Providing Local DNS with pfSense - pfSense Hangout August 2016

Slides for the August 2016 pfSense Hangout video

  1. Providing Local DNS Using the DNS Resolver and DNS Forwarder
     August 2016 Hangout, Jim Pingle
  2. About this Hangout
     ● Project News
     ● DNS Overview
     ● When to use the firewall for DNS (and when not to)
     ● DNS Resolver vs DNS Forwarder
     ● Host Overrides
     ● Domain Overrides
     ● DNS and VPNs
     ● DNS and Multi-WAN
     ● DHCP and DNS
     ● How the firewall assigns DNS servers to clients
     ● Intercepting DNS at the Firewall
     ● Miscellaneous additional DNS Resolver/Forwarder tidbits
  3. Project News
     ● 2.4 ALPHA snapshots available soon!
       – Not production ready, only for alpha-level testing!
       – ZFS installer (for systems with sufficient RAM)
     ● More info on uFW (microFirewall)
       – Video posted of pfSense 2.4 alpha snapshot running on uFW: https://twitter.com/gonzopancho/status/761467197118046208
       – Photo of the board and case
     ● Official pfSense training in Saint Petersburg, Russia, during September
     ● Official pfSense Facebook Page
       – https://facebook.com/pfsense
     ● New Official pfSense Facebook Group
       – https://www.facebook.com/groups/pfsense.official
  4. What is DNS?
     ● Domain Name System
     ● Translates host names into IP addresses
     ● Clients must talk to IP addresses, not names, so DNS makes it easier for humans to give addresses to clients without having to memorize IP addresses
     ● For example: www.example.com to 203.0.113.65
     ● There are other types of records as well for various tasks:
       – A for IPv4 address, AAAA for IPv6 address, PTR for reverse DNS, MX for mail exchange host for a domain, CNAME, SRV, TXT records, etc.
     ● Hierarchical structure: Clients talk to recursive forwarders or resolvers, forwarders talk to recursive resolvers, resolvers talk to roots and authoritative servers
  5. How Does DNS Work?
     ● Clients query a DNS server using UDP port 53 and ask it for a record of a specific type. Depending on the size of the result, the connection can switch to TCP on port 53.
     ● If the forwarder or resolver knows the host locally or has the answer in the cache, it replies back with the result, or it asks upstream (to a recursive resolver, or roots)
     ● A resolver will ask the root servers for the source of authority for a domain, and then contact the authoritative servers listed in the response for the answer to the original query.
     ● The answer is passed back down to the client
     ● Note: The forwarder must talk to upstream recursive forwarders or recursive resolvers. A resolver can operate independently and can talk to the root DNS servers and other servers directly.
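To make the query/response exchange on slides 4 and 5 concrete, here is an added example (not code from the slides, pfSense, Unbound or dnsmasq) that builds the UDP query a stub client sends to port 53 and parses the answer that comes back, including name-compression pointers and the TC (truncated) flag that tells a client to retry over TCP port 53. The `build_response` helper fabricates a sample answer for www.example.com → 203.0.113.65 so the parser can be exercised offline; the transaction ID and packet layout follow RFC 1035.

```python
"""Minimal DNS wire-format encoder/decoder (added example, not pfSense/Unbound code)."""
import random
import struct

QTYPE_A = 1
QTYPE_AAAA = 28

def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=QTYPE_A, txid=None):
    """Standard recursive query: 12-byte header followed by one question."""
    if txid is None:
        txid = random.randrange(0x10000)   # unpredictable ID helps resist spoofed replies
    flags = 0x0100                         # QR=0, opcode 0, RD=1 (ask the server to recurse)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN

def decode_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset_after_name)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # two-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2           # caller resumes after the pointer, not the target
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_response(data):
    """Return txid, truncated flag, rcode and a list of (name, type, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):                    # skip the echoed question section
        _, offset = decode_name(data, offset)
        offset += 4                        # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            rdata = ":".join("%x" % x for x in struct.unpack("!8H", rdata))
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": answers}

def build_response(query, rdata_ip, ttl=300, truncated=False):
    """Constructed A-record answer to `query` (sample data for testing the parser)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                  # the query carried exactly one question
    flags = 0x8180 | (0x0200 if truncated else 0)   # QR=1, RD=1, RA=1 (+TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rr = (b"\xc0\x0c"                      # pointer to the name at offset 12
          + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)
          + bytes(int(x) for x in rdata_ip.split(".")))
    return header + question + rr

if __name__ == "__main__":
    q = build_query("www.example.com", txid=0x1234)
    print(parse_response(build_response(q, "203.0.113.65")))
```

A real client would send `build_query(...)` with `socket.sendto` to the resolver and, on seeing `truncated` set, reopen the same question over TCP with a two-byte length prefix; the parser above is what the DNS Forwarder and Resolver do on every reply before caching it.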
  6. Why use the firewall for DNS?
     ● The firewall is placed conveniently to handle DNS for local clients
     ● Host and domain overrides allow customization and control over DNS responses given to clients
     ● Easy integration with the DHCP server on pfSense for resolution of client hostnames
     ● Locally caching DNS responses can speed up resolution and save time/resources on repeated or frequent queries
     ● More efficient selection of upstream DNS servers, minimizes downtime due to slow or broken DNS servers
     ● Less effort than running a dedicated full-featured DNS server, at the expense of some features
  7. When NOT to use Resolver/Forwarder
     ● For complex DNS setups, such as:
       – Multiple sites sharing the same domain name where all hostnames must be visible to all clients
       – Providing different responses to different sets of local clients (“views”)
       – Clients that must register hostnames in different domains on the same local segment
     ● When a local network contains an Active Directory domain
       – In these cases, it is best to use the AD structure for DHCP and DNS for proper registration of clients, proper service location, and client hostname resolution
       – You can use the firewall DNS resolver/forwarder as an upstream forwarder for the AD DNS server, but clients should not use it directly
     ● For providing authoritative answers to public clients
  8. DNS Resolver Overview
     ● Default since pfSense 2.2.x
     ● Uses Unbound, a secure caching resolver included in FreeBSD
     ● Can operate independently without manually configured upstream DNS servers
     ● As a resolver, by default it contacts root DNS and other authoritative DNS servers directly and not the defined forwarding servers
       – Better “out of the box” behavior as it does not require the user to configure DNS in any way before it is completely functional
       – May have issues if the ISP filters or rate limits access to other DNS servers
       – Multi-WAN can be tricky
     ● Can also operate in forwarding mode using upstream DNS servers
       – Has all defined, but randomly selects a DNS server from System > General Setup, switches if slow/down
       – unbound-control -c /var/unbound/unbound.conf lookup .
     ● Can easily use Domain Name System Security Extensions (DNSSEC) for secure DNS
       – Provides authentication and integrity confirmation, preventing forged/spoofed responses, no encryption
       – Works in resolver mode, and in forwarding mode if forwarders support DNSSEC
     ● Many options for tuning and optimization
     ● Scales better for large numbers of clients
     ● Better security / access control
  9. DNS Forwarder Overview
     ● Uses dnsmasq, a lightweight caching DNS forwarder
     ● Requires available upstream DNS servers, either manually configured under System > General Setup or obtained automatically (e.g. DHCP or PPPoE)
     ● By default, queries all DNS servers in parallel and returns the fastest result
       – Robust but can counteract intentional preferential ordering of servers
       – Works well for Multi-WAN
  10. Host Overrides
     ● Works the same in the DNS Resolver and DNS Forwarder
     ● Custom DNS A/AAAA records that either return answers for hosts that do not exist in upstream DNS or override an upstream response with a custom local response
     ● Can be used to define local server hostnames, hosts for use with VPNs, testing/development hosts, etc.
     ● Can also be used to override responses for split DNS or mild blocking (e.g. return a bogus result for facebook.com)
  11. Domain Overrides
     ● Define a different upstream server for queries on a specific domain
     ● All queries for hosts under the specified domain will be sent to the given server
     ● Useful for local domains (e.g. AD) or DNS across a VPN
     ● DNS Resolver overrides use Forwarding zones, not Stub zones
       – Switched between 2.2.x and 2.3
       – Stub zones only work if talking directly to an authoritative server
     ● DNS Forwarder can set a source address for the queries, which helps with IPsec
     ● DNS Forwarder can also make exceptions for subdomains to pass to normal DNS, or to prevent a domain from being queried on other servers (local only)
  12. VPNs and firewall DNS
     ● When a VPN or private link connects multiple sites, domain overrides can allow each site to query the others
       – Each site must be using a different domain or subdomain!
     ● OpenVPN will work fine – queries sourced from the VPN tunnel network
       – May need to account for that in DNS ACLs/Firewall rules
     ● When using the DNS Forwarder and IPsec, set the source address to be a LAN IP address or another local IP/interface inside the IPsec P2
     ● When using the DNS Resolver and IPsec, set the outgoing query interface to be LAN or other local interface in the IPsec P2
       – Alternately, use the gateway+static route trick on the wiki: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
     ● If all DNS queries must flow through the other side, then:
       – DNS Resolver: Enable forwarding mode, configure the other side’s DNS server under System > General Setup & disable DNS from DHCP/PPPoE
       – DNS Forwarder: Configure the other side’s DNS server under System > General & disable DNS from DHCP/PPPoE
  13. Multi-WAN and firewall DNS
     ● Both DNS Resolver and DNS Forwarder can be compatible with Multi-WAN, with some adjustments
     ● DNS Resolver by default queries random root servers and other authoritative servers, so to use it with Multi-WAN, enable Default Gateway Switching (System > Advanced, Misc)
     ● For DNS Forwarder, visit System > General Setup and configure at least one unique DNS server per WAN and choose a gateway for each one
     ● DNS Resolver can be set for Forwarding mode to use the same method, but DNSSEC may need to be disabled depending on the upstream forwarding servers
     ● ...Or set clients to use public IP address DNS servers directly and their DNS requests will policy route like the rest of their traffic
  14. DHCP and DNS
     ● Both the DNS Resolver and DNS Forwarder support registration of DHCP hostnames for dynamic and static leases
     ● Domain for this feature is assumed to be the domain of the firewall itself, not the domain configured in DHCP options
     ● The dhcpleases daemon monitors the DHCP leases file and populates the hostnames into the DNS Resolver or Forwarder
     ● Clients must supply their own hostname for dynamic leases; for static leases the configured hostname on the static mapping is used
       – Clients which provide an invalid or blank hostname will not resolve
     ● Be wary of using a domain directly rather than a subdomain, to avoid a troublesome host providing a name such as “www”
     ● In HA, the hostnames are not exchanged between HA nodes; this is an ISC DHCPD bug that needs to be fixed upstream
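The rules on slide 14 (firewall domain appended, blank or invalid hostnames dropped, a client named “www” shadowing the zone apex) can be checked outside the firewall. The following is an added example, not pfSense's dhcpleases daemon: it reads a constructed ISC `dhcpd.leases`-style snippet and emits the Unbound `local-data:` / `local-data-ptr:` lines that the firewall would generate, skipping what dhcpleases would refuse. The `reserved` list is this example's own safeguard for the “www” problem and is not a pfSense setting.

```python
"""DHCP leases -> DNS Resolver host entries (added example; not pfSense's dhcpleases)."""
import re

# Hostname label rules (RFC 952/1123): letters, digits, hyphen; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample in ISC dhcpd.leases style (not captured from a real firewall).
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  binding state active;
  client-hostname "laptop-alice";
}
lease 192.168.1.51 {
  binding state active;
  client-hostname "";
}
lease 192.168.1.52 {
  binding state active;
  client-hostname "bad host!";
}
lease 192.168.1.53 {
  binding state free;
  client-hostname "stale-box";
}
lease 192.168.1.54 {
  binding state active;
  client-hostname "www";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Yield (ip, hostname_or_None, binding_state) for each lease block."""
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state (\w+);", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        yield ip, (host.group(1) if host else None), (state.group(1) if state else None)

def leases_to_local_data(text, domain, ttl=3600, reserved=("www", "mail", "ns")):
    """
    Return (unbound_lines, skipped) for active leases published under `domain`.
    `domain` is the firewall's own domain (slide 14), not the DHCP option domain.
    """
    lines, skipped = [], []
    for ip, host, state in parse_leases(text):
        if state != "active":
            continue                                   # free/expired leases are not published
        if not host or not LABEL_RE.match(host):
            skipped.append((ip, host, "invalid or blank hostname"))
            continue
        if host.lower() in reserved:                   # example's own guard against a rogue "www"
            skipped.append((ip, host, "would shadow a zone-apex name"))
            continue
        fqdn = "%s.%s" % (host.lower(), domain.rstrip("."))
        lines.append('local-data: "%s %d IN A %s"' % (fqdn, ttl, ip))
        lines.append('local-data-ptr: "%s %s"' % (ip, fqdn))
    return lines, skipped

if __name__ == "__main__":
    entries, rejected = leases_to_local_data(SAMPLE_LEASES, "dhcp.example.com")
    print("\n".join(entries))
    for ip, host, reason in rejected:
        print("skipped %s (%r): %s" % (ip, host, reason))
```

Publishing leases under a dedicated subdomain such as `dhcp.example.com` rather than `example.com` itself is the cheaper fix the slide recommends; the `reserved` check only matters when a flat domain is unavoidable.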
  15. Assigning DNS servers to clients
     ● When using pfSense as a DHCP server, clients are automatically assigned DNS servers based on several criteria:
       – If DNS servers are defined in the DHCP settings, they are always used, otherwise...
       – If the DNS Resolver or DNS Forwarder are enabled, the IP address of the firewall is given to clients, otherwise...
       – If DNS servers are defined under System > General Setup, those are given to clients, otherwise…
       – If none of the above are defined, then DNS servers are not provided to DHCP clients
  16. Capturing DNS Requests
     ● To prevent clients from reaching undesirable external DNS servers, capture the DNS requests at the firewall
     ● Probably not a great idea for a public access network without consent from the users or notice
     ● Alternately, block access to all DNS except for the firewall itself.
     ● Port forward contents:
       – Interface: LAN
       – Protocol: TCP/UDP
       – Destination: NOT checked, LAN Address
       – Destination Port Range: 53 (DNS)
       – Redirect Target IP: 127.0.0.1
       – Redirect Target Port: 53 (DNS)
     ● Any client request for a DNS server will instead be redirected to the DNS Resolver or Forwarder
  17. Misc
     ● Both the DNS Resolver and DNS Forwarder provide DNS Rebinding Protection
       – This protection prevents an upstream DNS server from providing a private IP address response, to help protect against attacks redirecting you unknowingly to a local device
       – Sometimes private responses from servers can be desirable in certain exception cases
       – Can be selectively disabled or globally disabled
       – DNS Resolver, custom options:
           server:
           private-domain: "example.com"
       – DNS Forwarder, custom options:
           rebind-domain-ok=/example.com/
     ● Both support selective interface binding to restrict where queries are answered
       – DNS Resolver also has a control to select outgoing query interfaces
     ● Both can be run at the same time on different port numbers
       – Redirect clients to the alternate one using a port forward
     ● Test queries using Diagnostics > DNS Lookup
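Rebinding protection and its per-domain exception on slide 17 are easier to reason about as a filter over the answers that come back from upstream. This is an added example in Python, not Unbound's or dnsmasq's implementation: it drops A/AAAA records whose target is a private, loopback or link-local address unless the owner name sits under an allowed domain, which is the effect of `private-domain:` / `rebind-domain-ok=`. The sample answers are constructed; `evil.example.net` stands in for an attacker-controlled name and is not a real host.

```python
"""Model of DNS rebinding protection (added example; not Unbound/dnsmasq code)."""
import ipaddress

# Address ranges treated as "private" for rebinding purposes.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]

def is_private_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)      # cross-version membership is False

def in_allowed_domain(name, allowed):
    """True if `name` equals or is a subdomain of any entry in `allowed`."""
    n = name.rstrip(".").lower()
    for dom in allowed:
        d = dom.rstrip(".").lower()
        if n == d or n.endswith("." + d):
            return True
    return False

def filter_rebinding(answers, allowed_domains=()):
    """
    answers: list of (owner_name, rtype, rdata) from an upstream response.
    Returns (kept, blocked). Address records pointing at private space are
    blocked unless the owner is inside an allowed domain; other types pass.
    """
    kept, blocked = [], []
    for name, rtype, rdata in answers:
        if (rtype in ("A", "AAAA") and is_private_address(rdata)
                and not in_allowed_domain(name, allowed_domains)):
            blocked.append((name, rtype, rdata))
        else:
            kept.append((name, rtype, rdata))
    return kept, blocked

# Constructed sample upstream response (not real captured data).
SAMPLE_ANSWERS = [
    ("www.example.com", "A", "203.0.113.65"),        # public address, passes
    ("evil.example.net", "A", "192.168.1.1"),        # public name answering with a LAN address: blocked
    ("evil.example.net", "AAAA", "fe80::1"),         # link-local target: blocked
    ("intranet.example.com", "A", "10.0.0.5"),       # private, but example.com is on the allow list
    ("example.com", "MX", "mail.example.com"),       # non-address record passes through
]

if __name__ == "__main__":
    kept, blocked = filter_rebinding(SAMPLE_ANSWERS, allowed_domains=["example.com"])
    print("kept:", kept)
    print("blocked:", blocked)
```

The allow list is per domain, so `private-domain: "example.com"` re-enables private answers for everything under that name; keep it to the split-DNS domains that genuinely need it rather than disabling the protection globally.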
  18. Misc
     ● Logs for both are under Status > System Logs, on the DNS Resolver tab under the System tab
     ● Both can be set to log queries for diagnostic purposes using the custom options box:
       – DNS Resolver: log-queries: yes
       – DNS Forwarder: log-queries
     ● Both can be configured to handle wildcard addresses using the custom options box:
       – DNS Resolver:
           server:
           local-zone: "example.com" redirect
           local-data: "example.com 86400 IN A 192.168.1.54"
       – DNS Forwarder:
           address=/example.com/192.168.1.54
  19. Conclusion
     ● Questions?
     ● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.