pfsense DNS Host Overrides

  • Published: 11 Sep 2024

Comments • 66

  • @LAWRENCESYSTEMS  3 years ago +3

    pfsense DNS Resolver Documentation
    docs.netgate.com/pfsense/en/latest/services/dns/resolver.html
    My latest pfsense tutorials can be found here:
    lawrence.technology/pfsense/

  • @aaronater1088  3 years ago +13

    @Lawrence Systems, working as an IT Engineer with a great company now, and I just want to say thanks for your knowledge and videos teaching a lot of concepts. You have helped me a lot in my career. Been watching you for years. Thanks for what you do.

  • @Hossimo  3 years ago +1

    I had this exact problem a few weeks back, being new with pfsense, and after a fair amount of Wiresharking and Googling I found a post on the pfsense forums that explained it. Great that you make all these videos!

  • @davidsackenheim5046  2 years ago

    Thank you for doing this video! No one else seems to want to explain how to do a host override and the documentation is way over my head. I see now it is super simple. Thanks again!

  • @vinayrathod  3 months ago

    Don't usually comment, I am more of a 'like' and 'save to playlist' kinda guy... But this damn thing was irritating me for so long... and it turned out to be so SIMPLE! Thanks a lot... btw, your channel (along with a few others) is the backbone of my home server setup... soon would be launching my own MSP from it... so yeah... Thanks again!

  • @bluebeeryale  3 years ago +21

    Will you please put out a video with the right way to do NAT Reflection as I’ve never been able to make that work. Thanks!!!

    • @Clarence-Homelab  3 years ago

      Does DNS rebinding protection maybe also play a role?

    • @YeOldeTraveller  3 years ago

      @@Clarence-Homelab Shouldn't as the address returned is the public one. NAT reflection will grab the packet at the external interface and remap it as any other inbound packet. Return path is to the external interface as well to be remapped to the internal client.

  • @samo9288  3 years ago +4

    Thanks for this, actually helped an issue I was having!

  • @KenPryor  4 months ago

    Thank you so much for this video!!! I've been struggling with setting up my internal DNS and you showed me how to fix it.

  • @cougarmain  3 years ago +3

    This is also known as split dns which we use mainly for email servers.

    • @LAWRENCESYSTEMS  3 years ago +2

      Yes, I had meant to say "Split DNS" in the video but it slipped my mind. Thanks

  • @stevedixon921  3 years ago +1

    Another DNS/Firewall trick is to configure the firewall "DNS forward" or "DNS Redirection" (the term varies by platform) to use your internal DNS servers for your private domain. Example: forward myoffice.lan to your internal servers. Two benefits: your ISP (or upstream DNS proxy) no longer gets requests for a non-public domain name, and you can still use your firewall as a DNS proxy (internet resolution works if your internal DNS is down), presuming you set your DHCP DNS settings to permit this.
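    The conditional forwarding described in this comment, as an added example in Unbound syntax (not from the comment, the video or pfSense's own files) that would go in the DNS Resolver's custom options; pfSense exposes the same thing in the GUI as a Domain Override. The zone name myoffice.lan comes from the comment, the internal server address 192.168.10.5 is hypothetical.

    ```conf
    # Hypothetical: send queries for the private zone myoffice.lan to the
    # internal DNS server at 192.168.10.5 instead of the ISP/upstream resolver.
    server:
        # The internal zone is not DNSSEC-signed; do not demand a chain of trust for it.
        domain-insecure: "myoffice.lan"
        # With DNS Rebinding Protection on, Unbound discards upstream answers that
        # point into private address space unless the zone is listed here.
        private-domain: "myoffice.lan"

    forward-zone:
        name: "myoffice.lan"
        forward-addr: 192.168.10.5
    ```

    Without the private-domain line the forwarded answers (which are RFC 1918 addresses) are dropped as suspected rebinding and the names simply fail to resolve from the LAN.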

  • @citypavement  3 months ago

    0:08 I am convinced that most home lab users go through the same arc while setting up pfsense, wireguard or some other tunnel, externally exposing servers with your own domain and certificate, and then exposing them again internally to work again.

  • @BlitzFingers  8 months ago

    It's an older post, but still works! Thank you Lawrence for creating this information.

  • @PhilipBonev  3 years ago +2

    I have a more complex chain, but it does the same. My Active Directory has forwarders to my Bind DNS server, then they point to forwarders to pfSense SSL unbound, because bind does not support TLS. All computers point to Active Directory DNS. Bind has two views, internal network (resolves internal queries) and external (resolves internet queries); they point to pfSense for internal queries for external addresses, and this works over TLS.

  • @pepeshopping  3 years ago +8

    It is called:
    Split DNS!!
    Dah!!

    • @LAWRENCESYSTEMS  3 years ago +1

      Yes, I had meant to say "Split DNS" in the video but it slipped my mind. Thanks

  • @nickswebtsv  3 years ago +2

    That’s a great way to get the SSL via OpenSSL client in cmd line. I think I’ll have to use that more often.

  • @Charlie8913  3 years ago +1

    Those DNS Host Overrides are very useful when having a reverse proxy or a web server with multiple sites when they should only be available inside the local network. Without it the web interfaces of most of my docker containers wouldn't be accessible.

    • @jdurbois56  2 years ago

      Can you elaborate on how you got this working? I'm using Nginx Proxy Manager to make some of my dockers accessible from the outside and I want to use it internally. When I make the host override entry using my domain name and the IP of my docker it still comes back with a suspected DNS rebind attack.

  • @volodumurkalunyak4651  3 years ago +1

    How about just using a dual-stack (IPv4 and IPv6) network? Internal and external connections to internal resources will automatically be correctly routed on IPv6 without any intervention into DNS. Furthermore, DoT/DoH on clients within the internal network won't break anything.

  • @joepalovick1915  3 years ago

    Great video, thanks Tom! I've also found that you can set the DHCP Registration and Static DHCP options in the DNS Resolver configuration section, so if you create static DHCP mappings or if your server has a hostname during DHCP then those entries would automatically get entered as DNS overrides. It's amazing to me how powerful pfSense is and this is just another area. I would also like to see a video on NAT Reflection. I know you had set it in a haproxy video but I can't seem to get it working correctly.

  • @pieter-yt  3 years ago +2

    Thank you so much

  • @deafno  3 years ago +1

    I use host override DNS for VPN clients so that remote work clients can access haproxy frontends through VPN LAN IP and avoid exposing HTTP services to whole world. The requirement is though that the remote worker connects to VPN and their DNS is forced through the VPN (which you can do with OpenVPN).

  • @BradleeEdmondson  3 years ago +2

    What would you say best practice is for service CNAMEs? Things like syslog.example.com --> hostname1.example.com, zabbix.example.com --> hostname2.example.com, etc.
    Currently I have some local-data fields added to the advanced/custom field in Unbound config, but is there a simpler way to do this? PfSense is my dhcp and DNS server, as well as primary router.

    • @LAWRENCESYSTEMS  3 years ago

      I simply add host overrides as I show in the video.

    • @Monsieur2068  3 years ago

      Adding to unbound I think is still considered best practice.

    • @BradleeEdmondson  3 years ago

      @@LAWRENCESYSTEMS Thanks Tom! But if you do "all A records, all the time" (which it seems is what host overrides do), wouldn't you have to change each override individually in order to do an update? For example, logger-->host1ip, syslog-->host1ip, zabbix-->host2ip, monitor-->host2ip etc. would require hand-updates to each mapping, I believe, whereas CNAMEs let you just update the hostname IP once.
      A bit out there for pfSense at home, maybe, but trying to identify best practice here nonetheless.
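A model of the resolver behaviour discussed in the two threads above (the "suspected DNS rebind" question and the A-record versus CNAME override question), added here as an example that is not from the video, the commenters or pfSense's code. It assumes hypothetical names and addresses, and models Unbound's private-address filtering as a plain RFC 1918 check.

```python
import ipaddress

# Constructed sample data (hypothetical names/addresses, not from the video). HOST_OVERRIDES_A
# models pfSense Host Overrides (Unbound local-data A); HOST_OVERRIDES_CNAME models CNAME local-data.
HOST_OVERRIDES_A = {
    "host1.example.com": "192.168.10.21",
    "host2.example.com": "192.168.10.22",
    "www.example.com": "192.168.10.50",   # reverse proxy on the LAN
}
HOST_OVERRIDES_CNAME = {
    "syslog.example.com": "host1.example.com",
    "logger.example.com": "host1.example.com",
    "zabbix.example.com": "host2.example.com",
}
UPSTREAM_A = {  # constructed answers a public resolver would return
    "www.example.com": "203.0.113.10",   # the public WAN address
    "www.example.org": "198.51.100.7",
    "bad.example.net": "10.0.0.1",       # private IP from outside: rebind attempt
}
# Ranges the rebinding check treats as private (RFC 1918 plus link-local).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def resolve(name, rebind_protection=True, max_chain=8):
    """A record a LAN client gets, or None. Local data wins over upstream and
    CNAME overrides are followed locally; with rebind protection on, upstream
    answers in private space are dropped. Local data is never filtered."""
    name = name.lower().rstrip(".")
    for _ in range(max_chain):
        if name in HOST_OVERRIDES_A:
            return HOST_OVERRIDES_A[name]
        if name not in HOST_OVERRIDES_CNAME:
            break
        name = HOST_OVERRIDES_CNAME[name]
    else:
        return None  # CNAME chain too long or looping
    answer = UPSTREAM_A.get(name)
    if answer is not None and rebind_protection and is_private(answer):
        return None
    return answer

def retarget_host(host, new_ip):
    """Move a host; every CNAME aliasing it follows. Returns the affected aliases."""
    HOST_OVERRIDES_A[host] = new_ip
    return sorted(a for a, t in HOST_OVERRIDES_CNAME.items() if t == host)
```

The same behaviour is why a host override to a LAN address works while a public answer containing a LAN address is refused, and why one retarget_host call is enough when services are CNAMEs.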

  • @salaciouscreations4323  2 years ago

    Using pfsense direct to fibre I get issues with Jetpack. Not able to loopback. I'm wondering if this could be to do with this.

  • @hayzeproductions7093  2 years ago

    Do you have to open ports and point them to the pfsense IP?
    Following the steps and not seeing anything over the browser.

  • @muhammadaamir566  1 year ago

    I have configured OpenDNS Server on LAN with DHCP... I want to bypass an Alias from OpenDNS Server.... I want to direct that Alias through GoogleDNS? How do I do it, sir?

  • @mveldt  3 years ago

    Is NAT Reflection mode for port forwards not doing the same when setting it to Pure NAT or NAT + Proxy?

  • @FinderX  3 years ago

    I overthought it too much, and before this I made Hairpin NAT for the same results.
    Gonna test this method.

  • @gerardlunow567  2 years ago

    I have a two PFsense running, one at home and one at our remote small office. I have IP cameras on both locations. I port-forwarded them and they work. They will be on a VLAN soon. I can watch the cameras on my mobile (Android using IP CAM Viewer - doing this for years) However, when I am home I cannot see them over my own LAN. Is there a video that addresses that? Thank you.

  • @troller4jesus  3 years ago

    Thanks for video. If I have a site that uses AD joined computers but there's no on-prem AD, and the AD server is in the cloud, is there a way to get the computers to talk to AD that way still over an IPSec tunnel? Would that require this DNS override?

  • @cluelessfish  2 years ago

    Thanks, this helped on a single IP though, but not across the board. I don't know what I've done, but I've done or enabled something for my noip address on the pfsense to stop it communicating correctly. Port fwd rules used to work but now they don't, and now don't resolve or just give that error. Is there a way to revert, as this is starting to annoy me? I don't want to have to be filling out lots of host overrides. VPN works fine but this rebound thing is starting to get annoying. Where do you think you can point me towards a fix, if possible?

  • @leeblack2103  3 years ago +1

    Nice!!!! Thanks bro

  • @homeassistantiptv8068  3 years ago

    I am not able to access my host overrides via VPN. I have searched for hours and I am hoping someone is able to help, thanks!

  • @CasualtyGaming  3 years ago

    Does this work the same as on Windows machines where you edit the hosts file under system32>drivers>etc?

  • @KyleBTech  3 years ago

    I use this with haproxy. I run two frontends with a wildcard certificate. I use one that all my overrides point to so I can navigate to all of my docker containers internally with https. The other I use to only expose services I want remote access to without a VPN (plex, channels dvr, etc...).

  • @salvadormartins4413  2 years ago

    Hi Tom, thanks for your videos, they've helped me a lot so far in my pfSense journey.
    Question: is there a reason why you leave "Outgoing Network Interfaces" at the default "all"?
    I have a couple of pi-holes as DNS servers on my LAN DHCP server and Cloudflare servers defined under System/General Setup.
    The thing is that every once in a while I get loads of concurrent DNS queries which always lead to my LAN (including pfSense) being unreachable.
    I can reach pfSense via Wireguard from my phone and do a pfsense reboot, after which everything returns to normal.
    I thought maybe the "Outgoing Network Interfaces" setting is somehow causing a conflict.
    PS: I just now increased some of the buffer settings under advanced settings for the DNS resolver to see if it helps.

  • @benhvienakhoatrungtamangia4373  3 years ago

    How to use pfBlockerNG (DNSBL) for all IPs with routed? Please help me bro

  • @YehudaKatz1  3 years ago

    dnsmasq has a feature called IP aliasing (evidently Cisco calls it DNS Doctoring) which allows you to provide a map of all your NAT IPs and it will automatically replace any returned results, so no manual override required. It would be cool if unbound had the same option and pfSense would automatically load the values from the NAT configuration. I thought there was a similar feature in unbound, but I can't find it now.

  • @kyannic  3 years ago

    Is there an easy way to override all google.* to the google-safe-search ip?

  • @VioletDragonsProjects  3 years ago +1

    Other method is to use VIP for haproxy

  • @DoozyBytes  3 years ago

    Not sure why I would need to do this if using the HAproxy package on pfsense. Yes, the address would be resolved to my pfsense WAN address, but then the router would just do its job and re-route to the correct server. On top of that, since you're doing it this way, you know your SSL will be correct since you're hitting the WAN IP.

  • @tundrastreaming  3 years ago

    If you're connected via VPN (for example OpenVPN) to your network, how does the OS know which DNS server to use? I know there is 'block-outside-dns' for OpenVPN in windows, but not for Linux. Blocking other DNS-servers also tunnels everything through the VPN

    • @LAWRENCESYSTEMS  3 years ago

      The server side config cannot force settings on the clients for Linux

    • @tundrastreaming  3 years ago

      @@LAWRENCESYSTEMS yes, but I mean just generally.
      How does a VPN-client know when to ask the VPN's DNS-server and when to ask his own DNS server?

    • @LAWRENCESYSTEMS  3 years ago +1

      When you set the OpenVPN settings to point to a different DNS server, that should override the default when connected.

    • @tundrastreaming  3 years ago

      @@LAWRENCESYSTEMS thank you

  • @profwael2339  3 years ago

    Thank you boss for that video, but I need to ask you about my problem with local DNS. I have an Active Directory domain on Windows Server. When I enable the DNS Resolver in pfsense I can't join any PC clients to my domain, and if I disable the DNS Resolver in pfsense I can join any PC clients to the domain but have no internet connection. Can you tell me how I fix that problem step by step? I have too many problems with that issue. Thank you again and best regards, Wael

    • @LAWRENCESYSTEMS  3 years ago

      If you are using Active Directory it needs to be the DNS.

  • @charlesyoung4589  3 years ago

    Are TNSR tutorials in your future channel pipeline? If so, when would it be?

  • @TheJoBlackos  3 years ago

    Just to mention that the CN is not always honored; you need to add the name you are covering with the certificate in the SAN section. Chrome, Firefox and probably others do not honor the CN section, and that's why you have the little yellow warning. IE still does, but in a few months it will be EOL :)