Robert's Virtual Networkingeast82.com

BIND DNS UbuntuConfigure DNS forwarding on pfSense

A little background

If you checked out the previous DNS how-to  you know that DNS forwarding simply takes requests the DNS server cannot resolve and forwards them to another DNS server. So, why implement forwarding on the DHCP server when we already have it configured on our DNS server? We have some DHCP clients on our network that are not listed in the DNS records and we'd like a means for them to find one another on the LAN.

If this were a Windows only network, then Windows clients would use NetBIOS over TCP/IP to discover one another. Additionally, they would register their DHCP leases with the Windows DNS server. Registration of Windows and Linux DHCP leases in Linux servers running BIND DNS is possible (and more elegant) than the methods outlined here, but we only want to use this how-to as a learning point. Another solution might be to install Samba on our Linux machines.

Configuring the firewall (pfSense)

The original DNS setup is this

  • My Ubuntu server, kasparov, IP address 192.168.11.3 is the primary (and only) DNS server on the LAN. Requests is cannot handle are forwarded to my ISP's DNS servers. Several entries are made for kasparov and lasker (W2K3 server).
  • DHCP address are handed out by pfSense firewall, fischer, IP address 192.168.11.2. These are not updated in kasparov. Hence, while we can contact machines by IP, we cannot contact DHCP clients by name. This is an inconvenience, not a necessity.
  • DHCP clients are given kasparov as the primary DNS server. All the important IP addresses exist in this DNS server's database, servers, email, web.

What we will do is the following. Enable DNS forwarding on pfSense. The effect of this is that the firewall will store DHCP leases, perform resolution for these leases and assign itself as the DNS server in the DHCP scope. Statically assigned IP machines will still point to kasparov for DNS resolution.

Take a moment ....do, you see the disconnect here? DHCP clients will resolve with one another and, through forwarding, resolve to our servers (those with static IP addresses), however servers will not resolve clients with DHCP assigned addresses, because they will not consult the firewall for resolution.

So, you may protest, why don't you just enter fischer's IP, 192.168.11.2 in the forwarding table on kasparov?? That way everyone can resolve everybody on the LAN. Here is why ...fischer is NOT a DNS server, it merely consults its DHCP leases to resolve those and forwards all others. You can, however, install the DNS package on a pfSense firewall to get things functioning in its entirely. And so on and so forth.

Before the change, let's look at our /etc/resolv.conf on euwe, our Ubuntu workstation:
resolv.conf screenshot

Access fischer from a web browser and navigate to System >> General Setup. Find the DNS section and  ensure "Allow DNS server list to be overridden by DHCP/PPP on WAN" checkbox is unchecked. Save changes This affects the pfSense forwarders. We want pfSense to forward to the servers we define in the textboxes in this section, not the DNS servers on the Internet:
firewall general setup

Next, navigate to Services >> DNS forwarder. and check the boxes labeled "Enable DNS forwarder" and "Register DHCP leases in DNS forwarder". Save changes. This will do what we discussed earlier.
DNS forwarding

Go ahead and renew the IP on euwe:

sudo dhclient -r
sudo dhclient
  

After the changes:
resoln.conf after

./Robert