Internal DNS Resolution (router mode) & DNS Suffix
So far I've been liking the FWG but for the inability to use my local DNS. How can I set up the FWG in router mode to resolve internal resources by name vs. IP? It'd also be nice to change the suffix to something like example.com instead of just the TLD (currently defaulted to .lan). I have 3 LANs, and if I have to multi-home the NIC on an internal DNS server I am not opposed to that as well.
Previously I had everything pointing to a PiHole instance, which used internal (Windows) DNS as its upstream DNS, which in turn used Cloudflare as its upstream. In that way I got internal resolution and ad blocking.
-
The .lan can be changed by tapping Network -> tap on LAN segment -> tap on "Domain Name".
If you have an external DNS server (like pihole) on the same segment as the devices using that DNS server, the DNS packet will NOT go to Firewalla, so you pretty much need to control that on your own. Not sure if this is an issue for you.
-
I had tried that before on both VLANs: on the wireless VLAN it worked fine, but on the wired VLAN (also the same one the FWG is on) things go sideways; they work sporadically for a few minutes and then stop, etc. Once I change that VLAN back to handing out the FWG as the DNS server, things begin working again.
I changed the wireless VLAN that I use to use the pihole, and it's working fine so far, so that's good. I am reluctant to change the wired one based on the previous experience. If I'm doing something wrong, do let me know.
The domain name field only takes something like a TLD: I can change 'lan' to 'mydomain' but not 'mydomain.com', as it throws an error. Is this by design?
-
I have a similar thread here:
I'm currently working with Firewalla support on the suggested workaround of setting the DHCP scope DNS to the IP of the Gold while setting the upstream DNS cache DNS to my internal Windows-based DNS server for local domain resolution before it forwards out to the internet. It's working well on most of my devices, with the exception of my son's PC, which is in a restricted "kids" group on the Gold. That group has some filters and rules enabled, as you might imagine, and for some reason the upstream DNS forwarding to resolve my local domain doesn't work. I can remove the device from the group and it starts working, so I'm hoping we're able to figure it out.
The ability to set conditional DNS forwarders would be ideal. Then I'd just set "xyz.local" to point to my internal DNS server and be done with it.
FWIW, I'm also not finding the option to change .lan to something like "xyz.local" across all my devices either.
-
The pihole is actually now in both. Based on the first reply, I added a second NIC to the pihole VM so I could configure the wireless VLAN to have it as primary DNS on the wireless scope; it's working like a charm so far. I did try again to configure the wired VLAN (the same one the internal IP of the FWG is on) and stuff went weird.
Is there some sort of conflict with Firewalla where, if that VLAN is using the internal pihole, which then upstreams to the internal Windows DNS, and then goes out to the internet, and Firewalla then maybe intercepts it on UDP/53... does it then do something like a DNS loop?
-
Do you mean the upstream DNS server of the pihole in the wired VLAN is another host in the same VLAN? If yes, you may need to disable DNS Booster on that internal upstream Windows DNS host. You can disable DNS Booster in the app in "Advanced" -> "Configurations" -> DNS Booster. Otherwise, the DNS from that Windows DNS server will be forwarded to the pihole again, causing a DNS loop.
-
Ah, that fixed it. I couldn't remember where to find the DNS Booster settings per device. It would be nice to have a 'search' feature for the configuration settings.
The article I remember seeing about the DNS loop was the one written for installing pihole on the FWG itself, in the comment thread. You'd responded similarly.
Thanks for your help with the DNS. As far as the search domain goes, is there any way to add the second-level domain in addition to the TLD (i.e., example.com instead of just .com or .example), or more than one search domain?
-
What is best practice for FWG and LAN DNS? With the default config, clients use 192.168.1.254, but I see very slow / poor resolution. Is this the FWG server, or the WAN connection DNS servers that perhaps FWG is using?
If I set the FWG LAN to issue 1.1.1.1 and 8.8.8.8 it's much better, but am I bypassing a problem? Will it break something else (FWG rules etc.)?
-
@Tom
If you are encountering issues on the LAN side, you need to check what DNS you set up on the WAN side.
For example, if 192.168.1.254 is the FWG, then the DNS request will go to the FWG and then be forwarded to your WAN DNS.
If you set 1.1.1.1 on the LAN segment, then the DNS request will still go to the FWG and then be forwarded to 1.1.1.1.
-
Correct, the clients were using the FWG LAN IP for DNS, so I suspect the upstream DNS on the WAN port was the issue. Is there an effective way for me to prove that next time, i.e. SSH to the FWG and test DNS that way?
Changing the FWG LAN to use 1.1.1.1 / 8.8.8.8 made a massive difference, so there's no harm leaving it like that. This will then override the WAN port DNS servers (DHCP from the ISP)?
-
Yes, if you change the LAN segment DNS, it will bypass the WAN settings (likely from your ISP). If you do have issues, you should also change the WAN settings to 1.1.1.1/8.8.8.8; it will make the box more stable.
We usually don't ask people to mess with the WAN DNS, but in case you have issues, it's best to change it. (Not all ISPs' DNS are the same, but in general the popular ones are more stable, and the ISP ones are likely a ms or two faster.)
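The question above asks how to prove where slow resolution comes from. One way, as an added example that is not part of this thread and not Firewalla's own tooling, is to send raw DNS queries from a LAN client to the gateway and to the public resolvers and compare the round-trip time and response code for each. The script below does that with only the Python standard library; the resolver addresses are assumptions (192.168.1.254 is the gateway address quoted above, 1.1.1.1 and 8.8.8.8 are the public resolvers mentioned), and the embedded sample reply is constructed, not captured, so the parser can be checked offline. Caveat: if DNS Booster is active for the client you run it from, queries sent to 1.1.1.1 may be intercepted by the gateway, as the earlier reply describes, so disable it for that device first or the comparison is meaningless.

```python
"""Time DNS lookups against several resolvers using only the standard library.

Added example for this thread; it is not Firewalla's tooling and not code
posted by any participant. Assumes the resolver addresses below are
reachable from the client you run it on; 192.168.1.254 is the gateway
address quoted in the thread and 1.1.1.1 / 8.8.8.8 are the public
resolvers it mentions (all three are assumptions for your network).
"""
import random
import socket
import struct
import time

RESOLVERS = {
    "gateway (FWG LAN IP)": "192.168.1.254",  # assumption: taken from the thread
    "cloudflare": "1.1.1.1",
    "google": "8.8.8.8",
}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int) -> bytes:
    """Encode a standard A-record query in RFC 1035 wire format (RD set)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, expected_id: int) -> dict:
    """Return the rcode and the A records (address, ttl) from a DNS reply."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    rcode = flags & 0x000F
    return {"rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": answers}


def time_resolver(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send one query over UDP/53 and report latency in ms; None on timeout."""
    qid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return {"server": server, "ms": None, "rcode_name": "TIMEOUT", "answers": []}
    finally:
        sock.close()
    result = parse_response(data, qid)
    result.update(server=server, ms=round((time.monotonic() - start) * 1000, 1))
    return result


# Constructed sample replies (not captured from a real resolver) so the parser
# can be exercised offline: one NOERROR answer for example.com with a single
# A record and TTL 300, and one SERVFAIL with no answers.
SAMPLE_ID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_ID, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    + build_query("example.com", SAMPLE_ID)[12:]          # echoed question section
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)
SAMPLE_SERVFAIL = (
    struct.pack("!HHHHHH", SAMPLE_ID, 0x8182, 1, 0, 0, 0)  # rcode 2 = SERVFAIL
    + build_query("example.com", SAMPLE_ID)[12:]
)


if __name__ == "__main__":
    # Two queries per resolver: the first may be forwarded upstream, the second
    # should be served from cache. A gateway that is slow on both, or that only
    # times out, points at its forwarding path (or the loop described above).
    for label, server in RESOLVERS.items():
        for attempt in ("cold", "warm"):
            r = time_resolver(server, "example.com")
            print(f"{label:22} {server:15} {attempt}: {r['ms']} ms "
                  f"{r['rcode_name']} {r['answers']}")
```

Run it once with the client pointed at the gateway and once after the LAN scope hands out 1.1.1.1 / 8.8.8.8: if the gateway's "cold" query is far slower than the direct query but its "warm" query is not, the delay is in the upstream forwarding, not in the box itself. A TIMEOUT or SERVFAIL on every query to one resolver is the symptom you would expect from the forwarding loop discussed earlier in the thread.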