Internal DNS Resolution (router mode) & DNS Suffix

Comments

14 comments

  • Firewalla

    The .lan can be changed by tapping Network -> tap on LAN segment -> tap on "Domain Name".

    If you have an external DNS server (like pihole) on the same segment as the devices using that DNS server, the DNS packet will NOT go to Firewalla, so you pretty much need to control that on your own. Not sure if this is an issue for you.

  • Chris M

    I had tried that before on both: on the wireless VLAN it worked fine, but on the wired VLAN (also the same one the FWG is on) things go sideways - things will work sporadically for a few minutes, and then stop, etc. Once I change that VLAN back to handing out the FWG as the DNS server, things begin working again.

    I changed the wireless VLAN that I use to use the pihole and it's working fine so far - so that's good. I am reluctant to change the wired one based on the previous experience. If I'm doing something wrong, do let me know.

    The domain name field only takes like a TLD - I can change 'lan' to 'mydomain' but not 'mydomain.com' as it throws an error - is this by design?

  • Chris Dillard

    I have a similar thread here:

    https://help.firewalla.com/hc/en-us/community/posts/360050179954-Active-Directory-DNS-Configuration-With-Gold

    I'm currently working with Firewalla support on the suggested workaround of setting the DHCP scope DNS to the IP of the Gold while setting the upstream DNS cache DNS to my internal Windows-based DNS server for local domain resolution before it forwards out to the internet. It's working well on most of my devices with the exception of my son's PC, which is in a restricted "kids" group in Gold. That group has some filters and rules enabled, as you might imagine, and for some reason the upstream DNS forwarding to resolve my local domain doesn't work. I can remove the device from the group and it starts working, so hoping we're able to figure it out.

    The ability to set conditional DNS forwarders would be ideal. Then I'd just set "xyz.local" to point to my internal DNS server and be done with it.

    FWIW I'm also not finding the option to change .lan to something like "xyz.local" across all my devices either.

  • Support

    Where is the pihole located? Is it in wired VLAN or wireless VLAN?

  • Chris M

    The pihole is actually now in both. Based on the first reply, I added a second NIC to the pihole VM so I could configure the wireless VLAN to have it as primary DNS on the wireless scope - working like a charm so far. I did try again to configure the wired VLAN (same one the internal IP of the FWG is on) and stuff went weird.

    Is there some sort of conflict with Firewalla where, if that VLAN is using internal DNS to pihole, which then upstreams to the internal Windows DNS, and then goes out to the internet, and Firewalla then maybe intercepts it on UDP/53... does it then do like a DNS loop?

  • Support

    Do you mean the upstream DNS server of the pihole in the wired VLAN is another host in the same VLAN? If yes, you may need to disable DNS booster on that internal upstream DNS Windows host. You can disable DNS booster in the app in "Advanced" -> "Configurations" -> DNS Booster. Otherwise, the DNS from that Windows DNS server will be forwarded to the pihole again, causing a DNS loop.

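The loop Support describes (pihole -> Windows DNS -> booster-intercepted -> back to pihole) and the effect of the suggested fix, as an added model that is not Firewalla's code or configuration. Host names, the `Segment` type and the booster behaviour (UDP/53 leaving the segment from a booster-enabled host is resolved via that segment's DNS server) are assumptions distilled from the thread.

```python
from dataclasses import dataclass, field

# Constructed model (not Firewalla code) of how a query hops between hosts on one VLAN.
# Assumption from the thread: Firewalla's DNS booster grabs UDP/53 traffic leaving the
# segment from hosts where it is enabled and resolves it via that segment's DNS server.

@dataclass
class Segment:
    dns: str                    # DNS server the DHCP scope hands out (booster redirect target)
    wan_dns: str                # what the box forwards to when it is the segment DNS itself
    hosts: set = field(default_factory=set)       # hosts inside this segment
    forwards: dict = field(default_factory=dict)  # host -> its configured upstream
    booster_on: set = field(default_factory=set)  # hosts with DNS booster enabled

def next_hop(host, seg):
    """Where a query sent by `host` really goes, or None if `host` answers it itself."""
    if host == "firewalla":
        return seg.wan_dns if seg.dns == "firewalla" else seg.dns
    upstream = seg.forwards.get(host)
    if upstream is None:
        return None
    if upstream not in seg.hosts and host in seg.booster_on:
        return "firewalla"      # intercepted on the way out of the segment
    return upstream

def trace(start, seg, max_hops=16):
    """Follow a query from `start`; returns (path, looped)."""
    path = [start]
    while len(path) <= max_hops:
        nxt = next_hop(path[-1], seg)
        if nxt is None:
            return path, False
        if nxt in path:
            return path + [nxt], True
        path.append(nxt)
    return path, True

# Wired VLAN from the thread: scope hands out pihole, pihole forwards to a Windows DNS
# host on the same VLAN, Windows forwards out to the internet. Names are constructed.
WIRED = Segment(
    dns="pihole", wan_dns="isp-dns",
    hosts={"laptop", "pihole", "windows-dns"},
    forwards={"laptop": "pihole", "pihole": "windows-dns", "windows-dns": "internet"},
    booster_on={"laptop", "pihole", "windows-dns"},
)

def without_booster(seg, host):
    """Support's fix: the same segment with DNS booster disabled on `host`."""
    return Segment(seg.dns, seg.wan_dns, seg.hosts, seg.forwards, seg.booster_on - {host})
```

`trace("laptop", WIRED)` returns to pihole and reports the loop; `trace("laptop", without_booster(WIRED, "windows-dns"))` ends at the internet.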
  • Chris M

    Ah, that fixed it. I couldn't remember where to find the DNS booster settings per-device. It would be nice to have a 'search' feature for the configuration settings.

    The article I remember seeing about the DNS loop was the one written for installing pihole on the FWG itself, in the comment thread. You'd responded similarly.

    Thanks for your help with the DNS. As for the search domain, is there any way to add the second-level domain in addition to the TLD (i.e., example.com instead of just .com or .example), or more than one search domain?

  • Support

    @Chris It is possible on the backend, but somehow the app does not apply it. It will be fixed on the app side for sure.

  • Chris M

    I noticed in the latest beta version of the iOS app, I can update it via the app - so that's all good and working - but it doesn't seem to stick. It'll save out and all, but revert back to lan after a while.

  • Support Team

    It's a bug in box version 1.970; it should have been fixed in 1.971 already. The change should have taken effect; it's just a display issue.

  • Tom

    What is best practice for FWG and LAN DNS? With the default config clients use 192.168.1.254, but I see very slow / poor resolution. Is this the FWG server or the WAN connection DNS servers that perhaps FWG is using?

    If I set the FWG LAN to issue 1.1.1.1 and 8.8.8.8 it's much better, but am I bypassing a problem? Will it break something else (FWG rules etc.)?

  • Firewalla

    @Tom

    If you are encountering issues on the LAN side, you need to check what DNS you set up on the WAN side.

    For example, if 192.168.1.254 is FWG, then the DNS request will go to FWG, and then be forwarded to your WAN DNS.

    If you set 1.1.1.1 on the LAN segment, then the DNS request will still go to FWG, and then be forwarded to 1.1.1.1.

  • Tom

    Correct, the clients were using the FWG LAN IP for DNS, so I suspect the upstream DNS on the WAN port was the issue. Is there an effective way for me to prove that next time, i.e. SSH to the FWG and test DNS that way?

    Changing FWG LAN to use 1.1.1.1 / 8.8.8.8 made a massive difference, so no harm leaving it like that. This will then override the WAN port DNS servers (DHCP from the ISP)?

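One way to measure what Tom asks about, as an added example that is not Firewalla's code: send one raw A query to each resolver (the box's LAN IP from the thread and the two public resolvers) from a host on the LAN and compare round-trip time and response code, so a slow box versus a slow upstream can be told apart before changing the WAN settings. The resolver list, query name and timeout are assumptions; adjust them to your own network.

```python
import socket
import struct
import time

# Added example, not Firewalla code. Resolvers to compare: the box's LAN IP from the
# thread plus the two public resolvers Tom switched to. Adjust to your own network.
RESOLVERS = {"FWG LAN": "192.168.1.254", "Cloudflare": "1.1.1.1", "Google": "8.8.8.8"}

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (recursion desired, one question) for `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)     # QTYPE=A, QCLASS=IN

def parse_header(resp, txid):
    """Return (rcode, answer_count) from a response header, or None if it is not ours."""
    if len(resp) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:       # wrong ID or not a response
        return None
    return flags & 0x000F, an

def time_lookup(server, name, timeout=2.0):
    """Query `server` once; return (latency_ms, rcode, answers), latency None on timeout."""
    txid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name, txid), (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return None, None, None
        ms = (time.perf_counter() - start) * 1000
    parsed = parse_header(resp, txid)
    if parsed is None:
        return ms, None, None
    return ms, parsed[0], parsed[1]

if __name__ == "__main__":
    for label, ip in RESOLVERS.items():
        ms, rcode, answers = time_lookup(ip, "example.com")
        if ms is None:
            print(f"{label:10} {ip:15} timeout")
        else:
            print(f"{label:10} {ip:15} {ms:7.1f} ms  rcode={rcode} answers={answers}")
```

Run it a few times from a LAN client; a large gap between the FWG LAN row and the public resolver rows points at the box or its WAN upstream, while uniformly slow rows point at the path out.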
  • Firewalla

    Yes, if you change the LAN segment DNS, it will bypass the WAN settings (likely from your ISP). If you do have issues, you should also change the WAN settings to 1.1.1.1/8.8.8.8; it will make the box more stable.

    We usually don't ask people to mess with the WAN DNS, but in case you have issues, it's best to change it. (Not all ISPs' DNS are the same, but in general the popular ones are more stable, and the ISP ones are likely a ms or two faster.)

