# [pfSense] DNS problems after disabling DNS-forwarder in pfSense



## jontheil (May 28, 2013)

Hi list,

For quite a long time, I have been using pfSense as a router/firewall/gateway for regulation of traffic between the LAN and WAN side.
PF was configured with some simple rules (mostly NAT-rules), and the software was set up with "DNS forwarding" (dnsmasq) with a static IP on the WAN side and definition of the ISP's name servers.

The ISP seemed to think that we were running our own name server and that it was hijacked. After turning DNS forwarding off, everything was apparently fine.

The problem is with the server. Even though the /etc/hosts file and the /etc/resolve.conf are configured correct, some services on the server behind the firewall have issues. The most annoying is that I cannot figure out how to configure postgresql correctly. It takes a very long time to start it, and even if `/usr/local/etc/rc.d/postresql status` claims that it is running, I cannot connect through clients. Updating the ports tree with `portsnap fetch` takes much longer time than usual. Of course I can provide a lot of information output from `tcpdump` etc. But I need to know what to look for.

Any help will be appreciated!

Regards,
Jon


----------



## throAU (May 29, 2013)

Not a pfSense user..

My first thought is that DNS replies can be either UDP or TCP, are you allowing port 53 back on *both* protocols, or is pfSense set up to do this via protocol inspection/state?


----------



## SirDice (May 29, 2013)

Obligatory warning: [thread=7290]PC-BSD, DesktopBSD, FreeNAS, NAS4Free, m0N0WALL, *pfSense*, ArchBSD, kFreeBSD topics[/thread]


----------



## jontheil (May 29, 2013)

@throAU: Thanks for your input. I will have a look at the pf rules (in pfSense, sorry).

After I did, I found an old NAT rule pointing to the old server. Furthermore, the rule did not allow for UDP traffic. I changed this to open for all traffic (TCP and UDP) on port 53 coming from the ISP's two name servers. I restarted the server to be sure, that all routes were up-to-date. I can see a lot of packages going to and from the name servers.

portsnap is still quite slow, postgresql still does not work properly, the same goes for the LDAP server/client. 

@SirDice: I am not sure, whether the issue is with pfSense or my server configuration. As far as I can see, workstations using DHCP (in my case Windows) do not have any problems. The server does not use DHCP and is dependent on correct configuration. Several server applications running FreeBSD seem to have lookup issues.

I have tried to search the pfSense forum without finding any useful answers. But I guess *I* might have to ask the same question there.

Regards,
Jon


----------



## jontheil (May 31, 2013)

Hi again,

This has been much more complicated than I ever thought it would be. 

I found out that the firewall rules were much to loose. And that it could be used as an open DNS resolver. I had to turn that behaviour off by disabling the DNS resolver (dnsmasq) while I was looking for solutions.

Therefore, I had to change some settings in /etc/rc.conf, /etc/hosts and /etc/resolv.conf.

After cleaning up in the firewall rules (no open ports on the wan side except for NAT-rules required to run public service on the server), I tested if the issue with the open resolver was fixed (I used http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl), I turned dnsmasq back on permanently.

Everything on the network seem to work fine now. Except for the server. I went through all the network related settings and found out, that I should put the address of the firewall on top of the list of name servers in /etc/resolv.conf. After that all the network services on the server were running as they should. 

Regards and thanks for the help,
Jon


----------

