pfSense DNS Resolution for DHCP Leases

Name resolution makes life easier for everything, so today I’ll show you how I’ve set up my pfSense device to perform DNS resolution for devices registered via pfSense DHCP.


pfSense General Setup – Domain

In this example I’m going to use the default domain name configured with pfSense. Obviously this should be tweaked for your specific needs, but if you are running this at home then localdomain is fine. My home lab actually has its own Active Directory DNS servers, and I configure pfSense to forward any requests for that lab domain to those DNS servers.

pfSense General Setup


pfSense DHCP Server Domain Name Configuration

Having picked our domain name, we need to check that the DHCP server in pfSense is handing out that name when issuing an address lease. Browse to the ‘Services’ menu, select ‘DHCP Server’ and scroll down to the ‘Other Options’ section. By default pfSense will use the name defined under the system setting we checked earlier. If you want to configure an alternate name for a specific DHCP range (e.g. on a different subnet) you can do so here. If, like me, you prefer to see the option that is being used when scrolling through a config, then add the domain here explicitly.

Services DHCP Server

Other Options Domain Name


pfSense DNS Resolver Settings

Now we can configure the pfSense DNS resolver settings to register DHCP leases in DNS to allow for easy name resolution. Browse to the ‘Services’ menu and select ‘DNS Resolver’.

Services DNS Resolver


Scroll down and tick the option to register DHCP leases in DNS; if you are using static DHCP mappings, tick the option to register those as well.

DHCP Registration and Static DHCP Registration in DNS Resolver


Testing Name Resolution

From my PC I now run a name resolution check to see whether a Raspberry Pi I have configured on my network for dynamic DHCP has registered in DNS correctly and can be resolved. I also test whether my PlayStation 4 resolves; it has a static mapping, so this shows that both dynamic and static entries are being registered, just as we configured.

nslookup
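To make the registration and lookup steps above concrete, here is an added example that is not part of the original post. pfSense’s DHCP server records leases in an ISC dhcpd.leases file; the script parses a constructed sample in that format to show which leases the ‘Register DHCP leases’ option would publish under the configured domain, and then mimics a client-side stub resolver that appends the DNS search suffix to a short name (the step that several of the comments on this post turn out to hinge on). The registration rule (only active leases that carry a client-hostname) and the sample values are assumptions for this example.

```python
import re

# Constructed sample of an ISC dhcpd.leases file in the format pfSense's DHCP
# server writes (values made up for this example, not from the original post).
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "raspberrypi";
}
lease 192.168.1.51 {
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:02;
  client-hostname "oldlaptop";
}
lease 192.168.1.52 {
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:03;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HOSTNAME_RE = re.compile(r'client-hostname\s+"([^"]+)";')

def registered_names(leases_text, domain):
    """Return {fqdn: ip} for the leases a resolver would register: active
    leases that carry a client-hostname. Expired (free) leases and leases
    with no hostname are skipped (assumed rule, modelled on the checkbox)."""
    names = {}
    for ip, body in LEASE_RE.findall(leases_text):
        if "binding state active;" not in body:
            continue
        m = HOSTNAME_RE.search(body)
        if m:
            host = m.group(1).lower().rstrip(".")
            names[f"{host}.{domain}"] = ip
    return names

def resolve(name, table, search_list):
    """Mimic a stub resolver: a name containing a dot is looked up as-is; a
    short name has each search-list suffix appended in turn, which is the
    client-side step the comments on this post discuss."""
    name = name.lower().rstrip(".")
    candidates = [name] if "." in name else [f"{name}.{s}" for s in search_list]
    for candidate in candidates:
        if candidate in table:
            return table[candidate]
    return None
```

With an empty search list the short name fails exactly as the commenters saw, while the FQDN still resolves.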


The pfSense DHCP and DNS settings provide a huge range of options, certainly more than I have shown in this post. Hopefully, if you are looking to do something similar, this post will assist you.

11 thoughts on “pfSense DNS Resolution for DHCP Leases”

  1. Oh… My… God… You saved my life… I was pulling my hair trying to figure this out. I Googled on several forums for people asking similar questions and many pfSense zealots were answering RTFM or answering in a patronizing way…

    I believe pfSense is victim of its great versatility. Since you can configure and have it do just about anything, the common use cases are spread across several screens which have several fields with terms that are not evident for people unfamiliar with configuring firewall related stuff. I strongly believe that pfSense would benefit from at least having wizards to do the basic stuff, and at the end of the wizard, it could provide hyperlinks to all related screens if the user wants to fine tune all the plumbings that was done by the wizard. Some could argue that the screens are tailored for professionals working in business. I would argue that you’re a beginner before becoming a professional and thus such wizards could help people ramp up more quickly, thus pfSense could get wider adoption.

    Anyway, thanks again!

    Reply
    • So glad I could help, it is a challenge getting the information you need at times. That is what led me to start blogging in the hope I can help others every now and then.

      Reply
  2. This works when using the CLI, but it doesn’t work when using browsers (Safari, Firefox, Chrome on Mac; Firefox, Chrome on Windows). Not sure what magic needs to happen to make short names work when typing them into the browsers’ address bar. Guessing some search function overrides local DNS lookups.

    Any ideas?

    Thanks for the post and comments. Great stuff in here.

    //Shawn

    Reply
    • Hey Shawn,

      Thanks for the kind comment and I’m sure we can get this working for you. My first guess is that your network interface doesn’t have an entry/entries for the domain suffix to use when a short name is provided. The suffix list lets the machine know what domains to append to any short name when attempting name resolution. If I run the command ipconfig and review the results for the relevant interface (I have a bunch of them) I can see that one of the entries is ‘Connection-specific DNS Suffix : localdomain’ – when I ping the short names my machine makes the assumption that I meant to add that suffix to the end. You can also check this using PowerShell –

      PS C:\> (Get-DNSClient).Suffix
      localdomain

      As a test you could use PowerShell to set the suffix to your desired entry and then test again. You could also set this in the GUI for the adaptor if you are more familiar with that or have set a static IP.

      With PowerShell the command would be similar to the below –

      PS C:\> Set-DnsClient -ConnectionSpecificSuffix localdomain -InterfaceAlias Ethernet

      Obviously you can swap the suffix and interface alias for the correct ones on your machine. You’ll likely need to run the shell as administrator for it to make the change. Additionally if you’re using pfSense as a DHCP server make sure the right suffix is listed and that way machines will receive it automatically. Let me know how you get on with that and if you need any other suggestions – hopefully this resolves it for you but if not comment back here.

      Alex

      Reply
  3. Hi Alex,

    I’ve spent DAYS trying to make this happen! Your post briefly gave me hope.
    Example is my Unifi Cloud-Key with pfSense static DHCP reservation 10.39.10.209
    Resolver has both Register boxes checked.

    After reading your post:
    DHCP now has explicit Gateway/Domain (even though these are the defaults)

    Tried adding private.lan to domain search list
    No change

    chris@machine:~$ arp -a
    unifi.private.lan (10.39.10.209) at 18:e8:ab:cd:ef:12 [ether] on enp0s25
    _gateway (10.39.10.1) at 00:08:a1:23:45:67 [ether] on enp0s25

    chris@machine:~$ ping unifi
    ping: unifi: Name or service not known

    chris@machine:~$ nslookup unifi
    Server: 127.0.0.53
    Address: 127.0.0.53#53

    ** server can’t find unifi: SERVFAIL

    FQDN works just fine:
    chris@machine:~$ nslookup unifi.private.lan
    Server: 127.0.0.53
    Address: 127.0.0.53#53

    Non-authoritative answer:
    Name: unifi.private.lan
    Address: 10.39.10.209

    Config is as simple as it can get: Ubuntu laptop, Cloud-Key, FlexHD AP plugged into LAN1, 2, 3 of SG3100 802.1q switch ports providing untagged Management_VLAN 10.39.10.0/24. WAN parasites off another firewall for this test rig (so double-NAT) but this shouldn’t affect anything in local name resolution. NAT rule forwards lan port 53 traffic to 127.0.0.1

    What other magic dust have you got in your setup that makes it work — AD of course.
    Can name (not FQDN) resolution work without AD?

    Chris

    Reply
  4. Hi Alex

    My question didn’t make it to your site (yet???).
    In case it does make it later (after moderation or whatever), PROBLEM SOLVED.

    Issue was that my Ubuntu laptop did not know it was in private.lan domain.
    Moving laptop from manually typed fixed IP to reserved static IP in pfSense DHCP server fixed it.

    Thanks for your nicely written article …and for forcing me to think.
    Chris

    Reply
    • Hi Chris,

      A while back I changed comments on here to be approved only as even with the spam filtering, stuff was still getting through. I was going to ask whether you’ve configured the DNS suffix/dns-search option for the interface/box. Now that you’re getting an address from pfSense it is going to update that for you but if you were statically assigning you’d need to set it yourself.

      I’m glad you got to the bottom of it, always nice to know the stuff I write has been helpful in some way.

      Alex

      Reply
  5. You mentioned at the beginning you forward this to your DNS servers on Windows. Can you explain how you do that step?

    Reply
