pfSense DNS Host Overrides

Captions
Tom here from Lawrence Systems. I want to talk about solving a problem a lot of people seem to run into when they are self-hosting servers, and what happens in pfSense is you build a server internally in your network, and then you go through and set up a Let's Encrypt certificate, for example, and a fully qualified domain name, and you get it facing the world. So now you're hosting it, except when you try to access it internally. There's a couple of different ways to do this. One of them is setting up proper NAT reflection, so that when you hit the public IP address internally it reflects back in and goes to the server. Another way, and the way I prefer to do it, is through host overrides.

A couple of prerequisites: that you are using pfSense as your DNS server. If you are using something like Active Directory, you'll have to make those same DNS changes in Active Directory, in the DNS server that you have Active Directory using, the Windows one. Essentially this is specifically for helping people who are using pfSense and want to know how to do a host override so their fully qualified domain works properly internally and externally.

Now, this does work with either a server that is independent, that you built yourself, whether it be a single host or a multi-host server, or if you're using HAProxy. Wherever that IP address is is where you'll have to point it to. In the case of HAProxy on pfSense, which I've done videos on, that would be the pfSense address. In the example we're going to use today, it's a standalone server that we have. Now, what we've actually done is take lawrencesystems.com and tunnel it to be an internal server, so bear with me here for this example, but essentially you'll see that we have an IP address of 192.168.3.9 internally, and that IP address is going to represent lawrencesystems.com. And yes, I actually have it tunneled, so lawrencesystems.com does respond on that IP address when we put the host override in. Before we get there, though, I want to start with the DNS Resolver documentation.

There are many more features in DNS Resolver than we'll be covering today. We're specifically going to be talking about the host overrides, but yes, there is a lot more you can do with it. I will leave a link to the documentation, which is really easy to find, because you just go over here and can click the little question mark, which brings you to the documentation.

All right, now the Host Overrides section right now is empty, so before we do anything let's look up where lawrencesystems.com lives: dig @192.168.8.1, that's the IP address we have here for our pfSense; we're behind it with this laptop that I'm on. So, lawrencesystems.com, dig, and it resolves to the proper public IP address, and if we are not inside this network that would be great. But as I said, for this demonstration we're assuming lawrencesystems.com actually lives internally at 192.168.3.9, so when we do the dig our goal is to resolve it to that address.

And now let's cover something really quick. This is OpenSSL, and this is where some of the troubles sometimes come in once you're dealing with certificates. Certificates have to have the name, the server name sent by your browser, matching the certificate that responds. It actually isn't tied to IP addresses specifically; it's tied to the server name sent and the certificate offered. This is actually how it works as well when you have a website serving up multiple different websites on one single IP address: it uses the server name to determine what site you're going to get, or what certificate you're going to get. And hopefully you are using a certificate and everything should be done securely. It's a little bit simpler, obviously, if you're not; the same rules apply for the host override, but you don't have to worry about the TLS part of it. What we're going to do here is openssl s_client; we're sending the server name lawrencesystems.com to host 192.168.3.9:443, and it's just an example to show you that it pulls the right certificate. So we go here and it does return CN = lawrencesystems.com, and there's our Let's Encrypt, CN = R3.

Now, just so you know, if we put something different, and we'll put like notlawrencesystems.com, it will not return the proper name. This is what happens essentially when you go to the website and put in something like... we'll open up Firefox for this, because that way nothing's cached: https://192.168.3.9, and we get a certificate error, because it's not sending a certificate that matches the server name. The server name we sent was 192.168.3.9, and it's not the expected certificate, so we end up with a certificate mismatch and that error that people are used to seeing.

Let's go ahead and create an entry. So the Host we leave blank, Domain is lawrencesystems.com, IP address 192.168.3.9, Description "LTS host override", and then we also want to go ahead and we're going to do www as well, and hit Save and then Apply. So now lawrencesystems.com equals 192.168.3.9, and www.lawrencesystems.com is 192.168.3.9. Let's go ahead and test. So we go here and we do the dig at 192.168.8.1, which is our local IP address of pfSense. Hey, look, it responds with that. Let's put a www in front of it; also responds like that. What if we did an external address, 9.9.9.9?

So if we hit Quad9 it gives the proper answer of 143.198, etc. So now if you're outside of your own network and not using pfSense for DNS resolution, no problem, it's going to resolve properly, but internally it's going to override and put you at the local server's address, which is that 3.9. So let's actually go there now. All right, do a refresh, and then open up the web console down here, and you can see the remote IP. There's a lot going on here, my website has a lot of things on it, but you see where lawrencesystems.com is being served from 192.168.3.9 down here at the bottom. And that's it.

Now, I did have to pause a minute and refresh a couple of times, because it takes a little while, because Firefox wanted to cache the old IP address. You may run into that; you may have to reboot some hosts. Some of them will hold on to it, despite pfSense having a new DNS entry, if they've looked the site up before, so you may not see it immediately. That's one of the reasons I was looking to see which remote IP it was pulling up down here, to make sure it was pulling up the right one and that the demo was working as expected.

It's really that simple to do these host overrides and override any site that you want to equal that. Now, I mentioned multi-site hosting, and for example, if you had a server that supplies multiple sites based on the server name, you could use the same IP address for return with different domain entries. So lawrencesystems.com resolves as 192.168.3.9, but you could also have someotherwebsite.com resolve as that as well. So it's just as many host entries as you want, and of course you can add extra aliases underneath in case you have some other ones that also resolve there, because, well, it works the same way with subdomains as well. Generally speaking, you just need the two for a fully qualified domain name. And yes, this will work if you have like mydomain.dynamicdns or whatever you may be using, if you're not using a fully qualified domain name that you own but something like a dynamic DNS type of service; it does work with that as well.

I'll leave a link over to the documentation from pfSense on this. It's a really simple thing to do, but it will save you a lot of headaches, just to throw that host override in there and override it so it points at the local server as opposed to the public one, and this will solve all those little bugs that seem to come up. And this is a popular topic in my forum and a popular support topic that just comes up in general, I find. All right, thanks.

Thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there is a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again and we look forward to hearing from you. In the meantime, check out some of our other videos.
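A script that checks the three things the video verifies by hand (the A record the LAN resolver returns versus the one a public resolver returns, and whether the certificate offered at the internal address covers the name sent in SNI), as an added example for this page; it is not code from the video, from pfSense or from Lawrence Systems. It assumes the video's name lawrencesystems.com and internal address 192.168.3.9; the public address 203.0.113.10 is a constructed placeholder, since the video only shows the real one truncated, and the function and file names are the example's own.

```python
"""Check a pfSense host-override (split-horizon) setup end to end.

Added example, not code from the video or from pfSense.  Assumed values:
  name         lawrencesystems.com
  internal IP  192.168.3.9    (what the pfSense host override should answer)
  public IP    203.0.113.10   (constructed placeholder for what 9.9.9.9 answers)
"""
import socket
import ssl
import sys

# RFC 1918 prefixes; an answer in one of these from a public resolver is wrong.
PRIVATE_PREFIXES = ("10.", "192.168.") + tuple(f"172.{n}." for n in range(16, 32))


def classify_override(internal_answer, external_answer, internal_ip):
    """Compare the A record from the LAN resolver (pfSense) with the one from a
    public resolver (the video uses 9.9.9.9) and say whether the override works."""
    if internal_answer != internal_ip:
        # pfSense did not hand out the override: entry missing, not applied,
        # or the client still has the old public answer cached (the Firefox
        # behaviour the video runs into).
        return "override-missing-or-cached"
    if external_answer == internal_ip or external_answer.startswith(PRIVATE_PREFIXES):
        # The public zone answers with a private address: the override belongs
        # on the internal resolver only, never in public DNS.
        return "private-ip-leaking-to-public-dns"
    return "ok"


def hostname_matches(server_name, cert_names):
    """Does the name sent in SNI match a name the certificate carries?
    Exact match, or one wildcard covering exactly one left-most label (RFC 6125).
    An IP literal such as 192.168.3.9 never matches a DNS name, which is the
    mismatch the video provokes by browsing to https://192.168.3.9."""
    name = server_name.lower().rstrip(".")
    for cand in cert_names:
        cand = cand.lower().rstrip(".")
        if cand == name:
            return True
        if cand.startswith("*."):
            suffix = cand[1:]  # e.g. ".lawrencesystems.com"
            if name.endswith(suffix):
                leftmost = name[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


def fetch_cert_names(ip, server_name, port=443, timeout=5.0):
    """Live check, the equivalent of `openssl s_client -servername NAME -connect IP:443`:
    connect to the internal address but send NAME in SNI, and return the DNS
    names (SANs plus subject CN) of the certificate the server offers.
    Chain verification stays on so getpeercert() returns parsed fields; hostname
    checking is off because hostname_matches() evaluates that ourselves."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


if __name__ == "__main__":
    # usage: python3 check_override.py lawrencesystems.com 192.168.3.9
    # Uses the system resolver, which on the LAN is pfSense; the video picks
    # the resolver explicitly with `dig @<pfsense-ip>` instead.
    fqdn, internal_ip = sys.argv[1], sys.argv[2]
    answer = socket.gethostbyname(fqdn)
    print(f"{fqdn} resolves to {answer} (override expects {internal_ip})")
    if answer == internal_ip:
        names = fetch_cert_names(internal_ip, fqdn)
        print("certificate names:", names)
        print("SNI match:", hostname_matches(fqdn, names))
```

Two caveats on the live part: `fetch_cert_names()` keeps chain verification on, so unlike `openssl s_client` it raises instead of printing when the server answers the SNI with a certificate the system trust store cannot verify (for example a self-signed default vhost certificate when the name does not match any site), and `socket.gethostbyname()` goes through the host's stub resolver, which is exactly where a stale public answer can still be cached after the override is applied.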
Info
Channel: Lawrence Systems
Views: 16,013
Rating: 4.9828815 out of 5
Keywords: lawrencesystems, pfsense host override, pfsense host override not working, pfsense, tutorial, firewall, pfsense setup, network, pfsense (software), pfsense router, pfsense dns, pfsense dns resolver, pfsense dns server, pfsense dns setup, pfsense dns redirect
Id: tHfAWY_jYbQ
Length: 9min 30sec (570 seconds)
Published: Fri Mar 05 2021