Walt Stoneburner's Ramblings

Currating Chaos

pfSense Host Overrides are Not Resolving

I use pfSense for a firewall, and more recently pfSense+ simply because that's what came on the new Netgate 5100.

pfSense also provides several DNS options: DNS Resolver (unbound), bind, and DNS Forwarder. I use the DNS Resolver.

One of the cool features is Host Overrides. This allows one to get pfSense to give back DNS responses that override the typical DNS response; that could be to block certain services, set up testing domains and hosts, or provide local DNS resolution for machines you don't want publicly resolved.

For me, a few years ago this stopped working, and I sat on the problem until I had some significant time to dig into it. The full details are on Netgate's forum. This is worth the read if you are facing similar problems and wish to troubleshoot.

The symptoms were that dig and nslookup commands were working just fine for external hosts, but when I tried to look up any of my Host Overrides, I didn't get back an answer (instead, I got missing host or missing domain).

I had a Transparent Zone Type, DNSSEC enabled, and Forwarding Mode enabled (disabling it didn't help either). Turns out, none of this mattered. Tests with the DNS Resolution Behavior setting, even ignoring remote DNS servers entirely, didn't change the symptoms. Nothing on pfSense seemed to explain it: not ACLs, not other resolvers, not pfBlocker, not other packages.

Even weirder, if I used ssh to get onto the pfSense box itself, the same DNS lookups run there properly honored the Host Overrides. It was acting as if pfSense was ignoring Host Overrides for downstream devices. Acting, it turns out, was the key word.

The solution started to sort itself out when using pfSense's Diagnostics / Packet Capture against port 53. When I'd do digs against my Host Overrides, I'd see no traffic at all! When I'd do a dig against google, I'd see a response, but not for google!

Something was performing DNS Over HTTPS. Several somethings, actually. Firewalla Gold was configured to do it, as were my browser settings; all for security reasons.

When DNS Over HTTPS is turned on, the DNS request is forwarded via HTTPS outside the network, where it is resolved externally and not at pfSense's DNS Resolver. That is why the Host Override wasn't working, and why there was no port 53 traffic to pfSense's DNS.
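The comparison that cracked this, as an added example that is not from the post: a small Python check that asks the pfSense resolver directly on UDP/53 for an override name and resolves the same name the way the host normally does, then reports whether the two paths agree. The resolver address is a constructed assumption, and the override name is whatever you pass in.

```python
import socket
import struct
RESOLVER = "192.168.1.1"  # constructed value (assumption): the pfSense LAN address

def build_query(name):
    # Minimal DNS A query in wire format: ID 0x1234, recursion desired, one question.
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def _skip_name(buf, pos):
    # Offset just past a name; a 0xC0 compression pointer ends it in two bytes.
    while buf[pos] and buf[pos] & 0xC0 != 0xC0:
        pos += buf[pos] + 1
    return pos + (2 if buf[pos] & 0xC0 else 1)

def parse_a_records(resp):
    # IPv4 addresses in the answer section; other record types (e.g. CNAME) are skipped.
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos, addrs = 12, []
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def resolver_answer(name, server=RESOLVER):
    # Ask pfSense directly on UDP/53, the path a DoH client never takes.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(2.0)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(512))

def system_answer(name):
    # Resolve the way this host normally does; [] is the post's "missing host".
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def diagnose(direct, via_system):
    # The comparison behind the post's conclusion.
    if not direct:
        return "pfSense has no answer: fix the Host Override entry first"
    if sorted(direct) == sorted(via_system):
        return "override honored: this host is using the pfSense resolver"
    return "pfSense answers but the normal path does not: DoH or an upstream is bypassing it"
```

Run it on a client with `diagnose(resolver_answer(name), system_answer(name))`; a browser doing its own DoH bypasses even the OS path, so test from the browser separately.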

The solution was simply to turn off DNS Over HTTPS. Suddenly the DNS requests went to pfSense's Resolver, which happily answered the Host Overrides, and all was well.

The better approach appears to be to use DNS Over TLS and let pfSense handle it, rather than an upstream device.