pfSense Domain Overrides explained

Welcome back, fellow Open Source firewall enthusiasts! Many of you asked me for a short introduction to Domain Overrides. That is exactly what this article tries to give you, and I will also explain what Host Overrides are.

What are Domain Overrides

To put it in one sentence: Domain Overrides configure a specific DNS server for a particular domain. As an example, assume the following setup.

  • pfSense: 192.168.1.1 – DNS Server for your local network
  • Windows Server 2016: 172.16.0.10  // AD Domain: mycompany.com

Now you want to forward every request for mycompany.com to the IP of your Windows AD server, 172.16.0.10. If you ran this setup without a Domain Override and looked up a hostname inside that domain, such as server.mycompany.com, the query would fail with "Host server.mycompany.com not found: 3 (NXDOMAIN)", because pfSense does not know that this zone lives on your AD server.

I’ll demonstrate it with an example of one of my own servers.

nslookup without Domain Override:

[Screenshot: nslookup result without Domain Override]

nslookup with Domain Override:

[Screenshot: nslookup result with Domain Override]

 

As you can see, once the Domain Override is in place, pfSense forwards the request to the domain's name server instead of answering NXDOMAIN. So how do you set up a Domain Override?

Setting up Domain Overrides

It's child's play. Navigate to Services / DNS Resolver, scroll all the way to the bottom and click +Add underneath Domain Overrides. Enter the domain name and the IP address of the domain controller or DNS server you want queries for that domain forwarded to. Click Save, then Apply Changes.

[Screenshot: Creating a Domain Override]

If you did everything correctly, you can verify your settings.

[Screenshot: Verifying the settings]

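If you would rather verify the override from a script than by eyeballing nslookup, here is an added Python example that is not part of the article: it sends a raw A query both to pfSense and to the AD DNS server and compares the two answers, reporting the NXDOMAIN case the article shows when the override is missing. PFSENSE_DNS and AD_DNS are the article's 192.168.1.1 and 172.16.0.10; the function names are my own.

```python
import random
import socket
import struct

PFSENSE_DNS = "192.168.1.1"  # pfSense DNS Resolver, as in the article
AD_DNS = "172.16.0.10"       # Windows AD DNS server for mycompany.com

def build_query(name):
    """Minimal DNS A query (QTYPE=A, QCLASS=IN) with the RD bit set."""
    header = struct.pack("!HHHHHH", random.randrange(65536), 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(buf, off):
    """Offset just past a domain name; label lengths are < 0xC0, pointers are >= 0xC0."""
    while buf[off] and buf[off] < 0xC0:
        off += buf[off] + 1
    return off + (2 if buf[off] >= 0xC0 else 1)

def parse_response(buf):
    """Return (rcode, [A record IPs]); rcode 3 is the NXDOMAIN the article shows."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return flags & 0x0F, ips

def resolve(name, server, timeout=2.0):
    """Query `server` directly over UDP, bypassing the OS stub resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_response(s.recv(4096))

def verdict(resolver_result, authority_result):
    """Compare the pfSense answer with the override target's own answer."""
    r_code, r_ips = resolver_result
    if r_code == 3:
        return "NXDOMAIN: the resolver has no Domain Override for this zone"
    if (r_code, sorted(r_ips)) != (authority_result[0], sorted(authority_result[1])):
        return f"mismatch: resolver={resolver_result} authority={authority_result}"
    return "ok: the resolver returns the override server's answer"
```

From a client on the 192.168.1.0/24 network, verdict(resolve("server.mycompany.com", PFSENSE_DNS), resolve("server.mycompany.com", AD_DNS)) reports NXDOMAIN before the override exists and "ok" afterwards. The same resolve() call against PFSENSE_DNS also shows whether a Host Override such as www.ourcompany.com really returns the private address.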
And that’s all there is to it, easy, right?

Now, while we are at it, let's also cover Host Overrides; you have probably already noticed the option right above Domain Overrides.

Host Overrides

Host Overrides are used to configure how a specific hostname is resolved by pfSense's DNS Resolver. One use case is split DNS: resolving your public DNS hostnames to private IP addresses, which eliminates the need for NAT reflection.

Let's assume we have a website hosted on another local network with the subnet 172.16.0.0/24. The website address is www.ourcompany.com and it resolves to 172.16.0.200. Without NAT reflection, clients in our local 192.168.1.0/24 subnet will not be able to reach the website. So what we need to do is create a Host Override for our local 192.168.1.0/24 subnet that points www.ourcompany.com to its IP address, 172.16.0.200.

Let’s visualize it to understand it better.

Navigate to Services / DNS Resolver and scroll down to the bottom. Underneath Host Overrides, click +Add.

[Screenshot: Creating a Host Override]

That’s it.

Wrapping up

Once you have wrapped your head around it, it's pretty straightforward and easy to understand. Domain and Host Overrides are a useful tool within pfSense, especially if you run your firewall in a corporate environment. Are you using Domain and Host Overrides? Let me know in the comment section below.

Comments
Jordan (Guest):

When I use Host Override, it blocks facebook and youtube forever?
How can I undo a Host Override? I deleted rules and overrides already but the sites are still blocked.

Joe Kingston (Guest):

Hello so if I’m using my own internal active directory DNS I have to use the Domain Override?
