pfSense DNS Automation

Automated management of pfSense DNS Resolver host overrides using the netapi CLI tool.

Prerequisites

  • pfSense with REST API v2 package installed (pfSense-pkg-API)

  • API key created in pfSense (System > API > Settings)

  • Credentials stored in dsec: PFSENSE_IP, PFSENSE_API_SECRET

Quick Reference

# Load secrets
eval "$(dsec source d000 dev/network)"

# List DNS host overrides
netapi pfsense dns list

# Add host override
netapi pfsense dns add --host nas-01 --domain inside.domusdigitalis.dev --ip 10.50.1.70 --descr "Synology NAS"

# Update existing override
netapi pfsense dns update --id 8 --host nas-01 --domain inside.domusdigitalis.dev --ip 10.50.1.70

# Delete override
netapi pfsense dns delete --id 5

# Apply changes without add/update/delete
netapi pfsense dns apply

Current DNS Host Overrides

ID  Host         Domain                     IP           Description
0   9800-wlc-01  inside.domusdigitalis.dev  10.50.1.40   Cisco 9800 WLC
2   certmgr-01   inside.domusdigitalis.dev  10.50.1.60   Let’s Encrypt cert manager
3   gitea-01     inside.domusdigitalis.dev  10.50.1.70   Gitea on NAS
4   guest        domusdigitalis.dev         10.50.1.21   ISE Guest Portal
5   home-dc01    inside.domusdigitalis.dev  10.50.1.50   Windows Domain Controller
6   ipmi-01      inside.domusdigitalis.dev  10.50.1.200  KVM Host IPMI/BMC
7   ipsk-mgr-01  inside.domusdigitalis.dev  10.50.1.30   iPSK Manager primary
8   ipsk-mgr-02  inside.domusdigitalis.dev  10.50.1.31   iPSK Manager secondary
9   ise-01       inside.domusdigitalis.dev  10.50.1.20   Cisco ISE primary
10  ise-02       inside.domusdigitalis.dev  10.50.1.21   Cisco ISE secondary
11  keycloak-01  inside.domusdigitalis.dev  10.50.1.80   Keycloak IdP
12  kvm-01       inside.domusdigitalis.dev  10.50.1.99   KVM Hypervisor Host
14  nas-01       inside.domusdigitalis.dev  10.50.1.70   Synology NAS
15  nas-02       inside.domusdigitalis.dev  10.50.1.71   Synology NAS secondary
21  pfsense-01   inside.domusdigitalis.dev  10.50.1.1    pfSense firewall
22  sponsor      domusdigitalis.dev         10.50.1.21   ISE Sponsor Portal

Domain Naming Convention

Type                     Pattern                                   Example
External (guest-facing)  <service>.domusdigitalis.dev              guest.domusdigitalis.dev
Internal (management)    <service>-<##>.inside.domusdigitalis.dev  ise-01.inside.domusdigitalis.dev
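
A pre-flight check to run before the add command, as an added example that is not part of netapi or of the original page: it validates a host/domain pair against the naming convention above, validates the IPv4 address, and reports existing overrides that already use that address. The function names and the "ID HOST DOMAIN IP" inventory layout are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks to run before `netapi pfsense dns add`.
LC_ALL=C; export LC_ALL   # keep [a-z] ranges ASCII-only

# Constructed inventory, one override per line as "ID HOST DOMAIN IP".
# Rows are copied from the table on this page; the layout is an assumption,
# not the output format of `netapi pfsense dns list`.
SAMPLE_OVERRIDES='3 gitea-01 inside.domusdigitalis.dev 10.50.1.70
4 guest domusdigitalis.dev 10.50.1.21
10 ise-02 inside.domusdigitalis.dev 10.50.1.21
14 nas-01 inside.domusdigitalis.dev 10.50.1.70'

# check_name HOST DOMAIN: print "internal" or "external"; fail if the pair
# does not follow the page's naming convention.
check_name() {
    case "$1" in ''|*[!a-z0-9-]*|-*|*-) return 1 ;; esac
    case "$2" in
        inside.domusdigitalis.dev)             # <service>-<##>
            case "$1" in *[a-z0-9]-[0-9][0-9]) echo internal ;; *) return 1 ;; esac ;;
        domusdigitalis.dev) echo external ;;   # <service>
        *) return 1 ;;
    esac
}

# valid_ipv4 ADDR: succeed only for four dot-separated octets in 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# shared_ip IP: read the inventory on stdin, print FQDNs already using IP.
shared_ip() { awk -v ip="$1" '$4 == ip { print $2 "." $3 }'; }

# preflight HOST DOMAIN IP < inventory: print "ok ..." or fail with a reason.
preflight() {
    zone=$(check_name "$1" "$2") || { echo "bad name: $1.$2" >&2; return 1; }
    valid_ipv4 "$3" || { echo "bad IPv4: $3" >&2; return 2; }
    others=$(shared_ip "$3" | grep -Fxv "$1.$2" | tr '\n' ' ')
    [ -z "$others" ] || echo "note: $3 also serves: $others" >&2
    echo "ok $zone $1.$2 -> $3"
}

printf '%s\n' "$SAMPLE_OVERRIDES" | preflight nas-02 inside.domusdigitalis.dev 10.50.1.71
```

A shared address is reported as a note rather than an error because the table above has intentional cases (Gitea on the NAS, the ISE portals). Run against that table, the name check rejects home-dc01, which has no hyphen before its number.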

Credential Setup

pfSense API v2 Setup

  1. Install pfSense API package:

    • System > Package Manager > Available Packages

    • Search "API" > Install pfSense-pkg-API

  2. Create API key:

    • System > API > Settings

    • Authentication Mode: Local Database

    • Click "Generate" for API Secret

    • Save the secret

  3. Store credentials in dsec:

    dsec edit d000 dev/network
    # Add:
    # PFSENSE_IP=10.50.1.1
    # PFSENSE_API_SECRET=YOUR_API_SECRET