[solved] Domain Overrides only working towards one pfSense
-
I have 3 sites with pfSenses, one is home (site 1). I have created Domain Overrides between site 1 & 2 and vice versa, works fine. Now I did the same between 1 & 3 but it is only working towards 1, not the other way around. The settings are the same. Site 3 is a clone (VM) of site 2. I changed the IP addresses and over IP everything is working, just the Domain Override towards site 3 is not.
PS C:\Users\Bobby> nslookup pfsense.1blu2.XYZ.de
Server:  pfSense.aps1.XYZ.de
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** pfSense.aps1.XYZ.de can't find pfsense.1blu2.XYZ.de: Server failed
PS C:\Users\Bobby>

PS C:\Users\Bobby> nslookup pfsense.1blu1.XYZ.de
Server:  pfSense.aps1.XYZ.de
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    pfsense.1blu1.XYZ.de
Address:  10.3.9.1
PS C:\Users\Bobby>
Maybe @johnpoz has an idea?
-
@Bob-Dig And this pfSense can connect to those other servers?
Just double checking, you aren’t looking for a host override are you?
-
@SteveITS said in Domain Overrides only working towards one pfSense:
And this pfSense can connect to those other servers?
Like I said, everything works except the domain override towards *.1blu2.XYZ.de
Just double checking, you aren’t looking for a host override are you?
No, the two other sites are each almost identical Proxmox VE on VPS, with pfSense as the Firewall for the VMs there.
-
@Bob-Dig said in Domain Overrides only working towards one pfSense:
Maybe @johnpoz has an idea?
When you do a forward, be it just normal forwarding or with a domain override for the domain you're looking for, you need to make sure you set the domain as private, or it would be a rebind. Or even if you normally resolve: if some other server was asked for some FQDN, and the answer is RFC1918, it's a rebind. It is only not a rebind if the resource that is being asked of the unbound is a local resource.
Asking another server that returns RFC1918 for an address would be a rebind.
Also when asking some other unbound from a source IP, the IP needs to be in the ACL of unbound. And if you're asking coming in from WAN, the RFC1918 rule that defaults to being on WAN would have to be disabled.
These 10.3.9.x IPs, where are they exactly, what interface are you talking to them on? Does this pfSense have a leg in the 10.3.9 network?
-
@johnpoz said in Domain Overrides only working towards one pfSense:
Does this pfSense have a leg in the 10.3.9 network?
It (home) does have a leg in both of these pfSenses.
I noticed that the server certificate has the same name on both (because one was a clone of the other) but it shouldn't matter for DNS on port 53, probably that doesn't matter at all.
-
@johnpoz said in Domain Overrides only working towards one pfSense:
When you do a forward, be it just normal forwarding or with a domain override for the domain you're looking for, you need to make sure you set the domain as private, or it would be a rebind. Or even if you normally resolve: if some other server was asked for some FQDN, and the answer is RFC1918, it's a rebind. It is only not a rebind if the resource that is being asked of the unbound is a local resource.
Asking another server that returns RFC1918 for an address would be a rebind.
Also when asking some other unbound from a source IP, the IP needs to be in the ACL of unbound. And if you're asking coming in from WAN, the RFC1918 rule that defaults to being on WAN would have to be disabled.
I don't know how to set a domain to private but it is working for Site 2 and not Site 3. All Sites are a pfSense and all got their domain name set in "General Setup". And I try to connect to those pfSenses, so they are local to themselves. The IPs are in the ACL of unbound because of that leg thingy. Everything is allowed on those tunnels towards each other, WAN is not used.
It makes no sense that it is not working for (towards) site 3.
In hindsight obvious, but I had limited the Outgoing Network Interfaces for the resolver and the interface to Site 2 wasn't in it.
-
@Bob-Dig said in [solved] Domain Overrides only working towards one pfSense:
I don't know how to set a domain to private but it is working for Site 2 and not Site 3
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-resolver
edit: it seems these are now set automatically in unbound when you create a domain override. Not exactly sure when that might have changed? I don't believe it's always been like that.. But it's a good setting to keep users from shooting themselves in the foot.
You can view the unbound conf here:
[23.05.1-RELEASE][admin@sg4860.local.lan]/: cat /var/unbound/unbound.conf
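As an added example (not from this thread, and not pfSense's own code), a small Python checker that reads the two settings the thread turns on from an unbound.conf in the shape pfSense writes: whether each domain override (a forward-zone) is covered by a private-domain entry, and whether its forward-addr sits on the network of one of the listed outgoing-interface addresses, which is what the Outgoing Network Interfaces restriction in the resolver settings becomes. The config text, the interface table and every name and address are constructed; the parser assumes IPv4 and the plain `key: value` layout pfSense emits.

```python
import ipaddress
# Constructed unbound.conf excerpt in the shape pfSense writes it (all names and addresses are made up).
SAMPLE_CONF = """
server:
    outgoing-interface: 192.168.1.1
    outgoing-interface: 10.3.9.1
    private-domain: "1blu1.XYZ.de"
    private-domain: "1blu2.XYZ.de"
forward-zone:
    name: "1blu1.XYZ.de"
    forward-addr: 10.3.9.2
forward-zone:
    name: "1blu2.XYZ.de"
    forward-addr: 10.4.9.2
"""
# Constructed table of this box's interface addresses and their networks (what ifconfig would show).
IFACE_NETS = {"192.168.1.1": "192.168.1.0/24", "10.3.9.1": "10.3.9.0/24", "10.4.9.1": "10.4.9.0/24"}

def parse_conf(text):
    """Pull out the directives the thread discusses; forward-zones become (name, forward-addr) pairs."""
    cfg = {"outgoing": [], "private": [], "zones": []}
    zone = None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        val = val.strip().strip('"').lower().rstrip(".")
        if key == "outgoing-interface":
            cfg["outgoing"].append(val)
        elif key == "private-domain":
            cfg["private"].append(val)
        elif key == "name":
            zone = val
        elif key == "forward-addr" and zone:
            cfg["zones"].append((zone, val))
    return cfg

def check_overrides(cfg, iface_nets=IFACE_NETS):
    """Return {zone: [problems]} for every domain override; an empty list means it should work."""
    out_nets = [ipaddress.ip_network(iface_nets[a]) for a in cfg["outgoing"] if a in iface_nets]
    report = {}
    for zone, addr in cfg["zones"]:
        problems = []
        # private-domain covers the name and everything under it; without it RFC1918 answers are dropped as rebinding
        if not any(zone == p or zone.endswith("." + p) for p in cfg["private"]):
            problems.append("no private-domain entry: RFC1918 answers will be discarded as rebinding")
        # heuristic: the forwarder must be on a network of a listed outgoing-interface, or queries cannot leave that way
        if out_nets and not any(ipaddress.ip_address(addr) in n for n in out_nets):
            problems.append("forward-addr not on any outgoing-interface network: queries never reach it")
        report[zone] = problems
    return report
```

With the sample above, the 1blu1 override passes and 1blu2 is flagged because 10.4.9.1 is missing from outgoing-interface, which is the situation the thread ends on.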
-
@johnpoz I did and I noticed it was already set, ty.