PfSense BIND and CNAME Quandry

Craash

I have a pfSense box that I'm going to migrate my LAN's primary DNS to.

The current master is a ubunitu 16.04LTS box.  It will become a secondary once the migration is complete.

So far I'm created a single zonefile on pfSense, manually.

kc.corp.

All A records resolve as one would expect.

What gets weird is CNAME records.

For example, I have a host named 'gateway' (FQDN gateway.kc.corp)

I created a A record for 'gateway' of 192.168.0.254. (which is the pfsense box)

I created a CNAME pointing of 'gw' pointing to gateway.kc.corp.

gateway (or FQDN) resolves fine from a workstation

gw fails on pfSense.

NSLookup does not return a value for it unless I set the q=cname.

C:\Users\Tech>ping gw
Ping request could not find host gw. Please check the name and try again.

C:\Users\Tech>nslookup
Default Server:  UnKnown
Address:  192.168.0.254 -> remember, this is the pfsense box.

gw
Server:  UnKnown
Address:  192.168.0.254

*** UnKnown can't find gw: Non-existent domain

set q=cname
gw
Server:  UnKnown
Address:  192.168.0.254

gw.kc.corp  canonical name = 6BH3S52
kc.corp    nameserver = 6BH3S52.kc.corp
kc.corp    nameserver = X7DWE.kc.corp
X7DWE.kc.corp      internet address = 192.168.0.1
6BH3S52.kc.corp    internet address = 192.168.0.254

Any ideas?

johnpoz

"Server:  UnKnown
Address:  192.168.0.254"

You don't even PTR for your own networks.. Ie server unknown.. I would fix the basics before moving on ;)

gw.kc.corp  canonical name = 6BH3S52

Huh???  WTF is that?  Post up you zone file and bind config if you have questions on bind.

Craash

I believe I've found my issue.

I think it all boils down to the $ORIGIN option.

In standard "master file format" files if you don't add the trailing '.' then the name is assumed to be relative to the current zone file's $ORIGIN (which is either specified in the zone file, or taken from the zone statement in named.conf otherwise).

My pfsense Bind installation is appending a "." after my CNAMEs (in the file, not the web interface).  The . makes the name be relative to the root, without it, it the name will be relative to the current zone. The standard zone format is defined in rfc1035 and rfc1034.

A workaround?  Use FQDN for the CNAME.

In the very possible senerio I'm missing something, here is my named.conf:

_**#Bind pfsense configuration
#Do not edit this file!!!

key "rndc-key" {
        algorithm hmac-md5;
        secret "U2pHDolr0KZStIQrFOVPTw==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        statistics-file "/var/log/named.stats";
        max-cache-size 512M;
        listen-on-v6 { ::1;  };
        listen-on { 192.168.0.254; 127.0.0.1;  };
        notify yes;
        allow-query    { any; };^M
        empty-zones-enable  yes;
};

logging {
        channel custom {
                syslog daemon;
                print-time no;
                print-severity yes;
                print-category yes;
                severity dynamic;
                };
        category default { custom; };
};

acl "kc.corp" {
        192.168.0.0/24;
};

view "LAN" {
        recursion yes;
        match-clients { any; };
        allow-recursion { any; };

zone "kc.corp" {
                type master;
                file "/etc/namedb/master/LAN/kc.corp.DB";
                allow-query { any; };
                allow-transfer { kc.corp; };
                allow-update { kc.corp; };
        };

zone "0.168.192.in-addr.arpa" {
                type master;
                file "/etc/namedb/master/LAN/0.168.192.DB";
                allow-query { kc.corp; };
                allow-transfer { kc.corp; };
                allow-update { kc.corp; };
        };

zone "." {
                type hint;
                file "/etc/namedb/named.root";
        };

};**_

My kc.corp zone file: In it, notice the trailing periods after the CNAME value.  By placing kc.corp after the gw CNAME, it worked as expected.

_**$TTL 6h
;
; Database file kc.corp.DB for kc.corp zone.
; Do not edit this file!!!
; Zone version 2
;
kc.corp. IN  SOA 6BH3S52.kc.corp. zonemaster.kc.corp. (
2 ; serial
1d ; refresh
2h ; retry
4w ; expire
1h ; default_ttl
)

;
; Zone Records
;
@ IN NS 6BH3S52.kc.corp.
@ IN NS  X7DWE.kc.corp.
6BH3S52 IN A  192.168.0.254
gateway IN CNAME  6BH3S52.
gw IN CNAME  6BH3S52.kc.corp.
X7DWE IN A  192.168.0.1
SRXC606 IN A  192.168.0.69
me IN CNAME  SRXC606.
N5550 IN A  192.168.0.2
ns1 IN CNAME  6BH3S52.
ns2 IN CNAME  X7DWE.
NextCloud IN CNAME  X7DWE.
switch IN A  192.168.0.253
p1 IN A  192.168.0.22
p2 IN A  192.168.0.23
HS1 IN A  192.168.1.1
HS2 IN A  192.168.1.69
AP1 IN A  192.168.0.50
AP2 IN A  192.168.0.51
pfsense IN CNAME  6BH3S52.
VM-Sandbox IN A  192.168.0.110
ns3 IN CNAME  N5550.**_

I did try $ORIGIN kc.corp. in the zone custom options, but it threw and error on zone load of Unknown Option.