Completely confused by DNS failure (dnsmasq)
-
@NickJH The "Enable Forwarding Mode" forwards anything that isn't a host or domain override.
@NickJH said in Completely confused by DNS failure (dnsmasq):
can I bulk load hosts into pfSense?
I don't think so but you can put it in the config file and then restore just the DNS Resolver config.
@johnpoz "The [upstream] firewall itself has host file entries for machines like Sia2 "
-
@SteveITS said in Completely confused by DNS failure (dnsmasq):
@johnpoz "The [upstream] firewall itself has host file entries for machines like Sia2 "
It didn't send them, unless you edited the response.
edit: oh I see you did some more posts... Pretty sure dnsmasq also does rebind protection.. When you forward, an RFC 1918 response is not going to be returned to the client.. Unless you have turned off rebind or have set up a domain to be private and allowed to return RFC 1918
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
-
@johnpoz said in Completely confused by DNS failure (dnsmasq):
When you forward, an RFC 1918 response is not going to be returned to the client
Ah yes there it is.
-
Yes, it could be rebind protection as I expect it to return a private IP (172.17.2.51). It is late here so I'll have a look in the morning.
-
I can confirm it was rebind protection causing it. I have disabled it and am using the DNS Resolver successfully in forwarder mode. Thanks.
-
@NickJH did you disable it globally? I would suggest just setting the domain you're forwarding for and want RFC 1918 for, vs turning it completely off.
-
@johnpoz Yes I did it globally. I don't know how to do it by domain only, but it does not matter as pfSense is on my LAN for testing/learning. When I deploy it properly, I'll be turning it back on. It is just that it was interfering with my testing.
-
@NickJH for reference it’s on that doc page:
“To exclude a domain from DNS rebinding protection, use the Custom Options box in the DNS resolver settings. Enter one domain per line in the following format, preceded by the server: line.
server:
private-domain: "example.com"
private-domain: "dnsbl.example"”
I just forget about this “feature” because it’s rarely needed, but we had to discover/use it ourselves 10 years ago.
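Added example (not part of any post in this thread, and not unbound's or pfSense's code): a small model of the rebind check described above, showing why a forwarded answer for a host like Sia2 (172.17.2.51) is dropped until its domain is listed under `private-domain:` in the custom options. The hostname `sia2.example.com` and the options text are constructed for the demonstration.

```python
import ipaddress

# Model of pfSense's DNS Rebind Check as described in the thread: a forwarded
# answer that resolves to an RFC 1918 address is dropped unless the queried
# name falls under a domain listed with "private-domain:" in Custom Options.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_private_domains(custom_options: str) -> set[str]:
    """Collect private-domain names from unbound-style custom options text."""
    domains = set()
    for raw in custom_options.splitlines():
        line = raw.strip()
        if not line.startswith("private-domain:"):
            continue
        value = line[len("private-domain:"):].strip().strip('"')
        value = value.rstrip(".").lower()
        if value:
            domains.add(value)
    return domains


def is_private_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def under_private_domain(qname: str, private_domains: set[str]) -> bool:
    """private-domain covers the listed name and every name below it."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in private_domains)


def rebind_check(qname: str, answer_ip: str, custom_options: str,
                 rebind_protection: bool = True) -> str:
    """Return 'allowed' if the client would see the answer, else 'filtered'."""
    if not rebind_protection or not is_private_address(answer_ip):
        return "allowed"
    if under_private_domain(qname, parse_private_domains(custom_options)):
        return "allowed"
    return "filtered"


# Constructed sample options, in the format quoted from the Netgate docs.
CUSTOM_OPTIONS = 'server:\nprivate-domain: "example.com"\n'

if __name__ == "__main__":
    for opts in ("", CUSTOM_OPTIONS):
        print(repr(opts), rebind_check("sia2.example.com", "172.17.2.51", opts))
```

With empty options the answer is filtered; with the `private-domain` line it is allowed, and the check stays on for every other domain.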
-
@NickJH how to do that was right in the link I posted..
For both unbound and dnsmasq
I take it you didn't read past the "This behavior is controlled by the DNS Rebind Check option under System > Advanced, Admin Access tab." part ;)
-
@johnpoz All I needed was a quick and dirty fix because it is not going to be the production setup. I did the fix late yesterday but it was about 10pm and if the quick and dirty was going to fix it, it was good enough for me. I only tested it this morning.