Netgate Discussion Forum

disabling DNSSEC stops local hostname resolution?

DHCP and DNS | 14 Posts 4 Posters 890 Views
    • J
      JonSmizza
      last edited by

      Hi guys, got a weird one here.

      I run pfSense CE 2.7.2 on an old Zotac box.

      (image: hardware)

      I decided it's time to start using DNS-over-TLS, and followed the instructions here: https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html

      Works great. AFAICT. I was still trying to confirm it when I noticed a new problem.

      An 'nslookup' on my client workstation (Debian 12.5) returns an NXDOMAIN error for any of my LAN hostnames. External domains work fine.

      Reverted the changes I made as per that recipe, but couldn't get LAN hostname resolution working again. I eventually gave up and restored a pfSense settings backup and rebooted. Everything working again, except for DoT, as expected.

      So, I began working through the recipe again, and noticed LAN hostnames stopped resolving after disabling Services > DNS Resolver > DNSSEC > Uncheck "Enable DNSSEC support" (and saving that setting).

      I've been able to limit the backup restore area to 'DNS Resolver' only to return to a working state.

      Presently, I have actual hostnames entered for my DNS Servers, and the 'DNS Resolution Behavior' is set to "Use local DNS (127.0.0.1), ignore remote DNS Servers" (as per the recipe):

      (image: config)

      Any ideas please? Why are my LAN hostnames not resolving after disabling DNSSEC?

      Cheers. :)

      • V
        viragomann @JonSmizza
        last edited by

        @JonSmizza
        I circumvent this by stating the local domain as domain-insecure in the Resolver custom options:

        server:
        domain-insecure: "<local-domain>."
        
        • J
          JonSmizza @viragomann
          last edited by JonSmizza

          @viragomann Thank you for that great idea. 👍

          I'm not sure of the exact syntax required, so I tried a few variations:

          server:
          domain-insecure: "internal."
          
          server:
          domain-insecure: "internal"
          
          server:
          domain-insecure: "<local-domain>."
          

          In all cases, after clicking "save", then "apply changes", I get the same error as before when performing a lookup (I haven't disabled DNSSEC at this point):

          $ nslookup talia
          Server:         10.0.0.1
          Address:        10.0.0.1#53
          
          ** server can't find talia: NXDOMAIN
          

          I then need to restore the config for the DNS Resolver and restart the DNS Resolver service to get this working again:

          $ nslookup talia
          Server:         10.0.0.1
          Address:        10.0.0.1#53
          
          Name:   talia.internal
          Address: 10.0.0.2
          
          $ nslookup z.com
          Server:         10.0.0.1
          Address:        10.0.0.1#53
          
          Non-authoritative answer:
          Name:   z.com
          Address: 150.95.46.7
          

          Maybe my settings for DNS Resolver are getting scrambled or something?

          • J
            JonSmizza
            last edited by

            Another data-point.

            While the resolver is in a working state, I experimented by making a rather harmless change to its config: I ticked the Enable Python Module tickbox, save, apply changes.


            Issue reappears:

            ** server can't find talia: NXDOMAIN
            

            There's something off with the settings...

            • V
              viragomann @JonSmizza
              last edited by

              @JonSmizza said in disabling DNSSEC stops local hostname resolution?:

              I'm not sure of the exact syntax required, so I tried a few variations:

              server:
              domain-insecure: "internal."

              server:
              domain-insecure: "internal"

              server:
              domain-insecure: "<local-domain>."

              You have to state your exact local domain with a dot at the right.
              Ensure that this domain is stated in pfSense in the general setting and also your machines are within this domain.

              • J
                JonSmizza @viragomann
                last edited by JonSmizza

                @viragomann said in disabling DNSSEC stops local hostname resolution?:

                You have to state your exact local domain with a dot at the right.
                Ensure that this domain is stated in pfSense in the general setting and also your machines are within this domain.

                Thank you, we should be OK there:


                However, I'm stuck with the issue as per my previous post, where it seems changing any setting in DNS Resolver results in non-working local resolution.

                  • J
                    JonSmizza
                    last edited by JonSmizza

                    Think I've narrowed this down a bit more.

                    I located the config file /conf/config.xml and saved it before and after making changes to unbound via the pfSense UI.

                    Compared the two files, and saw only a couple of minor changes, but found what seems to be causing my issue.

                    In the config section for unbound, the working config has:

                    [regdhcp][/regdhcp]
                    [regdhcpstatic][/regdhcpstatic]

                    (but with less-than and greater-than instead of square brackets - I had to change these so this post wasn't flagged as spam)

                    ...but these are not written into the changed config file.

                    If I manually remove them from the working config, then restart unbound, I then get the NXDOMAIN error during a local hostname lookup.

                    Might be a bug?

                    There's also an entry for [dnssec][/dnssec] missing from the changed config too, but this doesn't affect my local lookups.

                    • J
                      JonSmizza
                      last edited by JonSmizza

                      More info, I think my problem will be related to this post: https://forum.netgate.com/post/1152951

                      My DHCP Backend is Kea DHCP

                      • J
                        JonSmizza
                        last edited by JonSmizza

                        Just a final post: everything works fine as long as I transfer over those two empty XML blocks into the updated config file.

                        @viragomann thank you for the idea regarding domain-insecure, I've now incorporated that into my setup. 👍

                        Cheers!

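The comparison JonSmizza describes a few posts up (saving /conf/config.xml before and after a DNS Resolver change and spotting the empty regdhcp/regdhcpstatic elements missing from the unbound section), the by-hand fix of carrying those empty blocks across into the updated file, and viragomann's domain-insecure check, done as one script. This is an added example, not code from the thread or from pfSense. It constructs two trimmed-down config.xml samples inline rather than reading a real file, and assumes that pfSense keeps the DNS Resolver custom options base64-encoded in <custom_options> and the system domain in <system><domain>; the element names regdhcp, regdhcpstatic, dnssec and the domain-insecure syntax are the ones given in the thread.

```python
import base64
import xml.etree.ElementTree as ET


def _encode_opts(text: str) -> str:
    # Assumption: pfSense stores DNS Resolver custom options base64-encoded.
    return base64.b64encode(text.encode()).decode()


def sample_config(flags, custom_opts):
    """Constructed, trimmed-down stand-in for /conf/config.xml (not a real file)."""
    flag_xml = "".join(f"<{tag}/>" for tag in flags)
    return (
        "<pfsense><system><domain>internal</domain></system>"
        f"<unbound><enable/>{flag_xml}"
        f"<custom_options>{_encode_opts(custom_opts)}</custom_options>"
        "</unbound></pfsense>"
    )


# "Before": the working config, with the empty flag elements and a correct
# domain-insecure line (system domain plus trailing dot).
WORKING_XML = sample_config(
    ["dnssec", "regdhcp", "regdhcpstatic"],
    'server:\ndomain-insecure: "internal."\n',
)
# "After": what the UI wrote back: flags gone, and one of the variants
# tried in the thread (no trailing dot) as the custom option.
CHANGED_XML = sample_config([], 'server:\ndomain-insecure: "internal"\n')


def unbound_children(xml_text):
    """Tag names directly under <unbound>."""
    unbound = ET.fromstring(xml_text).find("unbound")
    if unbound is None:
        raise ValueError("no <unbound> section in config")
    return {child.tag for child in unbound}


def missing_after_change(working_xml, changed_xml):
    """Elements present in the working <unbound> section but not the changed one."""
    return sorted(unbound_children(working_xml) - unbound_children(changed_xml))


def custom_options_text(xml_text):
    node = ET.fromstring(xml_text).find("unbound/custom_options")
    if node is None or not node.text:
        return ""
    return base64.b64decode(node.text).decode()


def domain_insecure_entries(xml_text):
    """Values of every domain-insecure: line in the custom options, quotes stripped."""
    entries = []
    for line in custom_options_text(xml_text).splitlines():
        line = line.strip()
        if line.startswith("domain-insecure:"):
            entries.append(line.split(":", 1)[1].strip().strip('"'))
    return entries


def check_domain_insecure(xml_text):
    """(ok, message): ok when a domain-insecure entry equals the system domain
    with the trailing dot that viragomann says is required."""
    domain = ET.fromstring(xml_text).findtext("system/domain", default="").strip()
    expected = domain + "."
    entries = domain_insecure_entries(xml_text)
    if expected in entries:
        return True, f"domain-insecure matches system domain {expected!r}"
    return False, f"expected domain-insecure {expected!r}, found {entries}"


def restore_missing_flags(working_xml, changed_xml):
    """Copy empty flag elements the change dropped from <unbound> back into the
    changed config (the manual fix from the thread). Returns (xml, restored_tags).
    Only elements that are empty in the working config are copied."""
    working_unbound = ET.fromstring(working_xml).find("unbound")
    changed_root = ET.fromstring(changed_xml)
    changed_unbound = changed_root.find("unbound")
    restored = []
    for tag in missing_after_change(working_xml, changed_xml):
        src = working_unbound.find(tag)
        if len(src) == 0 and not (src.text or "").strip():
            ET.SubElement(changed_unbound, tag)
            restored.append(tag)
    return ET.tostring(changed_root, encoding="unicode"), restored


if __name__ == "__main__":
    print("missing after change:", missing_after_change(WORKING_XML, CHANGED_XML))
    print(check_domain_insecure(CHANGED_XML)[1])
    fixed, restored = restore_missing_flags(WORKING_XML, CHANGED_XML)
    print("restored:", restored, "-> still missing:", missing_after_change(WORKING_XML, fixed))
```

Against the constructed samples the script reports dnssec, regdhcp and regdhcpstatic as dropped, flags the dot-less domain-insecure value, and produces a config with the three empty elements put back. On a real box you would point it at the two saved copies of /conf/config.xml, restore the corrected file the normal way, and restart unbound, then confirm with the same nslookup used in the thread.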
                        • S
                          SteveITS Galactic Empire @JonSmizza
                          last edited by

                          @JonSmizza Kea is in preview status and DHCP lease registration is not yet supported so yeah probably a bug.
                          https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#kea-dhcp-server-feature-preview-now-available

                          I would just change back until it’s ready.

                          • J
                            JonSmizza @SteveITS
                            last edited by

                            @SteveITS thank you, I wish I had known this before switching... reading the on-screen notes in pfSense suggested I was better off using Kea.

                            Anyway, apart from the issue I posted, it's been fine, so I'll stick with it unless future failures become too painful to bear.

                            Cheers!

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @JonSmizza
                              last edited by

                              @JonSmizza said in disabling DNSSEC stops local hostname resolution?:

                              I wish I had known this before switching

                              Clearly stated in the release notes.. Clearly stated in the blog they wrote about it.. Multiple Multiple threads here on the forum about it.

                              • J
                                JonSmizza @johnpoz
                                last edited by

                                @johnpoz said in disabling DNSSEC stops local hostname resolution?:

                                Clearly stated in the release notes.. Clearly stated in the blog they wrote about it.. Multiple Multiple threads here on the forum about it.

                                If only it had been clearly stated where it really matters.

                                Oh well. ¯\_(ツ)_/¯

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.