disabling DNSSEC stops local hostname resolution?
-
Hi guys, got a weird-one here.
I run pfSense CE 2.7.2 on an old Zotac box.
I decided it's time to start using DNS-over-TLS, and followed the instructions here: https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
Works great. AFAICT. I was still trying to confirm it when I noticed a new problem.
An 'nslookup' on my client workstation (Debian 12.5) returns an NXDOMAIN error for any of my LAN hostnames. External domains work fine.
Reverted the changes I made as per that recipe, but couldn't get LAN hostname resolution working again. I eventually gave-up and restored a pfSense settings backup and rebooted. Everything working again, except for DoT as-expected.
So, I began working through the recipe again, and noticed LAN hostnames stopped resolving after disabling Services > DNS Resolver > DNSSEC > Uncheck "Enable DNSSEC support" (and saving that setting).
I've been able to limit the backup restore area to 'DNS Resolver' only to return to a working state.
Presently, I have actual hostnames entered for my DNS Servers, and the 'DNS Resolution Behavior' is set to "Use local DNS (127.0.0.1), ignore remote DNS Servers" (as per the recipe):
Any ideas please? Why are my LAN hostnames not resolving after disabling DNSSEC?
Cheers. :)
-
@JonSmizza
I circumvent this by stating the local domain as domain-insecure in the Resolver custom options:server: domain-insecure: "<local-domain>." -
@viragomann Thank you for that great idea.
I'm not sure of the exact syntax required, so I tried a few variations:
server: domain-insecure: "internal."server: domain-insecure: "internal"server: domain-insecure: "<local-domain>."In all cases, after clicking "save", then "apply changes", I get the same error as before when performing a lookup (I haven't disabled DNSSEC at this point):
$ nslookup talia Server: 10.0.0.1 Address: 10.0.0.1#53 ** server can't find talia: NXDOMAINI then need to restore the config for the DNS Resolver and restart the DNS Resolver service to get this working again:
$ nslookup talia Server: 10.0.0.1 Address: 10.0.0.1#53 Name: talia.internal Address: 10.0.0.2$ nslookup z.com Server: 10.0.0.1 Address: 10.0.0.1#53 Non-authoritative answer: Name: z.com Address: 150.95.46.7Maybe my settings for DNS Resolver are getting scrambled or something?
-
Another data-point.
While the resolver is in a working state, I experimented by making a rather harmless change to its config: I ticked the Enable Python Module tickbox, save, apply changes.
Issue reappears:
** server can't find talia: NXDOMAINThere's something off with the settings...
-
@JonSmizza said in disabling DNSSEC stops local hostname resolution?:
I'm not sure of the exact syntax required, so I tried a few variations:
server:
domain-insecure: "internal."server:
domain-insecure: "internal"server:
domain-insecure: "<local-domain>."You have to state your exact local domain with a dot at the right.
Ensure that this domain is stated in pfSense in the general setting and also your machines are within this domain. -
@viragomann said in disabling DNSSEC stops local hostname resolution?:
You have to state your exact local domain with a dot at the right.
Ensure that this domain is stated in pfSense in the general setting and also your machines are within this domain.Thank you, we should be OK there:
However, I'm stuck with the issue as per my previous post where is seems changing any setting in DNS Resolver results in non-working local resolution.
-
This post is deleted! -
Think I've narrowed this down a bit more.
I located the config file
/conf/config.xmland saved it before and after making changes to unbound via the pfSense UI.Compared the two files, and saw only a couple of minor changes, but found what seems to be causing my issue.
In the config section for unbound, the working config has:
[regdhcp][/regdhcp]
[regdhcpstatic][/regdhcpstatic](but with less-than and greater-than instead of square brackets - I had to change these so this post wasn't flagged as spam)
...but these are not written into the changed config file.
If I manually remove them from the working config, then restart unbound, I then get the NXDOMAIN error during a local hostname lookup.
Might be a bug?
There's also an entry for
[dnssec][/dnssec]missing from the changed config too, but this doesn't affect my local lookups. -
More info, I think my problem will be related to this post: https://forum.netgate.com/post/1152951
My DHCP Backend is
Kea DHCP -
Just a final post: everything works fine as long as I transfer over those two empty XML blocks into the updated config file.
@viragomann thank you for the idea regarding
domain-insecure, I've now incorporated that into my setup.Cheers!
-
@JonSmizza Kea is in preview status and DHCP lease registration is not yet supported so yeah probably a bug.
https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#kea-dhcp-server-feature-preview-now-availableI would just change back until it’s ready.
-
@SteveITS thank you, I wish I had known this before switching... reading the on-screen notes in pfSense suggested I was better-off using Kea.
Anyway, apart from the issue I posted, it's been fine, so I'll stick with it unless future failures become too painful to bear.
Cheers!
-
@JonSmizza said in disabling DNSSEC stops local hostname resolution?:
I wish I had known this before switching
Clearly stated in the release notes.. Clearly stated in the blog they wrote about it.. Multiple Multiple threads here on the forum about it.
-
@johnpoz said in disabling DNSSEC stops local hostname resolution?:
Clearly stated in the release notes.. Clearly stated in the blog they wrote about it.. Multiple Multiple threads here on the forum about it.
If only it had been clearly stated where it really matters.
Oh well. ¯_(ツ)_/¯
