Netgate Discussion Forum

    disabling DNSSEC stops local hostname resolution?

    DHCP and DNS
    • V
      viragomann @JonSmizza
      last edited by

      @JonSmizza said in disabling DNSSEC stops local hostname resolution?:

      I'm not sure of the exact syntax required, so I tried a few variations:

      server:
      domain-insecure: "internal."

      server:
      domain-insecure: "internal"

      server:
      domain-insecure: "<local-domain>."

      You have to state your exact local domain with a dot at the right.
      Ensure that this domain is stated in pfSense in the general setting and also your machines are within this domain.

      J 2 Replies Last reply Reply Quote 1
      • J
        JonSmizza @viragomann
        last edited by JonSmizza

        @viragomann said in disabling DNSSEC stops local hostname resolution?:

        You have to state your exact local domain with a dot at the right.
        Ensure that this domain is stated in pfSense in the general setting and also your machines are within this domain.

        Thank you, we should be OK there:

        alt text

        However, I'm stuck with the issue as per my previous post where it seems changing any setting in DNS Resolver results in non-working local resolution.

        1 Reply Last reply Reply Quote 0
        • J
          JonSmizza @viragomann
          last edited by

          This post is deleted!
          1 Reply Last reply Reply Quote 0
          • J
            JonSmizza
            last edited by JonSmizza

            Think I've narrowed this down a bit more.

            I located the config file /conf/config.xml and saved it before and after making changes to unbound via the pfSense UI.

            Compared the two files, and saw only a couple of minor changes, but found what seems to be causing my issue.

            In the config section for unbound, the working config has:

            [regdhcp][/regdhcp]
            [regdhcpstatic][/regdhcpstatic]

            (but with less-than and greater-than instead of square brackets - I had to change these so this post wasn't flagged as spam)

            ...but these are not written into the changed config file.

            If I manually remove them from the working config, then restart unbound, I then get the NXDOMAIN error during a local hostname lookup.

            Might be a bug?

            There's also an entry for [dnssec][/dnssec] missing from the changed config too, but this doesn't affect my local lookups.

            1 Reply Last reply Reply Quote 0
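The before/after comparison of /conf/config.xml described in the post above can be scripted so that dropped empty elements stand out. This is an added example, not code from the thread or from pfSense; the sample XML is constructed and reduced to the unbound section, and the `enable` and `port` keys are filler.

```python
import xml.etree.ElementTree as ET

# Constructed samples reduced to the <unbound> section. The dnssec, regdhcp
# and regdhcpstatic tags come from the thread; enable and port are filler.
BEFORE = """<pfsense>
  <unbound>
    <enable></enable>
    <dnssec></dnssec>
    <regdhcp></regdhcp>
    <regdhcpstatic></regdhcpstatic>
    <port>53</port>
  </unbound>
</pfsense>"""

AFTER = """<pfsense>
  <unbound>
    <enable></enable>
    <port>53</port>
  </unbound>
</pfsense>"""


def section_items(xml_text, section="unbound"):
    """Map each child tag of <section> to its stripped text ('' if empty)."""
    node = ET.fromstring(xml_text).find(section)
    if node is None:
        raise ValueError(f"no <{section}> section in config")
    # Repeated tags collapse to the last one; enough for flag-style keys.
    return {child.tag: (child.text or "").strip() for child in node}


def diff_section(before_xml, after_xml, section="unbound"):
    """Return (dropped, added, changed) tag lists for one config section."""
    before = section_items(before_xml, section)
    after = section_items(after_xml, section)
    # An empty element that vanishes carries no value, so it is easy to
    # overlook in a text diff; report presence separately from value changes.
    dropped = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    changed = sorted(k for k in set(before) & set(after) if before[k] != after[k])
    return dropped, added, changed


if __name__ == "__main__":
    dropped, added, changed = diff_section(BEFORE, AFTER)
    print("dropped:", dropped)
    print("added:  ", added)
    print("changed:", changed)
```

To use it on real files, read the two saved copies of config.xml and pass their contents to `diff_section`.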
            • J
              JonSmizza
              last edited by JonSmizza

              More info, I think my problem will be related to this post: https://forum.netgate.com/post/1152951

              My DHCP Backend is Kea DHCP

              1 Reply Last reply Reply Quote 0
              • J
                JonSmizza
                last edited by JonSmizza

                Just a final post: everything works fine as long as I transfer over those two empty XML blocks into the updated config file.

                @viragomann thank you for the idea regarding domain-insecure, I've now incorporated that into my setup. 👍

                Cheers!

                S 1 Reply Last reply Reply Quote 0
                • S
                  SteveITS Galactic Empire @JonSmizza
                  last edited by

                  @JonSmizza Kea is in preview status and DHCP lease registration is not yet supported so yeah probably a bug.
                  https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#kea-dhcp-server-feature-preview-now-available

                  I would just change back until it’s ready.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                  J 1 Reply Last reply Reply Quote 0
                  • J
                    JonSmizza @SteveITS
                    last edited by

                    @SteveITS thank you, I wish I had known this before switching... reading the on-screen notes in pfSense suggested I was better-off using Kea.

                    Anyway, apart from the issue I posted, it's been fine, so I'll stick with it unless future failures become too painful to bear.

                    Cheers!

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @JonSmizza
                      last edited by

                      @JonSmizza said in disabling DNSSEC stops local hostname resolution?:

                      I wish I had known this before switching

                      Clearly stated in the release notes.. Clearly stated in the blog they wrote about it.. Multiple Multiple threads here on the forum about it.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      J 1 Reply Last reply Reply Quote 0
                      • J
                        JonSmizza @johnpoz
                        last edited by

                        @johnpoz said in disabling DNSSEC stops local hostname resolution?:

                        Clearly stated in the release notes.. Clearly stated in the blog they wrote about it.. Multiple Multiple threads here on the forum about it.

                        If only it had been clearly stated where it really matters.

                        Oh well. ¯_(ツ)_/¯

                        1 Reply Last reply Reply Quote 0
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.