Netgate Discussion Forum
    Help with domain override setup

    Category: DHCP and DNS
    18 posts, 3 posters, 508 views
    • krlsantcard

      Hello !!!
      I have a Domain Override configured in the DNS Resolver pointing to a DNS server on the DMZ.
      All tests inside pfSense (Diagnostics->Traceroute, Diagnostics->DNS Lookup) are OK, but on a client on the LAN it never resolves.

      I've done an nslookup (Windows):

      C:\Users\admin>nslookup prod-1.homelab.cu
      Servidor:  UnKnown
      Address:  192.168.160.55
      
      *** UnKnown no encuentra prod-1.homelab.cu: Non-existent domain
      

      Another test:

      C:\Users\admin>tracert -d prod-1.homelab.cu
      
      Traza a la dirección prod-1.homelab.cu [10.0.0.50]
      sobre un máximo de 30 saltos:
      
        1     1 ms    <1 ms     1 ms  192.168.160.55
        2     *        *        *     Tiempo de espera agotado para esta solicitud.
        3    60 ms    39 ms    59 ms  10.90.60.82
        4    89 ms    34 ms    32 ms  10.90.60.93
        5
      

      The funny thing is, when I turn off the WAN interface, it resolves perfectly.
      Any idea what I'm missing here? Thanks

      • johnpoz (LAYER 8 Global Moderator) @krlsantcard

        @krlsantcard said in Help with domain override setup:

        But on client from LAN never resolve.

        Is the client also on the same network as this NS you're forwarding to? Keep in mind that when you use a domain override, rebind will be in effect.

        If your client is on the same network as the NS you forward to, or there is asymmetrical routing back from the NS to the client, the client could say "hey wait a minute, I asked 1.2.3.4 for this, why am I getting an answer from 4.5.6.7?"

        What I find odd is why your nslookup does not even resolve 192.168.160.55; this is pfSense's own name, I would assume. This should really always resolve.

        > wwelsdjmfdss.dsfhjlsdjhfs.fdsfd
        Server:  sg4860.home.arpa
        Address:  192.168.9.253
        
        *** sg4860.home.arpa can't find wwelsdjmfdss.dsfhjlsdjhfs.fdsfd: Non-existent domain
        

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Gertjan @krlsantcard

          @krlsantcard said in Help with domain override setup:

          homelab.cu

          I'm not sure ...
          When I enter:

          a8728d31-aa7a-4d0c-8176-980305f1b945-image.png

          and save, and then restart unbound/the resolver, it works right away.

          C:\Users\Gauche>nslookup prod-1.homelab.cu
          Serveur :   pfSense.bhf.tld
          Address:  2a01:cb19:dead:beef:c3c:77ff:fe29:392c
          
          Nom :    prod-1.homelab.cu
          Address:  1.2.3.4
          

          My WAN is always connected.

          @krlsantcard said in Help with domain override setup:

          Servidor: UnKnown
          Address: 192.168.160.55

          Strange.
          Is this 192.168.160.55 your pfSense LAN or another LAN (OPTx) interface?
          Is unbound listening on this interface?
          This will do just fine:

          45a2b39c-e73d-47f6-a041-46837d4dbbfc-image.png

          Not related, but scary: .55 and not .1 or, if you have to, .254 ... No reverse for your pfSense?

          I'm using the default (Netgate) resolver settings, so my resolver resolves.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • johnpoz (LAYER 8 Global Moderator) @Gertjan

            @Gertjan he said domain override, so not a host override I think.

            He could be running into a transparent zone problem because .cu is a valid public TLD, so pfSense could be asking the internet, not his domain override, etc.

            Personally not a fan of using public domain names internally. If it's for internal use, just use an internal TLD like home.arpa or the newly approved .internal. But yeah, pfSense not resolving its own name is odd.

            • Gertjan @johnpoz

              @johnpoz said in Help with domain override setup:

              he could be running into a transparent zone problem because .cu is a valid public tld..

              That's exactly what I'm using:

              8fee8fd0-4188-4b0b-bdcb-cc18ea242d0a-image.png

              and I'm not using bhf.tld as the local pfSense domain name, but a dot net, so a real rented domain name.
              As I control this domain name with my own BIND DNS domain name server, I can 'see' if local LAN DNS requests get sent upstream, and this never happens.
              I like to see it like this: for all the local LAN-based "bhf.net" DNS requests (and the host overrides), my unbound is authoritative, so it gets an answer. If it can't, because I was asking for whatever.bhf.net, then the request can be forwarded upstream (resolved) and winds up on my own DNS zone domain server, which will say what needs to be said: dunno either.

              All this works perfectly fine with 'out of the Netgate box' settings.
              Never had any issues ^^

              • johnpoz (LAYER 8 Global Moderator) @Gertjan

                @Gertjan not saying it can't work; it can be problematic when you're trying to resolve some things internally, while other things externally.

                I am not a fan of doing it that way..

                If you have all your records set up for your internal stuff, you're good. It's when you don't and it tries to resolve externally that you can run into NX for sure, because your external doesn't have a record, etc.

                • Gertjan @johnpoz

                  @johnpoz

                  I didn't find another solution, as I have to use
                  captive-portal.my-hotel.net
                  for my captive portal, so I can easily get an LE/acme certificate for it.

                  The "my-hotel.net" must be publicly known for the DNS LE test.
                  Not sure if "local.arpa" can also be LE tested ^^

                  edit: btw: I ask for a wildcard *.my-hotel.net so I can use the cert for all my LAN-based hosts.

                  • krlsantcard

                    Thanks for the reply.
                    I was doing simple testing:
                    ping from LAN to DMZ doesn't respond!!!
                    ping from LAN to GUEST OK.
                    And I think all this odd behavior must be due to how I have everything set up.
                    So let me explain.
                    I have everything virtualized on VMware on my PC (one NIC).
                    05.jpg

                    my custom adapters
                    02.jpg

                    and here my networks from Windows
                    03.jpg

                    and in the pfSense setup
                    04.jpg

                    from the GUEST network everything works fine, or maybe??
                    464b39ed-876c-4622-9140-b3da97fb917b-image.png

                    but from LAN a ping to DMZ never responds,
                    however a ping to GUEST responds well.
                    Rules are open to any.

                    Any idea???

                    • krlsantcard @krlsantcard

                      ipconfig on the GUEST network,
                      07.jpg

                      • krlsantcard @krlsantcard

                        ipconfig in LAN
                        08.jpg

                        Is that why it never resolves????

                        • krlsantcard @krlsantcard

                          To finish, do I have to add the IP of my DNS server on the DMZ to the DNS server settings? Is that correct???
                          09.jpg

                          • krlsantcard @Gertjan

                            @Gertjan Problem solved!!!!

                            Yes, I don't know why, but it was related to virtualization.
                            Just put the VM on the LAN subnet and get everything via DHCP, and it resolves everything like a charm!!!!
                            Now from any subnet it works great. I almost gave up.
                            Thanks to you all.

                            • krlsantcard @krlsantcard

                              In order for all this to work I had to:

                              1. DNS Resolver -> Domain Overrides setting:
                                homelab.cu - 10.0.0.50 (DNS server in DMZ)

                              2. DNS Resolver -> Access Lists: grant access to the LAN and GUEST networks (not sure if it's needed).

                              3. Leave the "DNS Server Settings" fields blank (System->General Setup) (previously filled with Google DNS, but then it didn't resolve my internal DNS).

                              4. On every interface (LAN, GUEST) under the DHCP Server settings:
                                DNS server: IP of the interface, 8.8.8.8, 8.8.4.4, 1.1.1.1
                                gateway: IP of the interface
                                domain name: homelab.cu
                                (I suppose that this way any client connected to any of these interfaces gets its network settings via DHCP, and when resolving it first looks at the IP of the domain override, then if that fails goes to the other DNS servers I set up. Is that correct?) And is this the right way to do it??
                                Thanks again, and I hope someone can make some clarifications about the notes above.

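A small Python helper, added here as an example and not part of the thread or of pfSense, that renders a domain override in unbound's own directive syntax (forward-zone for the internal server, private-domain so rebind protection accepts RFC1918 answers, domain-insecure so DNSSEC does not reject an unsigned zone; this layout is an assumption, not the file pfSense writes) and flags the extra DNS servers handed out via DHCP in step 4, which can never answer for homelab.cu. The addresses 10.0.0.50 and 192.168.160.55 come from the thread; the function names are mine.

```python
import ipaddress
from typing import Dict, List

# Constructed sample values lifted from the thread: the override sends
# homelab.cu to the DNS server in the DMZ.
DOMAIN_OVERRIDES: Dict[str, str] = {"homelab.cu": "10.0.0.50"}


def unbound_override_config(overrides: Dict[str, str]) -> str:
    """Render domain overrides as plain unbound directives (assumed layout,
    not the file pfSense itself generates).

    forward-zone sends every query under the domain to the internal server
    instead of letting unbound resolve the public .cu TLD; private-domain
    permits RFC1918 answers for it despite DNS rebinding protection; and
    domain-insecure keeps DNSSEC validation from rejecting an unsigned zone.
    """
    server = ["server:"]
    zones: List[str] = []
    for domain, addr in sorted(overrides.items()):
        ipaddress.ip_address(addr)  # raises ValueError on a mistyped address
        server.append(f'    private-domain: "{domain}"')
        server.append(f'    domain-insecure: "{domain}"')
        zones.append(f'forward-zone:\n    name: "{domain}"\n    forward-addr: {addr}')
    return "\n".join(server + zones) + "\n"


def dhcp_dns_warnings(interface_ip: str, dns_servers: List[str]) -> List[str]:
    """Flag DHCP-handed DNS servers that cannot answer for the override domain.

    Clients do not try servers in order, so every public resolver in the list
    is a chance of an NXDOMAIN for an internal name.
    """
    resolver = ipaddress.ip_address(interface_ip)
    warnings: List[str] = []
    for entry in dns_servers:
        ip = ipaddress.ip_address(entry)
        if ip == resolver:
            continue  # the interface itself is unbound, which knows the override
        if not ip.is_private:
            warnings.append(f"{entry}: public resolver, knows nothing about internal zones")
        else:
            warnings.append(f"{entry}: bypasses {interface_ip}; it must carry the same override")
    return warnings


if __name__ == "__main__":
    print(unbound_override_config(DOMAIN_OVERRIDES))
    lan_dns = ["192.168.160.55", "8.8.8.8", "8.8.4.4", "1.1.1.1"]  # step 4 as posted
    for line in dhcp_dns_warnings("192.168.160.55", lan_dns):
        print("WARNING:", line)
```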
                              • johnpoz (LAYER 8 Global Moderator) @krlsantcard

                                @krlsantcard no, none of that makes any sense.. pfSense should really be the only DNS set on clients behind pfSense. If you want pfSense to forward to Google DNS or Cloudflare, then set up pfSense to do so.. But resolving should be fine; it's the default, you do not have to set any DNS IPs.

                                Those IPs sure as hell are not going to know about any local resources you want to resolve. And no, they do not try in order; when you set more than one nameserver on a client, you really have no idea which one it might ask.

                                • krlsantcard @johnpoz

                                  @johnpoz said in Help with domain override setup:

                                  clients behind pfsense should be really the only dns set on clients.

                                  At first I did it this way, but then it didn't resolve anything on the internet. Just my internal DNS.

                                  So I'm really lost on how I must go on!!!

                                  • krlsantcard @johnpoz

                                    @johnpoz said in Help with domain override setup:

                                    If you want pfsense to forward to google dns or cloudflare than setup pfsense to do so

                                    Please let me put it in a way you can understand what I intend: if I type www.homelab.cu or nas-prod-1.homelab.cu in a browser on LAN or GUEST, it should resolve via my DNS server on the DMZ; otherwise, typing any word or phrase, then Google.

                                    • krlsantcard

                                      Well, following your suggestions I removed all DNS.
                                      Client in GUEST (gets it via DHCP)
                                      12.jpg

                                      Is that correct???
                                      And a ping to Google.

                                      then in the browser:
                                      DNS_PROBE_FINISHED_NXDOMAIN

                                      Just did a flushdns and the problem was resolved.
                                      So that's the way it should be?

                                      • krlsantcard

                                        For clarification,
                                        on DHCP Server -> GUEST (static IP 192.168.42.1) I set
                                        DNS servers: 192.168.42.1
                                        Gateway: 192.168.42.1
                                        Domain name: homelab.cu

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.