Netgate Discussion Forum

    DNS Domain override not working

    Category: DHCP and DNS
    8 Posts, 3 Posters, 528 Views
    • iggybuddy6 (last edited by iggybuddy6)

      In DNS Resolver I have set a Domain Override for the domain 'm.internal.domain.com' Address: 10.10.40.30 to forward to a PowerDNS but queries like query.m.internal.domain.com are not being forwarded.

      Is there anything special I have to look for or what am I missing?

      DNS Resolver
      System Domain Local Zone Type: static
      DNS Query Forwarding
      Enable Forwarding Mode: checked
      Use SSL/TLS for outgoing DNS Queries to Forwarding Servers: checked

      My system domain is 'internal.domain.com'

      When I point dig directly at PowerDNS (@address) it works fine, but when going through pfSense, unbound gives no results / no forward.

      When I dump the unbound conf I see m.internal.domain.com in the domainoverrides.conf

      # Domain overrides
      include: /var/unbound/domainoverrides.conf
      # Forwarding
      forward-zone:
      	name: "."
      	forward-tls-upstream: yes
      	forward-addr: 9.9.9.9@853#dns.quad9.net
      	forward-addr: 149.112.112.112@853#dns.quad9.net
      
      

      cat /var/unbound/domainoverrides.conf

      forward-zone:
      	name: "m.internal.domain.com"
      	forward-addr: 10.10.40.30
      
      • SteveITS (Rebel Alliance) @iggybuddy6

        @iggybuddy6 what's in domainoverrides.conf?

        You’re querying pfSense directly? Often browsers use DoH nowadays.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.

        • iggybuddy6 @SteveITS (last edited by iggybuddy6)

          @SteveITS thx, yeah, I quickly realized it is actually in the domainoverrides. Not sure what you mean with the DoH used by browsers; I am going via dig: +short @10.10.40.30 works, but when hitting pfSense unbound it does not. There is no fw rule nor NAT port forward that I am aware of affecting this.

          • iggybuddy6 @iggybuddy6 (last edited by iggybuddy6)

            I have tried setting System Domain Local Zone Type: transparent and disabling pfBlockerNG + DNSBL, with no luck. There are no other Host Overrides in DNS Resolver for that domain either, and no Custom Options in Unbound.

            • patient0 @iggybuddy6 (last edited by patient0)

              @iggybuddy6 said in DNS Domain override not working:

              have tried setting System Domain Local Zone Type: transparent and disabling pfBlockerNG + DNSBL with no luck

              In pfSense Diagnostics / pfTop do you see connections to the PowerDNS server 10.10.40.30 when you run a dig to pfSense for the subdomain?

              If I set up a domain override for 'm.home.arpa' to a (non-existing) server 10.11.12.13, I do see connections to 10.11.12.13:53 in pfTop, with either dig m.home.arpa or dig tom.m.home.arpa.

              With local zone type set to 'static' that doesn't work for me (trial and error).

              Reading the unbound.conf man page it states for 'static':

              static  If there is a match from local data, the query is answered.
                      Otherwise, the query is answered with NODATA or NXDOMAIN.
                      For a negative answer a SOA is included in the answer if
                      present as local-data for the zone apex domain.
              

              Btw: what pfSense version are you using?

              • iggybuddy6 @patient0 (last edited by iggybuddy6)

                @patient0 thx for confirming that the domain override of a subdomain should work

                pfTop shows the DNS lookup originating from my IP 10.10.40.103 on the vnet interface 10.10.40.1.
                In DIR/SRC the WAN IP 192.168.21.85 is used when going to PowerDNS at 10.10.40.30, so I believe it does not know how to route back.

                pfTop: Up State 1-2/2 (2107), View: default, Order: bytes
                PR        DIR SRC                           DEST                                   STATE                AGE       EXP     PKTS    BYTES
                udp       In  10.10.40.103:54964            10.10.40.1:53                      SINGLE:MULTIPLE     00:00:13  00:00:17        2      196
                udp       In  10.10.40.103:51131            10.10.40.1:53                      SINGLE:MULTIPLE     00:00:12  00:00:18        2      150
                
                pfTop: Up State 1-1/1 (2220), View: default, Order: bytes
                PR        DIR SRC                           DEST                                   STATE                AGE       EXP     PKTS    BYTES
                udp       Out 192.168.21.85:55862           10.10.40.30:53                     SINGLE:NO_TRAFFIC   00:00:06  00:00:54        1       86
                

                cat /var/unbound/unbound.conf

                # Outgoing interfaces to be used
                outgoing-interface: 192.168.21.85
                

                Seems that Unbound is using the WAN IP as source address for all queries, to an upstream and to a forwarder.
                I have another forward-zone in my configs using quad9 where the WAN IP source address made sense so far.

                forward-zone:
                	name: "."
                	forward-tls-upstream: yes
                	forward-addr: 9.9.9.9@853#dns.quad9.net
                	forward-addr: 149.112.112.112@853#dns.quad9.net
                

                I did not set any specific option to mark the interface / do not know if that is coming by default from DNS Resolver. My internal DNS seems unable to route properly because of this.

                Edit:
                I have added the VLAN 40 as Network interface in Outgoing Network Interfaces of DNS Resolver and this made it work (had only WAN checked)

                Thanks again

                • patient0 @iggybuddy6 (last edited by patient0)

                  @iggybuddy6 said in DNS Domain override not working:

                  Edit: I was too slow :) ... you fixed it yourself, excellent.

                  Seems that Unbound is using the WAN IP as source address for all queries, to an upstream and to a forwarder.

                  What have you set as "Outgoing Network Interfaces" for the DNS Resolver?

                  If I use the default settings of "All" no outgoing-interface entry shows up in the config.

                  • iggybuddy6 @patient0

                    @patient0 thank you for pointing me to the right direction for troubleshooting

                    As a side note, it seems that I am able to keep System Domain Local Zone Type: static by marking the specific domain as transparent in the DNS Resolver Custom options via

                    server:
                    	local-zone: "m.internal.domain.com." transparent
                    

                    It seems to be working so far.

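An added diagnostic, not code from the thread, from pfSense or from Unbound: a small Python script that parses the unbound.conf fragments quoted above and flags the two misconfigurations the thread converges on, a forward-zone (domain override) sitting underneath a static local-zone for the system domain, and a forwarder on a directly attached network that has no outgoing-interface address on it. The configuration text is a constructed sample assembled from the quoted lines, and the /24 masks for WAN (192.168.21.85) and VLAN 40 (10.10.40.1) are assumptions, since the thread shows only the addresses.

```python
import ipaddress
import re

# Constructed sample (not a dump from the thread's box): the pfSense-written
# unbound.conf as quoted, with domainoverrides.conf pasted in for its include:
BROKEN_CONF = """\
server:
  local-zone: "internal.domain.com." static
  outgoing-interface: 192.168.21.85
forward-zone:
  name: "m.internal.domain.com"
  forward-addr: 10.10.40.30
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
"""
# After the thread's two fixes: VLAN 40 added to Outgoing Network Interfaces,
# and the overridden subdomain carved out as a transparent local-zone.
FIXED_CONF = BROKEN_CONF.replace(
    "  outgoing-interface: 192.168.21.85\n",
    "  outgoing-interface: 192.168.21.85\n  outgoing-interface: 10.10.40.1\n",
).replace(
    '  local-zone: "internal.domain.com." static\n',
    '  local-zone: "internal.domain.com." static\n'
    '  local-zone: "m.internal.domain.com." transparent\n',
)
# Assumed addressing: the thread shows only 192.168.21.85 (WAN) and
# 10.10.40.1 (VLAN 40); the /24 masks are an assumption.
INTERFACES = {
    "WAN": ipaddress.ip_interface("192.168.21.85/24"),
    "VLAN40": ipaddress.ip_interface("10.10.40.1/24"),
}
# local-zone types answered from local data only; they never fall through to
# forwarding, so a forward-zone beneath them is never consulted.
NON_FALLTHROUGH = {"static", "refuse", "deny", "always_refuse", "always_nxdomain"}


def _zone(name):
    """Unquoted, lower-case zone name without trailing dot ('' is the root)."""
    return name.strip().strip('"').lower().rstrip(".")


def parse_unbound(text):
    """Parse the unbound.conf subset pfSense writes into
    (outgoing-interface addrs, {zone: type}, [(zone, [forward addrs])]).
    Only whole-line comments are skipped: '#' inside forward-addr is the
    TLS authentication name, not a comment."""
    outgoing, local_zones, forward_zones, in_forward = [], {}, [], False
    for raw in text.splitlines():
        m = re.match(r"^([\w-]+):\s*(.*)$", raw.strip())
        if not m:  # blank line or '#' comment
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "forward-zone":
            in_forward = True
            forward_zones.append(["", []])
        elif key == "server":
            in_forward = False
        elif in_forward and key == "name":
            forward_zones[-1][0] = _zone(value)
        elif in_forward and key == "forward-addr":  # addr[@port][#authname]
            forward_zones[-1][1].append(ipaddress.ip_address(value.split("#")[0].split("@")[0]))
        elif key == "outgoing-interface":
            outgoing.append(ipaddress.ip_address(value))
        elif key == "local-zone":
            zone, _, ztype = value.partition(" ")
            local_zones[_zone(zone)] = ztype.strip()
    return outgoing, local_zones, [tuple(z) for z in forward_zones]


def check_forwarders(text, interfaces=INTERFACES):
    """Flag a forwarder on a directly attached network when no outgoing-interface
    address is on that network: unbound sources from its outgoing-interface list
    regardless of destination, so the query leaves with a foreign source address
    (the thread's WAN IP towards 10.10.40.30) and the reply goes astray."""
    outgoing, _, forward_zones = parse_unbound(text)
    findings = []
    for zone, addrs in forward_zones:
        for addr in addrs:
            attached = [n for n, i in interfaces.items() if addr in i.network]
            # Off-link forwarders (Quad9) go via the default route with whatever
            # source; no outgoing-interface lines means 'All' and unbound picks.
            if not attached or not outgoing:
                continue
            name, net = attached[0], interfaces[attached[0]]
            if not any(o in net.network for o in outgoing):
                findings.append(
                    f"forward-zone {zone or '.'}: {addr} is on {name} ({net.network}) "
                    f"but outgoing-interface lists only {', '.join(map(str, outgoing))}; "
                    f"add {name} ({net.ip}) to Outgoing Network Interfaces")
    return findings


def check_local_zones(text):
    """Flag a forward-zone sitting under a non-fallthrough local-zone: unbound
    checks local zones before forwarding, so a static system-domain zone answers
    NXDOMAIN/NODATA for every name beneath it, the overridden subdomain included,
    unless that subdomain is carved out as its own transparent local-zone."""
    _, local_zones, forward_zones = parse_unbound(text)
    findings = []
    for zone, _ in forward_zones:
        labels = zone.split(".") if zone else []
        suffixes = [".".join(labels[i:]) for i in range(len(labels))]
        match = next((s for s in suffixes if s in local_zones), None)  # longest suffix wins
        if match and local_zones[match] in NON_FALLTHROUGH:
            findings.append(
                f"forward-zone {zone}: shadowed by local-zone {match} ({local_zones[match]}); "
                f'add Custom option: local-zone: "{zone}." transparent')
    return findings
```

Running both checks over BROKEN_CONF reports one finding each (the WAN-only outgoing-interface towards 10.10.40.30, and m.internal.domain.com shadowed by the static internal.domain.com zone); over FIXED_CONF both return empty lists. To run it against a real box, paste the output of the unbound.conf dump with the include: resolved in place of BROKEN_CONF and set INTERFACES to the actual interface addresses and masks.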
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.