Netgate Discussion Forum

    Import host override list into forwarder

Category: DHCP and DNS
39 Posts 3 Posters 13.7k Views
doktornotor (Banned)

      @markn62:

      Anyone who has used PfSense for any time knows the unbound package uses the forwarder host overrides.

      Not any more on 2.2 since it is not a package in the first place there. Stop sticking the overrides to obsolete places that were not intended for this anyway. If you want overrides for unbound, then kindly use the already suggested proper method above, or simply install 2.2 and use the GUI.

johnpoz (LAYER 8 Global Moderator)

^ exactly.. What version are you on?  Are you still using 2.1.5?  With the unbound package?  2.2 integrated unbound as the resolver.

Do you want me to remote in and set it up for you?  I can not help you if you're trying to use unbound as a package and leverage the forwarder overrides, or how that used the forwarder stuff?  I never used the package other than some quick look at it.  But if you're on 2.2 the info I have given is valid and tested on my own system and works as I have described.

If you're using the unbound package, you should be able to put the entries as I have shown in a .conf file in the directory where unbound loads its .conf and have it load in whatever hosts you need.

        I can always fire up my 2.1.5 vm and install the package and validate that.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

doktornotor (Banned)

          The advanced config works the same with the 2.1.x package, except that you need trailing ; on each advanced config line, IIRC.

johnpoz (LAYER 8 Global Moderator)

Yup, and it's in a different tab under the package GUI page: Unbound Advanced DNS Settings. At the bottom there is a custom box.

            So I just validated this works, you don't need server: in the package.  Not sure the package loads .conf files like the 2.2 integration does.

            This is off 2.1.5 i386 vm.. Turned off forwarder, enabled unbound package.

[image: unboundpackage.png]

markn62

Ahhh, so while I've been testing DNS Forwarder advanced entries you all have been talking Unbound DNS Advanced Settings.  And not to add a ; after address=/host.domain/x.x.x.x but after each line, using syntax like so:

              local-data: "click01.aditic.net A 10.10.10.1";
              local-data: "click02.aditic.net A 10.10.10.2";

              No wonder that above gave an error in the DNS Forwarder.  I've already been using this area with entries:
forward-zone:;
name: ".";
              forward-addr: 8.8.8.8;
              forward-addr: 8.8.4.4;
              forward-addr: 4.2.2.1;

And yes I'm still running version 2.1.5.  If I knew 2.2 was stable, and how to upgrade to it differently than using the firmware update GUI page, I might be inclined to.  Not sure why I'm getting dogged for not using a beta version.  This is a production box I can't just fiddle with anytime I wish.

Thanks for clarifying this.  Figured we had to be miscommunicating because no suggestions seemed to work. I'll try Unbound DNS Advanced Settings - Custom Options entries later today, out of time this AM.

johnpoz (LAYER 8 Global Moderator)

Here is the thing: in your first post you stated forwarder, but then said there were unbound errors.  I asked for clarification right off the bat whether you were using the "forwarder" or unbound - with you saying unbound I also, maybe in error, assumed you were on 2.2, which is when unbound was integrated, since you made no mention of using the "package".

IMHO 2.2 is stable - there are 0 bugs left that I am aware of, and it has been RC for quite some time.  It could drop final any day I would think.  To upgrade to it all you have to do is grab a snap.  http://snapshots.pfsense.org/  There has not been an update since the 16th, which also points to final being any day now ;)  Normally snaps are produced like twice a day.

markn62

                  Well I had a response but got snagged by the login timeout and forgot to copy/paste my post before submitting.  So I'll just apologize for assumptions made and the long thread.

markn62

                    Entered

                    server:
                    local-data: "click01.aditic.net A 10.10.10.1"

                    into Unbound Dns Advanced Settings and works like a champ.  Helps when put in the proper GUI location.  ;)

                    Thanks again guys for your help and patience.

markn62

Well that's a peach.  After all this effort to get a local IP / hostname relationship established in Unbound it appears neither nTopNG nor Bandwidthd use Unbound to resolve the locals; both still show IPs.  I have nTopNG set to "Decode DNS responses and resolve all numeric IP's".  So at least nTopNG should be displaying hostnames.  I ping by hostname and it resolves.

markn62

                        Does anyone have private IP host overrides in Unbound to know if NtopNG and/or Bandwidthd, within PfSense ver 2.2, will DNS resolve the privates?

markn62

Interestingly, when I packet capture with the "reverse dns lookup" box checked, the result for private IPs is x.x.x.x.sae-urn, again numbers with an odd hostname.  So it doesn't look like pfSense is using host overrides in Unbound either.  Is this because Unbound is a package in pre ver 2.2?

johnpoz (LAYER 8 Global Moderator)

And what do you have pfSense set to use for resolving?  Does it look to itself, where you put the overrides in?

markn62

The General DNS server has a LAN IP entry with gateway set to none.  I'm using the Unbound resolver with network interfaces set to Localhost and LAN.  And in Unbound Advanced I have entries, example:
                              local-data: "host.domain A ip address"
                              local-data: "host.domain A ip address"

I expected that by also choosing localhost along with LAN, internal services could access the resolver via localhost; doesn't appear to.  The names are resolving in an outboard syslog server fine, just not internally.

johnpoz (LAYER 8 Global Moderator)

In General DNS you have the pfSense LAN IP?

So I don't have any setup in General DNS.  In DHCP servers I don't have anything listed - so it hands out the IP of the interface your DHCP server is running on to clients for DNS.

If on pfSense I just do a simple drill command it comes back with root hints and shows it's using localhost to resolve:

                                ;; Query time: 1 msec
                                ;; SERVER: 127.0.0.1
                                ;; WHEN: Fri Feb 20 15:12:48 2015

If I query using drill on the command line of pfSense for a local host name I have in overrides, it resolves just fine.

                                [2.2-RELEASE][root@pfSense.local.lan]/root: drill i5-w7.local.lan
                                ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50574
                                ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                                ;; QUESTION SECTION:
                                ;; i5-w7.local.lan.    IN      A

                                ;; ANSWER SECTION:
                                i5-w7.local.lan.        3600    IN      A      192.168.1.100

                                ;; AUTHORITY SECTION:

                                ;; ADDITIONAL SECTION:

                                ;; Query time: 1 msec
                                ;; SERVER: 127.0.0.1
                                ;; WHEN: Fri Feb 20 15:15:38 2015
                                ;; MSG SIZE  rcvd: 49

                                [2.2-RELEASE][root@pfSense.local.lan]/root: drill -x 192.168.1.100
                                ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 14132
                                ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                                ;; QUESTION SECTION:
                                ;; 100.1.168.192.in-addr.arpa.  IN      PTR

                                ;; ANSWER SECTION:
                                100.1.168.192.in-addr.arpa.    3600    IN      PTR    i5-w7.local.lan.

                                ;; AUTHORITY SECTION:

                                ;; ADDITIONAL SECTION:

                                ;; Query time: 0 msec
                                ;; SERVER: 127.0.0.1
                                ;; WHEN: Fri Feb 20 15:16:34 2015
                                ;; MSG SIZE  rcvd: 73

When you use the advanced section, I am not sure it creates the PTR?  If you put them in the override it's doing it, as you can see from the above test.  But you say it works from a machine that asks the pfSense resolver for the host or IP.  So seems to me it's just that pfSense is not looking to itself.

markn62

Yes, as I commented, I do have the LAN IP in General DNS. Is this no longer required now that Unbound is integrated from a package as the DNS resolver? I have a couple hundred entries so I prefer not to use the GUI override; it would be time consuming. I ran the drill command and it resolved from the LAN IP but would not reverse lookup when using localhost.  I have no DNS addy's in DHCP Server LAN.  With your setup can you resolve from a LAN client to the pfSense LAN IP?  I'm running an external syslog server on the LAN subnet and it resolves ok and is pointed to the LAN IP.

So the settings should be:
General DNS = no entry
DHCP Server DNS = no entry
DNS Resolver, Network Interfaces = localhost + LAN or just localhost?

[2.2-RELEASE][admin@pfsense.host]/root: drill Davidson.host
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 6902
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
                                  ;; Davidson.host.      IN      A

                                  ;; ANSWER SECTION:
                                  Davidson.host. 3600    IN      A      192.168.150.152

                                  ;; AUTHORITY SECTION:

                                  ;; ADDITIONAL SECTION:

                                  ;; Query time: 0 msec
                                  ;; SERVER: 192.168.2.1
                                  ;; WHEN: Fri Feb 20 14:17:26 2015
                                  ;; MSG SIZE  rcvd: 48
[2.2-RELEASE][admin@pfsense.host]/root: drill -x 192.168.150.152
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 56723
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
                                  ;; 152.150.168.192.in-addr.arpa.        IN      PTR

                                  ;; ANSWER SECTION:

                                  ;; AUTHORITY SECTION:
                                  168.192.in-addr.arpa.  10800  IN      SOA    localhost. nobody.invalid. 1 3600 1200 604800 10800

                                  ;; ADDITIONAL SECTION:

                                  ;; Query time: 0 msec
                                  ;; SERVER: 127.0.0.1
                                  ;; WHEN: Fri Feb 20 14:17:38 2015
                                  ;; MSG SIZE  rcvd: 105

markn62

I took the General DNS entry out and left all else the same.  The drill command is now reporting the server is 127.0.0.1.  Resolver is working fine. Still don't know why drill -x IpAddy doesn't produce a reverse lookup, no answer.  Btw, how can you get DHCP static IPs into the DNS Resolver?  Do they have to be duplicated in the resolver's advanced settings?

johnpoz (LAYER 8 Global Moderator)

Yes, you need your resolver to listen on both your LAN and localhost - if you want people on the LAN to be able to query it.

So this record davidson.host - is it in the forwarders section or advanced?

So I put the record in the advanced section and:

                                      [2.2-RELEASE][root@pfSense.local.lan]/root: drill testadv.lan
                                      ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 16194
                                      ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                                      ;; QUESTION SECTION:
                                      ;; testadv.lan. IN      A

                                      ;; ANSWER SECTION:
                                      testadv.lan.    10800  IN      A      1.2.3.4

                                      ;; AUTHORITY SECTION:

                                      ;; ADDITIONAL SECTION:

                                      ;; Query time: 1 msec
                                      ;; SERVER: 127.0.0.1
                                      ;; WHEN: Sat Feb 21 05:36:25 2015
                                      ;; MSG SIZE  rcvd: 45

                                      [2.2-RELEASE][root@pfSense.local.lan]/root: drill -x 1.2.3.4
                                      ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 42347
                                      ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                                      ;; QUESTION SECTION:
                                      ;; 4.3.2.1.in-addr.arpa.        IN      PTR

                                      ;; ANSWER SECTION:

                                      ;; AUTHORITY SECTION:
                                      1.in-addr.arpa. 172797  IN      SOA    ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 5114 7200 1800 604800 172800

                                      ;; ADDITIONAL SECTION:

                                      ;; Query time: 1 msec
                                      ;; SERVER: 127.0.0.1
                                      ;; WHEN: Sat Feb 21 05:37:10 2015
                                      ;; MSG SIZE  rcvd: 127

                                      If I put it in forwarders..

                                      [2.2-RELEASE][root@pfSense.local.lan]/root: drill -x 1.2.3.4
                                      ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61473
                                      ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                                      ;; QUESTION SECTION:
                                      ;; 4.3.2.1.in-addr.arpa.        IN      PTR

                                      ;; ANSWER SECTION:
                                      4.3.2.1.in-addr.arpa.  3600    IN      PTR    testadv.lan.

                                      ;; AUTHORITY SECTION:

                                      ;; ADDITIONAL SECTION:

                                      ;; Query time: 0 msec
                                      ;; SERVER: 127.0.0.1
                                      ;; WHEN: Sat Feb 21 05:38:21 2015
                                      ;; MSG SIZE  rcvd: 63
                                      [2.2-RELEASE][root@pfSense.local.lan]/root:

If you're going to use advanced, and you want PTR, then you will have to put them in - they are not auto created like when using the actual override GUI section.

As to statics – they are in automatically if you check to put them in there..  Do you have a NAME on them?  See, they don't even have to be fully qualified.

[images: static.png, PTR.png]


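Since the thread ends up with two practical rules for the Custom Options box (the 2.1.x package wanted a trailing `;` on every line while the 2.2 entry that worked started with `server:`, and entries put in the advanced section do not get a PTR created for them), a small generator that emits both the forward and reverse records from a host list is the natural way to import a couple hundred hosts without hand-typing them twice. The script below is an added example, not code from the thread or from pfSense; the input format (one `hostname address` pair per line, `#` comments), the function names and the sample hosts are assumptions, and the `;`/`server:` handling simply follows what the posts above reported as working.

```python
"""Generate unbound Custom Options from a host list (added example).

Assumptions, not from the thread: the input format ("hostname address" per
line, '#' comments), the function names, and the sample hosts below.
"""
import ipaddress
import re

# Constructed sample input: a few entries in the shape the thread discusses,
# plus two deliberately bad lines to show the validation.
SAMPLE_HOSTS = """\
# hostname              address
click01.aditic.net      10.10.10.1
click02.aditic.net      10.10.10.2
i5-w7.local.lan         192.168.1.100
bad_host.example        10.0.0.5      # underscore is not a valid hostname label
broken.example          10.0.0.999    # not an IP address
"""

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, total length at most 253.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def parse_host_list(text):
    """Parse 'hostname address' lines; return (records, errors).

    records is a list of (fqdn, ip_address) tuples, errors a list of strings.
    A bad line is reported and skipped rather than emitted, because one
    malformed local-data line makes unbound reject the whole config.
    """
    records, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected 'hostname address'")
            continue
        name, addr = parts[0].rstrip(".").lower(), parts[1]
        if not HOSTNAME_RE.match(name):
            errors.append(f"line {lineno}: invalid hostname {name!r}")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            errors.append(f"line {lineno}: invalid address {addr!r}")
            continue
        if name in seen:
            errors.append(f"line {lineno}: duplicate hostname {name!r}")
            continue
        seen.add(name)
        records.append((name, ip))
    return records, errors


def render_unbound(records, package_style=False, with_ptr=True):
    """Render config lines for the Custom Options box.

    package_style=True mimics the 2.1.x unbound package, which (per the thread)
    wanted a trailing ';' on each line and no 'server:' clause.  The default
    follows the 2.2 entry that worked in the thread: a 'server:' header, no ';'.
    with_ptr=True also emits local-data-ptr lines, since advanced-section
    entries do not get reverse records created for them automatically.
    """
    term = ";" if package_style else ""
    lines = [] if package_style else ["server:"]
    for name, ip in records:
        rtype = "A" if ip.version == 4 else "AAAA"
        lines.append(f'local-data: "{name}. {rtype} {ip}"{term}')
        if with_ptr:
            # unbound's shorthand for a PTR record: "address name"
            lines.append(f'local-data-ptr: "{ip} {name}."{term}')
    return lines


if __name__ == "__main__":
    recs, errs = parse_host_list(SAMPLE_HOSTS)
    for e in errs:
        print("skipped:", e)
    print("\n".join(render_unbound(recs)))
```

Paste the printed block into the Custom Options box; drill the name and then `drill -x` the address, as in the posts above, to confirm both directions resolve from 127.0.0.1. Validating each line first matters because the resolver treats the box as part of its own config, so a single bad entry takes the whole service down rather than just that one host.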
markn62

                                        @johnpoz:

                                        So this record davidson.host - is it in the forwarders section or advanced?

                                        Record davidson.host is in the advanced section.  I don't use the forwarder.

                                        @johnpoz:

                                        As to statics – they are in automatically if you check to put them in there..  Do you have a NAME on them?  See they don't even have to be fully qualified

                                        Check what to put them in? I've entered a hostname in each DHCP Static Mapping entry but no domain name.  However, they don't resolve.

                                        I really appreciate all your help on this John.  Got nearly everything DNS related working well.

johnpoz (LAYER 8 Global Moderator)

My bad, not the forwarders section.. The host overrides section..

markn62

Guess I'll just duplicate each DHCP Static Mapping entry into the resolver's advanced section if there is no setting to populate the resolver with them automatically. Thanks again.
