DNS Resolver and Domain Overrides
-
I used to use DNS Forwarder and I had several "Domain Overrides"; now with the DNS Resolver the "Domain Overrides" are not working. In my country we have several sites blocked, but only in the DNS, so I use the "Domain Overrides" to bypass this. Can anyone confirm problems with DNS Resolver and Domain Overrides?
Thank You
-
-
Ok, I had to google "PEBKAC" to understand what you were telling me :). I admit that the problem may be between keyboard and chair, but I can't seem to understand what! In the DNS Forwarder all was working OK, and as far as I can see all is set the proper way.
-
Did you read this thread?
https://forum.pfsense.org/index.php?topic=89159.0
-
Specifically what config are you attempting?
-
And you need to add the domain overrides on the DNS Resolver webGUI page; it does not use the ones previously defined in the DNS Forwarder. I guess you did that?
-
Hello, yes I did. I had all working in DNS Forwarder; the problem started when I switched to DNS Resolver. Here are my steps:
- Deleted all entries from DNS Forwarder and turned off DNS Forwarder.
- Enabled DNS Resolver
Settings on the Resolver
- Enable DNSSEC Support
- Enable Forwarding Mode
- Enable Register DHCP leases in the DNS Resolver
- Disabled Register DHCP static mappings in the DNS Resolver
- Disabled "If this option is set, then any descriptions associated with Host entries and DHCP Static mappings will create a corresponding TXT record."
Domain Overrides:
- Domain: thepiratebay.se
- IP: 199.27.135.8
Advanced settings on default.
On General Setup I have my DNS servers, and DNS Forwarder (127.0.0.1) is on.
When I make a request to "thepiratebay.se" no page is displayed, and if I do a test on "DNS Lookup" I get random results. Sometimes I get a very long time on 127.0.0.1 (5499 msec for example), sometimes an error, and sometimes it retrieves an IP, but not what I set on the "Domain Overrides".
I have some "Host Overrides" and they are working.
If I set the domain and IP in the hosts file on Windows it works. But I want it on the firewall so that it works on all my devices.
-
I am not sure what the issue is - I can resolve www.thepiratebay.se from here. Maybe there is some issue with DNSSEC, I am not sure if that option forces "DNSSEC or nothing". While waiting for suggestions from more knowledgeable folk you could try with DNSSEC Support disabled.
-
My country is blocking piratebay via DNS. When I request thepiratebay.se the DNS kicks me to another IP. I could use other DNS servers, but these are a lot faster at resolving national IPs than, for example, Google. So I set the DNS Override so that the request stops at the DNS Resolver. But from what I can tell it seems that the DNS Resolver is ignoring my DNS Override.
-
A Domain Override makes the DNS Resolver send requests for resolution of names in that domain to the specified IP. So it does not "stop at the DNS Resolver". When a client asks for "www.thepiratebay.se" then DNS Resolver is going to send the name resolution request to 199.27.135.8 for resolution. If 199.27.135.8 IP address is blocked somewhere then it will not be able to answer the resolver query.
If that is the problem, then I do not see how it worked with DNS Forwarder. Host Overrides stop at the DNS Resolver and give a local answer straight away. But you have to put an entry for every name you want to use.
-
The IP 199.27.135.8 is not blocked. The only thing that is blocked is when I ask my internet provider's DNS for the IP of thepiratebay.se: it returns me another IP that points to a page displaying a message informing that the website is blocked.
So I set thepiratebay.se in the DNS Override with the correct IP, but the override is not working. It keeps bypassing the Override and sending the requests to the "General Setup" DNS. This was working with no problems in the "DNS Forwarder" and stopped working when I made the switch to "DNS Resolver". It works locally when I set the DNS in the hosts file of Windows.
I tried turning off "DNSSEC Support" but with no success.
-
With "Unbound", you should not use "Forwarding Mode". The whole purpose of using Unbound is so that it resolves using the Root DNS servers and not use the DNS servers of your ISP or Google DNS for example.
You could also skip DNS resolution and type the IP address in the browser.
-
Typing the IP in the browser bar would work, but not for this specific website. thepiratebay is hosted on Cloudflare, which uses the same IP for several websites. It needs the correct host name to know which site we are requesting.
So from what you say, it's back to DNS Forwarder. What I want in the end is: use local DNS and if it fails, send the request on. That was the result of "DNS Forwarder".
-
The Domain Overrides should end up in /var/unbound/domainoverrides.conf
Have a look in there and check that it has reasonable content.
After that, in DNS Resolver, Advanced Settings, you can set the "Log level verbosity". Then do "nslookup" from a client and see what comes in the DNS Resolver log. It might give some hints about why the resolver request is not being sent to where you expect.
So far I have only used Domain Overrides for internal domains, pointing to internal authoritative DNS servers, so I can't confirm if there is an issue with domain overrides to public DNS servers.
-
Domain Overrides:
- Domain: thepiratebay.se
- IP: 199.27.135.8
I believe the entry should be in Host Overrides. 199.27.135.8 is your target IP. Domain Overrides specify the IP of a DNS server.
-
/var/unbound/domainoverrides.conf

    stub-zone:
        name: "thepiratebay.se"
        stub-addr: 199.27.135.8
        stub-prime: no
-
Yes, here are some nslookup results:

    Non-authoritative answer:
    Name:      thepiratebay.se
    Addresses: 2400:cb00:2048:1::c71b:8708
               2400:cb00:2048:1::c71b:8608
               199.27.134.8
               199.27.135.8

    Non-authoritative answer:
    Name:      www.thepiratebay.se
    Addresses: 2400:cb00:2048:1::c71b:8608
               2400:cb00:2048:1::c71b:8708
               199.27.134.8
               199.27.135.8

But maybe the DNS server for thepiratebay.se is at 199.27.135.8 as well as the web site itself.
-
If it is, then it is down at the moment:

    > nslookup
    > server 199.27.134.8
    Default server: 199.27.134.8
    Address: 199.27.134.8#53
    > thepiratebay.se
    ;; connection timed out; no servers could be reached
-
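Added example, not something any poster in this thread ran: a small POSIX sh script that automates the check made above (pull each stub-zone out of /var/unbound/domainoverrides.conf and ask its stub-addr for the zone's SOA with a short timeout). It assumes BIND's dig is on the PATH (on pfSense that means installing bind-tools, or rewriting the output matching for drill from ldns, which the FreeBSD base ships instead); the config parsing accepts both the one-line layout pasted above and the usual one-directive-per-line layout, and the domainoverrides.conf path is only a default, taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that every stub-zone pfSense wrote
# for a Domain Override points at an address that actually answers DNS for
# that zone.  Usage: sh check_stubs.sh /var/unbound/domainoverrides.conf
# Assumes BIND's dig is installed; the path above is the one named in the thread.

# Print "zone addr" pairs, one per line, for every stub-addr in the file.
# Handles both the one-line layout seen in the thread and the usual
# one-directive-per-line layout; a stub-zone with several stub-addr lines
# yields one pair per address.  (Unbound's "ip@port" form is not split.)
stub_pairs() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "stub-zone:")      { name = ""; addr = "" }
                else if ($i == "name:")      { name = $(i + 1); gsub(/"/, "", name) }
                else if ($i == "stub-addr:") { addr = $(i + 1) }
                if (name != "" && addr != "") { print name, addr; addr = "" }
            }
        }' "$1"
}

# Ask addr for the SOA of zone: 2 s timeout, single try.  A usable stub is
# authoritative for the zone, so the reply must carry the aa flag.  A web
# server IP (the thread's 199.27.135.8) simply never answers on port 53.
probe_stub() {
    zone="$1"; addr="$2"
    out=$(dig +time=2 +tries=1 +noall +comments +answer "@$addr" "$zone" SOA 2>&1)
    case "$out" in
        *"flags: qr aa"*)
            echo "OK    $zone -> $addr answers authoritatively" ;;
        *"status: "*)
            echo "WARN  $zone -> $addr answers, but not authoritatively (aa flag missing)" ;;
        *)
            echo "FAIL  $zone -> $addr does not answer DNS (not a name server, or blocked)" ;;
    esac
}

# Only probe when a file is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    stub_pairs "$1" | while read -r zone addr; do
        probe_stub "$zone" "$addr"
    done
fi
```

A FAIL line for a Domain Override is exactly the situation in this thread: the stub-addr is a web server, so Unbound has nowhere to send the query and the client sees the long timeouts reported earlier. A WARN line (answers, but without aa) usually means a recursive resolver was entered where an authoritative server was expected; Unbound will still use it, but that is a forward-zone configuration, not a stub.
-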
/var/unbound/domainoverrides.conf

    stub-zone:
        name: "thepiratebay.se"
        stub-addr: 199.27.135.8
        stub-prime: no

That's correct if 199.27.135.8 actually answered DNS queries. It doesn't. If it ever responded with that config, it was at a time when that IP actually resolved DNS, and it doesn't now. Nothing to do with DNS Resolver or Forwarder; that's just not a valid config.
-
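Added example, not part of any post above and not the file pfSense generates: the two Unbound forms discussed in the thread side by side, in plain Unbound syntax (pfSense writes the same directives into /var/unbound/domainoverrides.conf and a host-entries file, but the exact layout of its generated files is not shown here and is an assumption). The addresses are the ones from the nslookup output earlier in the thread.

```conf
# Domain Override -> stub-zone.  Unbound FORWARDS every query for names under
# thepiratebay.se to stub-addr, so that address must be a DNS server that is
# authoritative for the zone.  A web server IP here just times out, which is
# what happened in this thread.
stub-zone:
    name: "thepiratebay.se"
    stub-addr: 199.27.135.8
    stub-prime: no

# Host Override -> local-data.  Unbound answers these names itself and never
# asks an upstream server, so the ISP resolver's redirect never comes into
# play.  One local-data line per name and record type; with "transparent",
# names under the domain that have no local-data are still resolved upstream
# (and can still be redirected there).
local-zone: "thepiratebay.se" transparent
local-data: "thepiratebay.se A 199.27.135.8"
local-data: "www.thepiratebay.se A 199.27.135.8"
local-data: "thepiratebay.se AAAA 2400:cb00:2048:1::c71b:8708"
local-data: "www.thepiratebay.se AAAA 2400:cb00:2048:1::c71b:8608"
```

Two practical notes. First, local-data answers come from Unbound's own configuration, so they are served without DNSSEC validation regardless of the "DNSSEC Support" setting; turning DNSSEC off, as was tried above, does not change how either override behaves. Second, since a Host Override is a per-name answer, it cannot reproduce the "fall through to upstream if not found" behaviour the poster wanted from a Domain Override; it is a static answer for exactly the names listed.
-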
Hello all, the problem is solved. I changed the rule from Domain Overrides to Host Overrides and all started working again. I don't know what is wrong with Domain Overrides, but now it's working.
Thank You for all your help
Best Regards