Netgate Discussion Forum

    Prevent External DNS Resolver Queries for Local Domain

    DHCP and DNS
    11 Posts 3 Posters 3.6k Views
      doktornotor Banned

      What exactly are you sticking in the Advanced Settings? Should be

      
      local-zone: "home" static
      
      
        NOYB

        @doktornotor:

        What exactly are you sticking in the Advanced Settings? Should be

        
        local-zone: "home" static
        
        

        Same as you indicated except without the quotes and including the trailing dot.

        
        local-zone: home. static
        
        

        It works with the pfSense domain name set as "localdomain".
        But not with pfSense domain name set as "home".

        DHCP is configured to provide all the clients with the domain name "home", so I thought it would be nice to have pfSense using the same domain name: "home" instead of "localdomain".

          doktornotor Banned

          So enter what I have written above without any trailing dots. There's definitely no such thing there by default.

            NOYB

            @doktornotor:

            So enter what I have written above without any trailing dots. There's definitely no such thing there by default.

            Same thing. If the pfSense domain name is set to home, the local-zone: "home" static entry breaks DNS.
            But removing it so that DNS functions then results in external queries for badhostname.home.

            Have tried all 4 permutations of with and without the quotes and trailing dot.

            If the pfSense domain is set as a local-zone it just breaks DNS.

              doktornotor Banned

              The long term hint: Stop this BS. Get a proper domain. Use it. Use a subdomain (like, internal.example.com) for internal use. Stop inventing nonsense like single-label domains. Chances are high you're gonna hit something that's already in use!

              Other than that, the domain set up via the GUI in System -> General Setup is configured as transparent (see /etc/inc/unbound.inc and /var/unbound/host_entries.conf). Trying to override it somewhere later probably won't exactly fly.

              Not sure what's "just breaks DNS" here, if you mean that unbound is no longer running after you add something to advanced options, then kindly prefix any stuff there with server: line.

              
              server:
                <blah custom config>
                <blah more custom config>
                <blah even more config>
              

              (unless it's actually something that belongs to different clause than server; RTFM…)

                johnpoz LAYER 8 Global Moderator

                I don't understand the fascination with single label domains..  And trying to use home as single label yeah BAD IDEA..  This is open to being a possible public tld

                http://icannwiki.com/.home

                There is risk with it since is a common private tld, but why don't you just setup a normal domain like dok explained with say something.home if you want..  I personally use local.lan as mine

                So if I can reword your question for you: by default the domain you're using for pfSense (in my case local.lan) is set up in unbound.conf by pfSense as transparent. This will send the query on if you don't have a record for it in your local data. So I think your actual question is how to change this from transparent to static, or whatever other option like deny etc. that someone might want to set for their local domain in pfSense.

                As you have noticed and dok clearly states trying to change what is already in the conf with something else is going to cause a problem.

                Example in /var/unbound/host_entries.conf

                I have
                [2.2.3-RELEASE][root@pfSense.local.lan]/root: cat /var/unbound/host_entries.conf
                local-zone: "local.lan" transparent

                So if I try to put
                local-zone: "local.lan" static

                in the advanced custom section of unbound in the gui, that is going to error…

                I am not aware of a way to change this in the GUI, but if you want to edit unbound.inc you can change the function that sets that:

                function unbound_add_host_entries() {
                        global $config, $g;

                        // pfSense-managed entry for the system domain; the zone type is the last word
                        $unbound_entries = "local-zone: \"{$config['system']['domain']}\" transparent\n";

                So for example I did a quick test and changed that to static

                so if I look in
                [2.2.3-RELEASE][root@pfSense.local.lan]/etc/inc: cat /var/unbound/host_entries.conf
                local-zone: "local.lan" static

                And I do a query for somethingdoesntexisit.local.lan I get NX back

                C:>dig notthere.local.lan

                ; <<>> DiG 9.10.2-P1 <<>> notthere.local.lan
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53318
                ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;notthere.local.lan.            IN      A

                ;; Query time: 1 msec
                ;; SERVER: 192.168.9.253#53(192.168.9.253)
                ;; WHEN: Wed Jul 08 07:22:20 Central Daylight Time 2015
                ;; MSG SIZE  rcvd: 47

                Is this what you're trying to accomplish?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

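As an added example (not code from the thread, from pfSense or from unbound), a small POSIX shell check that reads a dig response the way johnpoz reads the one above: unbound sets the aa flag on answers it serves from a local-zone, so an NXDOMAIN carrying aa means the static zone stopped the query on the box, while an NXDOMAIN without aa means the name was sent on to the root servers, which is exactly the leak the thread is trying to prevent. The two sample responses, the script name dns_answer_check.sh and the function names are constructed; the resolver address in the usage comment is the one from the transcript.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or unbound: classify a dig
# response to tell whether the resolver answered from its own local-zone
# (unbound sets the "aa" flag on local-zone / local-data answers) or fetched
# the answer upstream. Sample responses below are constructed, modelled on the
# transcript in the thread.

# Read dig output on stdin and print <origin>-<rcode>, e.g. local-nxdomain,
# upstream-nxdomain, local-noerror; prints "unknown" if no header was found.
classify_dig_answer() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  [ -n "$status" ] || { echo unknown; return 0; }
  case " $flags " in
    *" aa "*) origin=local ;;      # authoritative answer: served from a local-zone
    *)        origin=upstream ;;   # recursive or cached answer: the query left the box
  esac
  echo "$origin-$(printf '%s' "$status" | tr 'A-Z' 'a-z')"
}

# Exit 0 when the response came from the resolver's own zone, 1 otherwise.
answered_locally() {
  case "$(classify_dig_answer)" in
    local-*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Constructed sample: what a static local.lan zone returns for a name that
# does not exist (aa flag set, answered in 1 msec, no upstream involved).
sample_local_nxdomain() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53318
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 1 msec
EOF
}

# Constructed sample: a transparent zone passed the name on to the root
# servers, which answered NXDOMAIN; no aa flag because the recursor relayed it.
sample_upstream_nxdomain() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; Query time: 93 msec
EOF
}

# Usage against a live resolver (address from the thread):
#   dig notthere.local.lan @192.168.9.253 | sh dns_answer_check.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
  classify_dig_answer
fi
```

The same check applies when pfSense runs unbound in forwarding mode: answers relayed from the configured forwarders never carry aa either, so "NXDOMAIN without aa" still means the name was looked up off the box.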
                  NOYB

                  That is what was needed.  Thanks.

                  Now if I could prevent non-existent host-name-only queries from going external too. (e.g. NonExistentHostName and NonExistentHostName.)

                    johnpoz LAYER 8 Global Moderator

                    with no tld?  What would be generating those queries?

                    let me do a simple test on my system, yup seems that gets sent to root and you get bx nx, hmmm let me look into that.  But what would be generating those sorts of queries?

                    Off the top, you could NOT use
                    local-zone: "." static

                    since that would block everything, because you just said root was local and if you don't have a record for it, don't look for it.


                      NOYB

                      I know that in DNS Forwarder there was an option not to forward single level queries.  But haven't found anything for that in DNS Resolver.

                        johnpoz LAYER 8 Global Moderator

                        my question is what is generating host only queries?


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.