Wildcard DNS entries
-
If you need a wildcard in your DNS forwarder (*.domain.com)
1. Log in to pfSense 2.0 instance via the web interface.
2. Go to Services -> DNS Forwarder (http://pfSense_url/services_dnsmasq.php)
3. Click the Advanced button. Add as many of the following as you need, each entry on a new line:
address=/dev/127.0.0.1
Where dev is the end of the wildcard entry, and 127.0.0.1 is the IP that these wildcard names will resolve to. Think of dev as *.dev, but only list the part after the dot. So myhost.dev, myhost.subdomain.dev, and anything else that ends in .dev and is not defined elsewhere, will resolve to the IP provided.
So if you need *.com then the corresponding line will look like
address=/com/127.0.0.1
Credit: http://serverfault.com/questions/321563/how-can-i-setup-a-wilcard-dns-entry-on-pfsense
Thank you Scott
-
Howto for DNS Resolver (Unbound):
1. Go to Services -> DNS Resolver
2. Add the desired wildcard entries to the Advanced box:
server:
local-zone: "example.com" redirect
local-data: "example.com 3600 IN A 192.0.2.1"
Documentation: unbound.conf(5)
redirect: The query is answered from the local data for the zone name. There may be no local data beneath the zone name. This answers queries for the zone, and all subdomains of the zone with the local data for the zone. It can be used to redirect a domain to return a different address record to the end user, with local-zone: "example.com." redirect and local-data: "example.com. A 127.0.0.1" queries for www.example.com and www.foo.example.com are redirected, so that users with web browsers cannot access sites with suffix example.com.
-
This is in the wiki as well.
https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder/Resolver
-
I can't get it to work
-
Seems that if you try the above for pfSense 2.2.4 with an unbound resolver, you will get a duplicate zone error…
unbound: [42597:0] warning: duplicate local-zone
unbound: [42597:0] error: could not enter zone mydomain.ddns.net transparent
unbound: [42597:0] fatal error: Could not set up local zones
If I just use the last line (suggested by the wiki), it starts successfully. From an external IP dig doesn't seem to like it and the wildcard still doesn't work…
[user@localhost /]$ dig @mydomain.ddns.net ubuntu64.mydomain.ddns.net

; <<>> DiG 9.10.2-P4-RedHat-9.10.2-5.P4.fc22 <<>> @mydomain.ddns.net ubuntu64.mydomain.ddns.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24562
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 157 msec
;; SERVER: 73.239.107.170#53(73.239.107.170)
;; WHEN: Wed Oct 14 15:01:32 PDT 2015
;; MSG SIZE  rcvd: 12

[user@localhost /]$
FYI - I have opened TCP/UDP 53 in the firewall
-
This is in the wiki as well.
https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder/Resolver

Yes - and that page also misses a big gotcha.
As someone coming from dnsmasq / "forwarder" I had multiple host overrides too.
Unbound / resolver refuses to start if you set up a wildcard subdomain AND have host overrides that match. So you need to delete all the host overrides that use the same subdomain.
If you want to override a host in your domain override with unbound, best to do it on the resolver at which you are pointing.
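As an added illustration (not code from this thread, pfSense or unbound), here is a small Python model of the two behaviours discussed above: the fatal "duplicate local-zone" that unbound reports when a host override's zone and a hand-added wildcard zone collide, and the redirect rule quoted from unbound.conf(5). The configuration text is constructed; the transparent local-zone line is a hypothetical stand-in for what pfSense emits for a host override.

```python
import re

# Constructed sample: the Advanced-box entries from the thread plus a
# hypothetical transparent zone such as pfSense generates for a host
# override, followed by a wildcard zone for the same name (the conflict).
SAMPLE_CONFIG = """
server:
local-zone: "example.com" redirect
local-data: "example.com 3600 IN A 192.0.2.1"
local-zone: "mydomain.ddns.net" transparent
local-data: "nas.mydomain.ddns.net 3600 IN A 192.0.2.10"
local-zone: "mydomain.ddns.net" redirect
"""

ZONE_RE = re.compile(r'^local-zone:\s*"([^"]+)"\s+(\w+)')
DATA_RE = re.compile(r'^local-data:\s*"([^"\s]+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+([\d.]+)"')

def norm(name):
    """Case-fold and drop the trailing dot so "example.com." == "example.com"."""
    return name.lower().rstrip(".")

def parse(text):
    """Return (zones, data, duplicates): zones maps name -> type, data maps
    name -> IPv4 string, duplicates lists zone names declared twice (the
    condition that makes unbound refuse to start in the thread)."""
    zones, data, dups = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := ZONE_RE.match(line):
            name = norm(m.group(1))
            if name in zones:
                dups.append(name)
            zones[name] = m.group(2)
        elif m := DATA_RE.match(line):
            data[norm(m.group(1))] = m.group(2)
    return zones, data, dups

def resolve(qname, zones, data):
    """Model the redirect rule from unbound.conf(5): an exact local-data
    match answers; otherwise walk up the labels to the closest enclosing
    zone, and if it is a redirect zone answer with the zone apex's own
    local-data. Returns the A record string, or None (go upstream)."""
    qname = norm(qname)
    if qname in data:
        return data[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        apex = ".".join(labels[i:])
        if apex in zones:
            return data.get(apex) if zones[apex] == "redirect" else None
    return None
```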