Netgate Discussion Forum

    Unbound + search domain

    DHCP and DNS
    6 Posts 2 Posters 5.2k Views

    • ladiko

      Seems like unbound is the new default for pfSense, so how do I set up unbound so that it resolves local hostnames by adding the local domain and forwards the request to a remote server?

      nslookup hostname 192.168.1.1 always gives me a "non-existent domain" error, even if I set the domain in System > General Setup > Domain and all clients get the domain via DHCP.

      nslookup hostname.mydomain.com 192.168.1.1 only works if I go to Services > DNS Resolver > Domain Overrides and set an override for my local domain to look up a remote server; otherwise I get the "non-existent domain" error.

      I guess the problem is that even if I log in to the pfSense machine via SSH and try it there, it doesn't resolve without the domain. So how do I set the search domain for unbound? Usually I would edit /etc/resolv.conf, but it seems strange to me to edit a system file for such a common option.

      • johnpoz LAYER 8 Global Moderator

        Your search domain would be set on your client..

        C:>nslookup storage
        Server:  pfSense.local.lan
        Address:  192.168.9.253

        Name:    storage.local.lan
        Address:  192.168.9.8

        So my client's domain is local.lan, so when I do an nslookup for just storage it adds the domain local.lan

        C:>ipconfig
        Windows IP Configuration
        Ethernet adapter Local:

        Connection-specific DNS Suffix  . : local.lan
          IPv4 Address. . . . . . . . . . . : 192.168.9.100
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . : 192.168.9.253

        If your domain in question is authoritative on some other server in your network, then yes, you would do a domain override in unbound to tell it where to go to look up your domain

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • ladiko

          Our domain is public and serves local addresses for some hostnames. Let's say our domain is galaxy.com: if I or you or anybody else looks up sun.galaxy.com, it would answer 192.168.1.5, while www.galaxy.com returns the IP of a rented root server.

          C:\>ipconfig
          
          Windows-IP-Konfiguration
          
          Ethernet-Adapter LAN-Verbindung:
          
             Verbindungsspezifisches DNS-Suffix: galaxy.com
             IPv4-Adresse  . . . . . . . . . . : 192.168.1.127
             Subnetzmaske  . . . . . . . . . . : 255.255.255.0
             Standardgateway . . . . . . . . . : 192.168.1.14
          
          C:\>nslookup sun
          Server:  firewall.galaxy.com
          Address:  192.168.1.1
          
          *** sun wurde von firewall.galaxy.com nicht gefunden: Non-existent domain.
          
          C:\>nslookup sun.galaxy.com
          Server:  firewall.galaxy.com
          Address:  192.168.1.1
          
          Nicht autorisierende Antwort:
          Name:    sun.galaxy.com
          Address:  192.168.1.2
          

          And if I didn't set Services > DNS Resolver > Domain Overrides for "galaxy.com" to use "8.8.8.8" (or any other public DNS server), it wouldn't even resolve the FQDN sun.galaxy.com

          It's just a guess, but does pfSense have a problem looking up/forwarding a domain to a remote server if it has been set as the local domain?

          • johnpoz LAYER 8 Global Moderator

            Serving up RFC1918 from a public domain is a BROKEN configuration, plain and simple..

            You're clearly going to run into rebinding protection problems doing that. And it's just a BAD idea all the way around..
            https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

            You need to serve up your RFC1918 space from local servers..

            • ladiko

              So it would be OK to enter them in the host override config of pfSense and remove them from the public DNS server? Would that work?

              • johnpoz LAYER 8 Global Moderator

                Yup, that would work for sure..
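What the last two replies describe, written out as an added unbound.conf fragment (this is not pfSense's generated config, which builds the equivalent from Services > DNS Resolver > Host Overrides; the galaxy.com names and addresses are the thread's example values):

```conf
server:
    # Rebinding protection: upstream answers that map a name to one of these
    # RFC1918 ranges are dropped. This is what bit the public galaxy.com zone
    # when it handed out 192.168.x.x for sun.galaxy.com.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # Host override: answer the internal name from unbound itself so the
    # private address never has to come from the public zone.
    # "transparent" means every other galaxy.com name (www.galaxy.com) is
    # still resolved normally through recursion or forwarding.
    local-zone: "galaxy.com." transparent
    local-data: "sun.galaxy.com. IN A 192.168.1.2"
    local-data-ptr: "192.168.1.2 sun.galaxy.com"
```

Validate the file with unbound-checkconf before reloading; the sun record can then be removed from the public zone, as the reply suggests, so the public DNS never exposes the internal address.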
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.