    Unbound: Host Override ignoring "domain" portion for unqualified queries?

    Scheduled Pinned Locked Moved DHCP and DNS
    15 Posts 3 Posters 4.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
johnpoz (LAYER 8 Global Moderator):

What would be the FQDN of your pve01 box… Why would you ever have just a host name to find something? You should always use the FQDN. So ok, you have a local server called pve01.something.tld and then your override of pve01.foobar.xyz, so you should be fine.

But I agree with you, it could be problematic. I agree with you that all queries should always be fully qualified. If you have a record for host.domain.tld, a query for host. should not return that record.

Have to look into Redmine and see if anyone has opened a ticket about this. But either way the workaround I posted works.

As to your search suffix being a single label: not a fan of that, to be honest, but sure, if that is what you want. I personally think it's a bad habit and practice.

I stated it was most likely WAD because there have been previous posts where users specifically desired the host name to respond. But I don't understand the use case of that either, other than lazy users not wanting to type out the fully qualified name or make proper use of search suffixes when and where they work, etc.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

luckman212 (LAYER 8):

        @johnpoz:

        what would be the fqdn of your pve01 box…

        pve01.baz in this case

        @johnpoz:

        Why would you ever have just a host name to find something?  You should always use fqdn.

I agree, but there are some cases where this can't be controlled (someone else's software), or other reasons why you might want it (maybe you want to make a bookmark for http://pve01 that works from 2 different search domains, home & work…).

        @johnpoz:

        So ok you have server local called pve01.something.tld and then your override of pve01.foobar.xyz so you should be fine.

Yes, as long as the full FQDN is used, the correct values are returned.

        @johnpoz:

        Have to look into redmine and see if anyone has opened a ticket about this.  But either way the work around I posted works.

Thank you. Actually, I did stumble onto that same workaround; I was just posting here so that I could get feedback.

        @johnpoz:

        as to your search suffix being single label - not a fan of that to be honest, but sure if that is what you want..  I personally think its bad habit and practice.

Agree w/ you 100%. Actually, these examples are not my real info; the real suffix is more like foo.bar, but for the example it didn't matter.

cmb:

Prior to 2.3.2, the non-fully-qualified hostname was put in the hosts file and in Unbound's config without any consideration for the domain. So if you had abc.example.com and abc.example.net pointing to two different IPs, doing a lookup on just "abc" would result in a round-robin reply with both IPs.

          In 2.3.2+, the non-FQDN hostnames are excluded entirely from hosts (for the host itself and dnsmasq) and Unbound's config, so that won't happen.

luckman212 (LAYER 8):

Ah, ok. I'll test w/ the 2.3.2 snapshot.

Thanks cmb ;)

johnpoz (LAYER 8 Global Moderator):

So it was WAD then ;) Glad to see it being changed. Looks like some good stuff coming in 2.3.2. Might have to move to it early as well ;)

luckman212 (LAYER 8):

                @cmb:

                In 2.3.2+, the non-FQDN hostnames are excluded entirely from hosts (for the host itself and dnsmasq) and Unbound's config, so that won't happen.

                I upgraded to 2.3.2.a.20160714.1554, deleted my Host Override and then re-added it.  But I'm still seeing the same result as before.  When I query for the unqualified host (pve01) I get back both IPs from Unbound. Do I need to change some other settings somewhere to see the new behavior?

johnpoz (LAYER 8 Global Moderator):

Check your hosts file; my guess is it left those in there since you did an upgrade.

luckman212 (LAYER 8):

I checked /etc/hosts and I see that there are in fact 2 entries for the "pve01" unqualified hostname:

    1.2.3.4          pve01.foobar.xyz pve01
    192.168.20.31    pve01.baz pve01

Like I said, I deleted the Host Override, confirmed that it was completely gone from /etc/hosts and then re-added it. But again it puts back the line:

    1.2.3.4          pve01.foobar.xyz pve01

                    Maybe I'm not on the right snapshot??

cmb:
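An added example, not code from this thread or from pfSense, that checks a hosts file for the duplicate unqualified alias luckman212 found above and renders host overrides both ways cmb described (pre-2.3.2 with the bare host name appended, and FQDN-only). The sample hosts lines are constructed from the two quoted in the thread; the function and parameter names are this example's own.

```python
"""Check an /etc/hosts-style file for the ambiguity described in this thread:
a single-label (unqualified) alias such as "pve01" listed on more than one
address line, so a lookup of the bare name round-robins between unrelated
hosts.  Also renders host overrides the FQDN-only way (the fix cmb pushed
to 2.4) next to the older way that appended the bare host name."""
from collections import defaultdict

# Constructed sample, modelled on the two lines quoted in the thread.
SAMPLE_HOSTS = """\
127.0.0.1        localhost
1.2.3.4          pve01.foobar.xyz pve01
192.168.20.31    pve01.baz pve01
10.0.0.5         nas.baz nas
"""

def parse_hosts(text):
    """Yield (address, [names]) for each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if names:
            yield addr, names

def ambiguous_short_names(text):
    """Return {short_name: sorted addresses} for every single-label name
    that appears on more than one address line."""
    seen = defaultdict(set)
    for addr, names in parse_hosts(text):
        for name in names:
            if "." not in name:  # unqualified alias, e.g. "pve01"
                seen[name].add(addr)
    return {n: sorted(a) for n, a in seen.items() if len(a) > 1}

def render_overrides(overrides, fqdn_only=True):
    """Render (host, domain, ip) overrides as hosts lines.  fqdn_only=True
    mimics the fixed behaviour; False mimics pre-2.3.2, which also wrote
    the bare host name after the FQDN."""
    lines = []
    for host, domain, ip in overrides:
        names = [f"{host}.{domain}"] + ([] if fqdn_only else [host])
        lines.append(f"{ip:<16} {' '.join(names)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print("ambiguous short names:", ambiguous_short_names(SAMPLE_HOSTS))
```

Run it against a copy of the firewall's /etc/hosts to confirm whether the bare name is still listed for more than one address after the patches are applied.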

Oh, I misremembered where I pushed that. It's in 2.4 only, as 2.3.2 has minimal time for baking in snapshots and I'm thinking that's likely going to trigger some regression in some edge case.

                      You can apply the diffs from the two commits on this ticket.
                      https://redmine.pfsense.org/issues/6064

                      https://redmine.pfsense.org/projects/pfsense/repository/revisions/f1db82aca3f260921ce0c5f71ff3a93149ffebc0/diff/src/etc/inc/unbound.inc
                      https://redmine.pfsense.org/projects/pfsense/repository/revisions/0fa68840504f6866901e0d02819d43a3ce9f9578/diff/src/etc/inc/system.inc

luckman212 (LAYER 8):

                        Ok thanks again.

                        Just to clarify, the correct way to do what you are suggesting:

1. Install the System_Patches package
2. Create 2 patches, referencing the following 2 commits:
   f1db82aca3f260921ce0c5f71ff3a93149ffebc0
   0fa68840504f6866901e0d02819d43a3ce9f9578
3. Apply

I did this and it seemed to work….. just making sure.

Also...... How can we begin testing 2.4?
cmb:

                          Yes, that's correct.

                          We'll have 2.4 snapshots out before too long, then we'll have a board up here for testers.

luckman212 (LAYER 8):

Just wanted to report back: I've been running that patch with no ill effects for just about a week now. It has been working fine.

Edit: It's been well over a month now running those patches and they are not causing any problems at all for me. Not sure how far off 2.4 is, but it would definitely be nice to see these committed for 2.3.3.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.