Unbound: Host Override ignoring "domain" portion for unqualified queries?
-
what would be the fqdn of your pve01 box… Why would you ever have just a host name to find something? You should always use fqdn. So ok you have server local called pve01.something.tld and then your override of pve01.foobar.xyz so you should be fine.
But I agree with you it could be problematic.. I agree with you all queries should always be fully qualified.. if you have record for host.domain.tld a query for host. should not return that record.
Have to look into redmine and see if anyone has opened a ticket about this. But either way the work around I posted works.
as to your search suffix being single label - not a fan of that to be honest, but sure if that is what you want.. I personally think its bad habit and practice.
I stated it most likely WAD designed is because there have been previous posts where users specifically desired host name to respond. But I don't understand the use case of that either. Other then lazy users not wanting to type out fully qualified or proper use of search suffixes when and where they work, etc.
-
what would be the fqdn of your pve01 box…
pve01.baz in this case
Why would you ever have just a host name to find something? You should always use fqdn.
I agree but there are some cases where this can't be controlled (someone else's software) or other reasons why you might want it (maybe you want to make a bookmark for http://pve01 that works from 2 different search domains - home & work…)
So ok you have server local called pve01.something.tld and then your override of pve01.foobar.xyz so you should be fine.
Yes as long as the full FQDN is used, the correct values are returned
Have to look into redmine and see if anyone has opened a ticket about this. But either way the work around I posted works.
Thank you- actually I did stumble onto that same workaround, I was just posting here so that I could get feedback
as to your search suffix being single label - not a fan of that to be honest, but sure if that is what you want.. I personally think its bad habit and practice.
agree w/ you 100% - actually these examples are not my real info - real suffix is more like foo.bar but for the example it didn't matter.
-
Prior to 2.3.2, the non-fully qualified hostname was put in the hosts file and in Unbound's config, without any consideration for the domain. So if you had abc.example.com and abc.example.net pointing to two diff IPs, doing a lookup on just "abc" would result in a round-robin reply with both IPs.
In 2.3.2+, the non-FQDN hostnames are excluded entirely from hosts (for the host itself and dnsmasq) and Unbound's config, so that won't happen.
-
Ah, ok – I'll test w/ 2.3.2 snapshot
thanks Cmb ;)
-
So it was WAD then ;) glad to see it being changed.. Looks like some good stuff coming in 2.3.2.. Might have to move to it early as well ;)
-
@cmb:
In 2.3.2+, the non-FQDN hostnames are excluded entirely from hosts (for the host itself and dnsmasq) and Unbound's config, so that won't happen.
I upgraded to 2.3.2.a.20160714.1554, deleted my Host Override and then re-added it. But I'm still seeing the same result as before. When I query for the unqualified host (pve01) I get back both IPs from Unbound. Do I need to change some other settings somewhere to see the new behavior?
-
check your host file, guess is left those in there since you did an upgrade.
-
I checked /etc/hosts I see that there are in fact 2 entries for the "pve01" unqualified hostname
1.2.3.4 pve01.foobar.xyz pve01 192.168.20.31 pve01.baz pve01Like I said, I deleted the Host Override, confirmed that it was completely gone from /etc/hosts and then re-added it. But again it puts back the line:
1.2.3.4 pve01.foobar.xyz pve01Maybe I'm not on the right snapshot??
-
Oh, misremembered where I pushed that. It's in 2.4 only, as 2.3.2 has minimal time for baking in snapshots and I'm thinking that's likely going to trigger some regression in some edge case.
You can apply the diffs from the two commits on this ticket.
https://redmine.pfsense.org/issues/6064https://redmine.pfsense.org/projects/pfsense/repository/revisions/f1db82aca3f260921ce0c5f71ff3a93149ffebc0/diff/src/etc/inc/unbound.inc
https://redmine.pfsense.org/projects/pfsense/repository/revisions/0fa68840504f6866901e0d02819d43a3ce9f9578/diff/src/etc/inc/system.inc -
Ok thanks again.
Just to clarify, the correct way to do what you are suggesting:
- Install System_Patches package
- create 2 patches, reference the following 2 commits:
f1db82aca3f260921ce0c5f71ff3a93149ffebc0 0fa68840504f6866901e0d02819d43a3ce9f9578 ```3) Apply I did this and it seemed to work….. just making sure also......How can we begin testing 2.4? -
Yes, that's correct.
We'll have 2.4 snapshots out before too long, then we'll have a board up here for testers.
-
Just wanted to report back, been running that patch with no ill effects for just about a week now. Has been working fine.
edit: Been well over a month now, running those patches and they are not causing any problems at all for me. Not sure how far off 2.4 is but it would definitely be nice to see these committed for 2.3.3.
