Netgate Discussion Forum
    Authoritative DNS Forwarder (dnsmasq) Problem

    garthk

      Running 2.1.4 x64. I am attempting to make the PFS dnsmasq authoritative for my local domain by adding the following entries to the Advanced section of the config form:

      log-queries
      local=/phony.com/
      auth-server=pfw.phony.com,igb0
      host-record=pfw.phony.com,10.20.30.1
      auth-zone=phony.com,10.20.30.0/24
      mx-host=phony.com,mailsvr.phony.com,1

      When added, I can nslookup the domain and MX successfully, so it appears to be working. Prob is it stops resolving external addresses like www.google.com and dig shows "WARNING: recursion requested but not available". When the above lines are removed, it starts working again. Probably unrelated, I've noticed that under General Settings, 127.0.0.1 is never listed as a DNS server, regardless of whether the "Do not use" checkbox is unchecked or whether the above lines are added to the Advanced section or not.

      I've done lots of searching and reading but have found no solution.

      What am I missing?

      Thanx,
      Garth

      vindenesen

        A quick google search on authoritative DNS server (was unsure about its definition), reveals that an authoritative DNS server only responds to requests about zones configured on the dns server (unless configured otherwise). In other words, it's probably unable to resolve www.google.com, because it doesn't know about it.

        Could be that this is your problem.

        http://superuser.com/questions/370105/what-does-authoritative-dns-server-mean

        Support the project by buying a Gold Subscription at https://portal.pfsense.org
        Running pfSense on SuperMicro A1SRI-2758F with ESXi 5.5

        garthk

          Understood but I have specified Forwarders in the General Setup and checked Query DNS Servers sequentially in the config for the DNS Forwarder (which mentions that the forwarders are specified in the General Setup) so if it can't find an address locally, it should try the next DNS server in the list. Right?

          Still not sure what I'm missing.

          Thanx for the reply,
          Garth

          vindenesen

            I thought it only contacted the next DNS server in the list if it was unable to contact the first (timeout etc.). In this case, it is able to contact the first DNS server, and therefore it doesn't try the next one. That's my theory at least :)

            garthk

              I'll not disagree but that raises the next question. How do I specify where an ADNS server is supposed to look if the address is not local? I've seen discussions where there is an /etc/resolv.dnsmasq which contains the IP addresses of forwarding nameservers. Is this required beyond listing them in General Setup?

              Thanx,
              Garth

              vindenesen

                Just tested this in my test environment by adding the same advanced config (changed the interface). Exactly the same happens here: it will now only resolve the records added in the advanced config, it doesn't forward to the upstream servers. Have read up on the dnsmasq manual, it should have forwarded the queries, but it doesn't. Could it be a bug? Also tested adding server=8.8.8.8 to the advanced config, didn't do much good.

                Edit: May have misunderstood the manual. Also, when I removed "auth-server=pfw.phony.com,igb0" from the config, I was able to resolve both pfw.phony.com and other DNS names.

                garthk

                  I removed that same line and it started working here as well. Apparently using that config directive indicates that dnsmasq should not forward if the query is unresolved.

                  Thanx Much,
                  Garth

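To make the dig warning in the thread concrete: dig prints "recursion requested but not available" when the query carried the RD flag and the reply came back without the RA flag, which is exactly how an authoritative-only dnsmasq answers. The following is an added example, not code from the thread or from pfSense/dnsmasq; it decodes those header flags from a DNS reply and can optionally probe a resolver over UDP. The two sample replies are constructed, and the probe() target address is an assumption you supply.

```python
import socket
import struct

# Constructed sample replies (not captured from the poster's system):
# a 12-byte DNS header; only the header is decoded here.
# Flags 0x8180: QR=1, RD=1, RA=1 -> a normal recursive/forwarded answer.
RECURSIVE_REPLY = bytes.fromhex("1234" "8180" "0001" "0001" "0000" "0000")
# Flags 0x8105: QR=1, RD=1, RA=0, RCODE=5 (REFUSED) -> authoritative-only
# server that will not forward queries for names outside its zones.
AUTH_ONLY_REPLY = bytes.fromhex("1234" "8105" "0001" "0000" "0000" "0000")


def decode_header(reply: bytes) -> dict:
    """Decode the DNS header flags dig prints as 'qr aa rd ra' plus status."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }


def recursion_available(reply: bytes) -> bool:
    """True when the server set RA; False is the condition behind dig's
    'WARNING: recursion requested but not available'."""
    h = decode_header(reply)
    return h["rd"] and h["ra"]


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal A query with RD set, as dig does by default."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def probe(server: str, name: str = "www.google.com", timeout: float = 2.0) -> bool:
    """Send one query to a resolver (assumed: the pfSense LAN address) over UDP
    and report whether it answered with RA set. Uses the network; not run in tests."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        reply, _ = s.recvfrom(512)
    return recursion_available(reply)
```

Running probe() against the forwarder before and after removing the auth-server line is a quick way to confirm the change in behaviour the thread describes without reading dig's output by hand.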