Don't forward without domain
-
I'm wondering if it is possible [with unbound] to stop forwarding requests without a domain.
Here is the example. The local PC is sending a query and receiving an undesired response:
192.168.1.2 192.168.1.1 DNS 62 Standard query 0x0003 A gw
192.168.1.1 192.168.1.2 DNS 118 Standard query response 0x0003 A gw SOA gw01.dns.pt
Now with another name:
192.168.1.2 192.168.1.1 DNS 64 Standard query 0x0004 A brix
192.168.1.1 192.168.1.2 DNS 139 Standard query response 0x0004 No such name A brix SOA a.root-servers.net
192.168.1.2 192.168.1.1 DNS 68 Standard query 0x0005 A brix.lan
192.168.1.1 192.168.1.2 DNS 84 Standard query response 0x0005 A brix.lan A 192.168.1.6
After "No such name" the client PC adds the default domain "lan", sends another query and receives a proper response.
Another question: is it possible to force Unbound to add the default domain to all the queries it receives without a domain?
-
The only way to do that would be to have something that does a DNS lookup on everything heading out. As for your second question, I'm not sure what you're looking for? A fully qualified domain name has 2 parts, a host name and a domain name. Do you want to make those up for addresses that don't resolve?
-
Why would your client ask for brix unless the user put in just brix? Have this user use brix.lan from the get-go ;) Use of a single label is normally not a good idea; your local domain should be something like something.tld.
dnsmasq has an option domain-needed. I am not aware of a similar option in unbound.
You could use a forwarder which is dnsmasq and set this option. You could use dnsmasq before pfSense to filter on this, say Pi-hole or something.
-
Regarding my #2: I was thinking about adding a "search domain" similar to what we have on the clients, i.e. when Unbound receives a non-FQDN query (no dots) it should first add the default domain, then try to resolve locally.
-
A non-domain query is not valid; it's not going to resolve locally. The search suffix is only going to be added on the second query; if your client only asks for host, that is what will be queried for. Tell your clients not to query just host and always use host.domain and your problem goes away ;)
-
dnsmasq has an option domain-needed
Exactly. This is what I had in mind; I was using it on my OpenWrt travel box in the past.
Definitely it will not be a big deal to always use host.domain; today it just popped up during some troubleshooting where it was just quicker to type ping gw.
Thanks for all the suggestions!
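Added example, not part of the thread and not taken from pfSense or dnsmasq documentation: a dnsmasq.conf fragment that applies the domain-needed option the posters mention. The captures above show why it matters: a bare "gw" query was forwarded all the way out and answered from a zone outside the LAN (NODATA for gw with an SOA of gw01.dns.pt, because the label happens to match a real top-level domain), and a bare "brix" query reached the root servers (NXDOMAIN with SOA a.root-servers.net). Every dotless name typed on a client therefore leaks an internal hostname upstream. Assumptions in this fragment: the local domain is "lan" (as in the captures), dnsmasq is the forwarder in front of the upstream resolver, and 192.0.2.53 is a placeholder for that upstream's real address.

```conf
# Added example (not from the thread): dnsmasq as the LAN forwarder.
# Assumptions: local domain is "lan"; 192.0.2.53 is a placeholder for the
# real upstream resolver address.

# Never forward plain (dotless) names such as "gw" or "brix" upstream.
# A/AAAA queries for names not known locally get a "not found" answer,
# so clients still fall through to their search suffix (gw -> gw.lan).
domain-needed

# Never forward reverse lookups for RFC 1918 ranges upstream.
bogus-priv

# Answer everything under .lan from /etc/hosts and DHCP leases only;
# never send .lan queries to the upstream.
local=/lan/

# Local domain, appended to simple names from /etc/hosts and DHCP leases
# so that "brix" in /etc/hosts is also served as brix.lan.
domain=lan
expand-hosts

# Ignore /etc/resolv.conf and use only the configured upstream.
no-resolv
server=192.0.2.53
```

Two caveats worth checking after applying this: domain-needed covers A and AAAA queries for plain names, so a dotless query of another type (for example a TXT lookup) is still forwarded, and the "not found" answer is what triggers the client's second, suffixed query, so "ping gw" keeps working as long as gw.lan is known to dnsmasq locally.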