DNS Stalling?
-
Thanks
As for the first error posted. I did find an answer to that one for anyone else looking. The Outgoing interfaces for DNS needs to be set to "ALL". Incoming can be set to your explicit local LAN interfaces. Whatever they may be.
-
"The Outgoing interfaces for DNS needs to be set to "ALL"."
No it doesn't.. I have zero issues with my unbound and the only outbound interface is WAN
-
Interesting, because when I tried to do that the error came back. When I set to ALL it stopped spamming errors
-
Did you see this Thread
https://forum.pfsense.org/index.php?topic=137656.0
Do you have link local also selected when you're selecting WAN?
-
Yep, which is why I re-set the outgoing interface back to the default "All" which shouldn't allow any internal queries to go outside the firewall. The firewall will answer what it can and inquire about anything it doesn't know while not answering any DNS inquiries publicly.
Since making the changes to "All" on the outgoing and only selecting what networks I want the DNS to answer to on the "Network Interfaces", the logs stopped spamming. Anyhow, the point is, both problems have been solved; though posted in the same thread, they have been figured out.
-
"back to the default "All" which shouldn't allow any internal queries to go outside the firewall."
What? How is that?
Did you change your zone type? The zone type of transparent would mean if you ask for something that is in your internal domain and there is no record, it will query upstream for it.
-
Exactly! And maybe I'm not being transparent myself, so, since a picture is worth a thousand words, here you go…
![Screenshot from 2018-02-24 00-43-32.png](/public/imported_attachments/1/Screenshot from 2018-02-24 00-43-32.png)
-
So you're transparent… So if you query for something.yourdomain.tld and there is no something.yourdomain.tld then yes unbound will look for that upstream..
If you do not want unbound to look upstream for something when there is NO something then you need to change your zone type to static..
Ah, here's where your problem is: you're listening on link local... Why? You stated you're not even using IPv6... Uncheck those on your listen side and then set your outgoing to WAN only and I bet your log spam goes away.
-
wouldn't that also keep DNS from inquiring about web domains?
-
Huh?? No, static is only for your local domain!!
Look at unbound conf doc
https://www.unbound.net/documentation/unbound.conf.html

static
If there is a match from local data, the query is answered.
Otherwise, the query is answered with nodata or nxdomain.
For a negative answer a SOA is included in the answer if
present as local-data for the zone apex domain.

transparent
If there is a match from local data, the query is answered.
Otherwise if the query has a different name, the query is
resolved normally. If the query is for a name given in
localdata but no such type of data is given in localdata,
then a noerror nodata answer is returned. If no local-zone
is given local-data causes a transparent zone to be created
by default.
-
Interesting. I'll toy with it, can't say I completely understand it.
-
So here, look: set to static, I ask for something.local.lan, which there is no record of, and I get back this..
dig something.local.lan
; <<>> DiG 9.11.2-P1 <<>> something.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21582
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;something.local.lan. IN A

;; Query time: 0 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Sat Feb 24 03:18:29 Central Standard Time 2018
;; MSG SIZE rcvd: 48

It sends the NX… And nothing else happens... Now if I change the zone to transparent, which is the default.. You get this instead..
dig something.local.lan
; <<>> DiG 9.11.2-P1 <<>> something.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37322
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;something.local.lan. IN A

;; AUTHORITY SECTION:
. 3600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018022400 1800 900 604800 86400

;; Query time: 179 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Sat Feb 24 03:19:44 Central Standard Time 2018
;; MSG SIZE rcvd: 123

It tried to find that by normal resolve.. You can see the roots sent back "hey buddy, sorry, no .lan network"… If you would sniff on WAN you would see it asking for that.. I did query for othersomething since something was cached as neg and wouldn't go ask again until that neg TTL expired..
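The zone-type semantics quoted from the unbound.conf documentation above, and demonstrated by the two dig runs, modelled as an added Python example. This is not code from the thread or from Unbound itself; the zone name local.lan, the host record and the queries are constructed sample data, and the outcome strings are this example's own labels.

```python
from dataclasses import dataclass, field

# Outcomes of a lookup against one local-zone (labels chosen for this example).
LOCAL_ANSWER = "answered from local-data"
NXDOMAIN = "NXDOMAIN, nothing sent upstream"
NODATA = "NOERROR/NODATA, nothing sent upstream"
UPSTREAM = "resolved upstream (query leaves the firewall)"


@dataclass
class LocalZone:
    name: str                      # zone apex, e.g. "local.lan."
    ztype: str                     # "static" or "transparent"
    data: dict = field(default_factory=dict)  # {(owner, rrtype): rdata}

    def _in_zone(self, qname: str) -> bool:
        return qname == self.name or qname.endswith("." + self.name)

    def resolve(self, qname: str, qtype: str) -> str:
        """Decide how the quoted local-zone rules answer qname/qtype."""
        qname = qname.lower().rstrip(".") + "."
        qtype = qtype.upper()
        if not self._in_zone(qname):
            return UPSTREAM            # names outside the zone resolve normally
        if (qname, qtype) in self.data:
            return LOCAL_ANSWER        # "If there is a match from local data ..."
        name_known = any(owner == qname for owner, _ in self.data)
        if self.ztype == "static":
            # static: never goes upstream; nodata if the name exists, else nxdomain
            return NODATA if name_known else NXDOMAIN
        if self.ztype == "transparent":
            # transparent: known name with another type -> nodata;
            # a different (unknown) name -> resolved normally, i.e. upstream
            return NODATA if name_known else UPSTREAM
        raise ValueError(f"unsupported zone type {self.ztype!r}")


# Constructed sample zone: a single host record under local.lan
SAMPLE_DATA = {("host.local.lan.", "A"): "192.168.9.10"}
STATIC = LocalZone("local.lan.", "static", dict(SAMPLE_DATA))
TRANSPARENT = LocalZone("local.lan.", "transparent", dict(SAMPLE_DATA))

if __name__ == "__main__":
    for zone in (STATIC, TRANSPARENT):
        for q in ("host.local.lan", "something.local.lan", "www.example.com"):
            print(f"{zone.ztype:12} {q:22} -> {zone.resolve(q, 'A')}")
```

Only the zone's own names are affected by the static/transparent choice; a query for www.example.com goes upstream under either type, which is the answer to the "web domains" question earlier in the thread.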