DNS Stalling?

johnpoz

"The Outgoing interfaces for DNS needs to be set to "ALL"."

No it doesn't.. I have zero issues with my unbound and the only outbound interface is WAN

Visseroth

Interesting, because when I tried to do that the error came back. When I set to ALL it stopped spamming errors

johnpoz

Did you see this Thread

https://forum.pfsense.org/index.php?topic=137656.0

Do you have link local also selected when your selecting wan?

Visseroth

Yep, which is why I re-set the outgoing interface back to the default "All" which shouldn't allow any internal quiries to go outside the firewall. The firewall will answer what it can and inquire about anything it doesn't know while not answering any DNS inquiries publically.
Since making the changes to "All" on the outgoing and only selecting what networks I want the DNS to answer to on the "Network Interfaces", the logs stopped spamming.

Anyhow, point is, both problems have been solved, though posted in the same thread they have been figured out.

johnpoz

"back to the default "All" which shouldn't allow any internal quiries to go outside the firewall."

What?  How is that?

Did you change your zone type?  The zone type of transparent would mean if you ask for something that is in your internal domain and there is no record, it will query upstream for it.

Visseroth

Exactly! and maybe I'm not being transparent myself, so being a picture is worth a thousand words here you go…


johnpoz

So your transparent… So if you query for something.yourdomain.tld and there is no something.yourdomain.tld then yes unbound will look for that upstream..

If you do not want unbound to look upstream for something when there is NO something then you need to change your zone type to static..

ah where your problem is your listening on link local... Why?  You stated your not even using ipv6... Uncheck those on your listen side and then set your outgoing to wan only and bet your log spam goes away.

Visseroth

wouldn't that also keep DNS from inquiring about web domains?

johnpoz

huh??  No static is only for your local domain!!

Look at unbound conf doc
https://www.unbound.net/documentation/unbound.conf.html

static
                If there is a match from local data, the query  is  answered.
                Otherwise,  the  query  is  answered with nodata or nxdomain.
                For a negative answer a SOA is  included  in  the  answer  if
                present as local-data for the zone apex domain.

transparent
                If  there  is a match from local data, the query is answered.
                Otherwise if the query has a different  name,  the  query  is
                resolved  normally.  If  the  query  is  for a name given in
                localdata but no such type of data  is  given  in  localdata,
                then  a  noerror nodata answer is returned.  If no local-zone
                is given local-data causes a transparent zone to  be  created
                by default.

Visseroth

Interesting. I'll toy with it, can't say I completely understand it.

johnpoz

So here look set to static I ask for something.local.lan, which there is no record of that I get back this..

dig something.local.lan

; <<>> DiG 9.11.2-P1 <<>> something.local.lan                         
;; global options: +cmd                                               
;; Got answer:                                                         
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21582             
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:                                                 
; EDNS: version: 0, flags:; udp: 4096                                 
;; QUESTION SECTION:                                                   
;something.local.lan.          IN      A

;; Query time: 0 msec                                                 
;; SERVER: 192.168.9.253#53(192.168.9.253)                             
;; WHEN: Sat Feb 24 03:18:29 Central Standard Time 2018               
;; MSG SIZE  rcvd: 48

It sends the NX… And thing else happens... Now if change the zone to transparent which is the default..  You get this instead..

dig something.local.lan

; <<>> DiG 9.11.2-P1 <<>> something.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37322
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;something.local.lan.          IN      A

;; AUTHORITY SECTION:
.                      3600    IN      SOA  **  a.root-servers.net**. nstld.verisign-grs.com. 2018022400 1800 900 604800 86400

;; Query time: 179 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Sat Feb 24 03:19:44 Central Standard Time 2018
;; MSG SIZE  rcvd: 123

It tried to find that by normal resolve.. You can see roots sent back hey buddy sorry no .lan network… If you would sniff on wan you would see it asking for that.. I did query for othersomething since something was cached as neg and wouldn't go ask again until that neg ttl expired..