Domain overrides no more working since 2.4.3

nekopep

Hello,

I have a DNS resolver set up to forward to quad9 dns request and overrides some request related to our AD domain.

It was working pretty until I upgraded to 2.4.3 + I did some more changes:

Add HA with CARP setup (working well so looks like has no impact)
Perhaps I activated DNSSEC but disabling it does not work better

What I did to test, on firewall itself and also on a local machine:

[2.4.3-RELEASE][admin@pfSense_master.domain.home]/root: ping domain.home
^C

[2.4.3-RELEASE][admin@pfSense_master.domain.home]/root: dig domain.home

; <<>> DiG 9.11.2-P1 <<>> domain.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8424
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.home.			IN	A

;; Query time: 285 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 15 00:04:02 CEST 2018
;; MSG SIZE  rcvd: 39

[2.4.3-RELEASE][admin@pfSense_master.domain.home]/root: cat /var/unbound/domainoverrides.conf
forward-zone:
	name: "domain.home"
	forward-addr: 192.168.20.1

Usually pinging domain.home was working.

I've checked every forum entry I could without success :/
Any idea on what I could test to debug this? Any logs to check?

Attached are my current setup.

Thanks for any help/idea!

dns_options.png_thumb

domain_overrides.png_thumb

host_overrides.png_thumb

nekopep

Does Domain overrides has some incompatibilities with some other settings?
Does anybody has some idea of tests I could do to try to workaround this?

Thx for any help!

johnpoz

Well lets see your query to 192.168.20.1 that responds for domain.home.

nekopep

Hi @johnpoz,
Do you want dig output (query to domain.home)?
Please see below, perhaps I misunderstood your question?

[2.4.3-RELEASE][admin@pfSense_master.domain.home]/root: dig domain.home

; <<>> DiG 9.11.2-P1 <<>> domain.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8424
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.home.			IN	A

;; Query time: 285 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 15 00:04:02 CEST 2018
;; MSG SIZE  rcvd: 39

johnpoz

that is not to 192.168.20.1

That just saying it failed.

dig @192.168.20.1 domain.home

That would show 192.168.20.1 answer... If that fails then its not pfsense.

You do have it set allow for rfc1918 right.. Since forwarding domain override that returns rfc1918 would be a rebind.

https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

nekopep

Ok, here is the command:

[2.4.3-RELEASE][admin@pfSense_master.domain.home]/root: dig @192.168.20.1 domain.home

; <<>> DiG 9.11.2-P1 <<>> @192.168.20.1 domain.home
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10910
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: eaa7302551628e59 (echoed)
;; QUESTION SECTION:
;domain.home.			IN	A

;; ANSWER SECTION:
domain.home.		600	IN	A	192.168.20.1

;; Query time: 1 msec
;; SERVER: 192.168.20.1#53(192.168.20.1)
;; WHEN: Mon Jun 04 13:52:46 CEST 2018
;; MSG SIZE  rcvd: 67

So seems it is a pfsense issue, since I got an answer.
Now, I'll check your link, I was not aware of rebinding protections.

nekopep

@johnpoz

I also tryed your link:

server:include: /var/unbound/pfb_dnsbl.*conf
server:
private-domain: "domain.home"

Without success.
Also if I remove all Host overrides then I can add in the unbound server options:

#server:
#local-zone: "domain.home" redirect
#local-data: "domain.home 86400 IN A 192.168.20.1"

And in this case it look like it works BUT id do not have anymore the local hosts resolution :/

johnpoz

I am in the process of firing up a 2k12r2 server in VM to be able to show how it works for PTR zones as well in another thread. F there is a lot of updates after a clean install on windows ;)

Its about done updating - I think like the 4th or so go around.. I will try and fire dns up on it later today and we can walk through simulating what your doing and also the PTR zones that the other user is having issues with.

Give me a bit have to run to work soon.. But will be able to finish it up from there. And post some screenshots and settings

edit: Do you have unbound able to use the local interface for queries - that is another common mistake, you have to allow unbound to use a local interface to get to your local server.

nekopep

Here is my config:

-> Do you have unbound able to use the local interface for queries -> How can I check this?

Well done! I've set Outgoing Network interface to all and it is working!
Thanks a lot for the idea!

I'll check a more restrictive setting.

Thanks a lot anyway!

nekopep

@johnpoz
Hi johnpoz,
I added CARP LAN + Localhost to Outgoing Network Interfaces as you suggested, and now everything working perfectly!

Thus, + server: private-domain: "domain.home" just in case in advanced options :)

Thanks a lot!

johnpoz

There you go then ;) Yup kind of hard to query local dns when unbound can not talk on that network its located on ;)

Good thing too since VM is still in progress.. Ran out of disk space - was like why and the F is this update taking so long to download.. So had to expand the vm disk... heheheh

Then I got side tracked with beer drinking... Now its running disk cleanup.. Deleting like 3GB of "old updates"...