Netgate Discussion Forum
    Domain override broken since 2.4.4 p2

    Category: DHCP and DNS | 16 Posts, 4 Posters, 921 Views
    Grimson (Banned):

      You should never use .local as this will conflict with mDNS and can cause issues. pfSense does actually warn you about that in the general settings:
      [screenshot: domain settings.jpg]

    johnpoz (LAYER 8 Global Moderator):

        Yeah, not a fan of that myself, but it looks like he's not just using single-label .local, but mydomain.local

        But yeah, Apple broke use of the TLD .local for everyone ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    Grimson (Banned), replying to johnpoz:

          @johnpoz said in Domain override broken since 2.4.4 p2:

          Yeah, not a fan of that myself, but it looks like he's not just using single-label .local, but mydomain.local

          As long as it ends in .local it will conflict.

    johnpoz (LAYER 8 Global Moderator):

            Yeah, if he is an Apple user he could have problems. I agree it's a BAD choice to use.. But still not sure exactly what he has set up, because of the mydomain.local.mynet CNAME?


    Grimson (Banned), replying to johnpoz:

              @johnpoz said in Domain override broken since 2.4.4 p2:

              Yeah, if he is an Apple user he could have problems.

              Windows 10 has mDNS support included by default in its newer builds too.

              Back to the OP: Post the details of your DNS config; as long as it's all about internal domains it shouldn't be a problem.

    johnpoz (LAYER 8 Global Moderator):

                Not in mine - I turn that shit off right out of the box ;) hehehe


    luas:

                  Hi, thanks for your elaborate response!
                  Yes, mydomain.local was for obfuscation. In detail, we have two subnets:
                  192.168.96.0/20 (.mynet) with a couple of clients which are allowed to access subnet2:
                  192.168.0.1/24 (.mydomain.local) - This subnet contains a Windows domain, and 192.168.0.10 is one of its DNS servers.

                  I agree that .mydomain.local.mynet looks confusing; I guess that pfSense adds .mynet because I entered it in System > General Setup > Domain. However, this has done no harm in the past. It is not an issue as long as domain override works.

                  @johnpoz said in Domain override broken since 2.4.4 p2:

                  So you're wanting to look up myserver.mydomain.local - which is a CNAME that points to
                  myserver.mydomain.local.mynet
                  Do you have an override for that? If not, then you're going to get an NX since I highly doubt that would resolve on the public net, etc.

                  I have a domain override for mydomain.local, yes. At this very moment, it is working again after a 2 hour outage:

                  Mar 18 17:37:38	unbound	24418:0	info: validation success myserver.mydomain.local.mynet. CNAME IN
                  Mar 18 17:37:38	unbound	24418:0	info: validate(nxdomain): sec_status_secure
                  Mar 18 17:37:38	unbound	24418:0	info: validator operate: query myserver.mydomain.local.mynet. CNAME IN
                  Mar 18 17:37:38	unbound	24418:0	debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
                  Mar 18 17:37:38	unbound	24418:0	info: finishing processing for myserver.mydomain.local.mynet. CNAME IN
                  Mar 18 17:37:38	unbound	24418:0	info: resolving myserver.mydomain.local.mynet. CNAME IN
                  Mar 18 17:37:38	unbound	24418:0	debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
                  Mar 18 17:37:38	unbound	24418:0	info: validator operate: query myserver.mydomain.local.mynet. CNAME IN
                  Mar 18 17:37:38	unbound	24418:0	debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
                  Mar 18 17:37:38	unbound	24418:0	debug: cache memory msg=2625586 rrset=4532884 infra=2576142 val=176232
                  Mar 18 17:37:38	unbound	24418:0	info: validation success myserver.mydomain.local. CNAME IN
                  Mar 18 17:37:38	unbound	24418:0	info: validate(nxdomain): sec_status_secure
                  Mar 18 17:37:38	unbound	24418:0	info: validator operate: query myserver.mydomain.local. CNAME IN
                  Mar 18 17:37:38	unbound	24418:0	debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
                  Mar 18 17:37:38	unbound	24418:0	info: finishing processing for myserver.mydomain.local. CNAME IN
                  Mar 18 17:37:38	unbound	24418:0	info: resolving myserver.mydomain.local. CNAME IN
                  Mar 18 17:37:38	unbound	24418:0	debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
                  Mar 18 17:37:38	unbound	24418:0	info: validator operate: query myserver.mydomain.local. CNAME IN
                  Mar 18 17:37:38	unbound	24418:0	debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
                  Mar 18 17:37:38	unbound	24418:0	debug: cache memory msg=2625586 rrset=4532884 infra=2576142 val=176232
                  Mar 18 17:37:38	unbound	24418:0	info: validation success myserver.mydomain.local.mynet. AAAA IN
                  Mar 18 17:37:38	unbound	24418:0	info: validate(nxdomain): sec_status_secure
                  Mar 18 17:37:38	unbound	24418:0	info: validator operate: query myserver.mydomain.local.mynet. AAAA IN
                  Mar 18 17:37:38	unbound	24418:0	debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
                  Mar 18 17:37:38	unbound	24418:0	info: finishing processing for myserver.mydomain.local.mynet. AAAA IN
                  Mar 18 17:37:38	unbound	24418:0	info: resolving myserver.mydomain.local.mynet. AAAA IN
                  Mar 18 17:37:38	unbound	24418:0	debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
                  Mar 18 17:37:38	unbound	24418:0	info: validator operate: query myserver.mydomain.local.mynet. AAAA IN
                  Mar 18 17:37:38	unbound	24418:0	debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
                  Mar 18 17:37:38	unbound	24418:0	debug: cache memory msg=2625317 rrset=4532884 infra=2576142 val=176232
                  Mar 18 17:37:38	unbound	24418:0	info: validation success myserver.mydomain.local. AAAA IN
                  Mar 18 17:37:38	unbound	24418:0	info: validate(nxdomain): sec_status_secure
                  Mar 18 17:37:38	unbound	24418:0	info: validator operate: query myserver.mydomain.local. AAAA IN
                  Mar 18 17:37:38	unbound	24418:0	debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
                  Mar 18 17:37:38	unbound	24418:0	info: finishing processing for myserver.mydomain.local. AAAA IN
                  Mar 18 17:37:38	unbound	24418:0	info: resolving myserver.mydomain.local. AAAA IN
                  Mar 18 17:37:38	unbound	24418:0	debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
                  Mar 18 17:37:38	unbound	24418:0	info: validator operate: query myserver.mydomain.local. AAAA IN
                  

                  The response to the command given above slightly changed:

                  [2.4.4-RELEASE][admin@pfSense.zeggnet]/root: unbound-control -c /var/unbound/unbound.conf lookup myserver.mydomain.local
                  The following name servers are used for lookup of myserver.mydomain.local.
                  forwarding request:
                  Delegation with 0 names, of which 0 can be examined to query further addresses.
                  It provides 1 IP addresses.
                  192.168.0.10            expired, rto 29307524 msec, tA 0 tAAAA 0 tother 0.
                  

                  Does this "expired" have to bother me? (Anyway, this is the response I get while it's functional.)

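The log excerpt above is long, and the question it has to answer is narrow: which names did unbound actually resolve, did the search suffix (.mynet) get glued onto the override zone, and is there any line showing a query sent to the override target? The script below is an added example written for this thread; it is not code from the post, from pfSense or from unbound. It assumes the syslog prefix shown in the post (`Mar 18 17:37:38<TAB>unbound<TAB>24418:0<TAB>info: ...`), reuses the thread's placeholders (mydomain.local, 192.168.0.10, mynet), and matches unbound's `reply from <zone> ip#port` / `sending to target:` messages, which are assumed formats from unbound's higher verbosity levels and did not appear in the post. The sample lines are copied from the post; the one "forwarded" line is constructed to show what a hit looks like.

```python
"""Triage unbound debug output for a pfSense domain override (added example)."""
import re
from collections import Counter

# Constructed sample: a subset of the log lines quoted in the post, tab-separated
# like the originals. Note that none of them mention the forwarder 192.168.0.10.
SAMPLE_LOG = [
    "Mar 18 17:37:38\tunbound\t24418:0\tinfo: validation success myserver.mydomain.local.mynet. CNAME IN",
    "Mar 18 17:37:38\tunbound\t24418:0\tinfo: validate(nxdomain): sec_status_secure",
    "Mar 18 17:37:38\tunbound\t24418:0\tinfo: resolving myserver.mydomain.local.mynet. CNAME IN",
    "Mar 18 17:37:38\tunbound\t24418:0\tinfo: validation success myserver.mydomain.local. CNAME IN",
    "Mar 18 17:37:38\tunbound\t24418:0\tinfo: validate(nxdomain): sec_status_secure",
    "Mar 18 17:37:38\tunbound\t24418:0\tinfo: resolving myserver.mydomain.local. CNAME IN",
    "Mar 18 17:37:38\tunbound\t24418:0\tinfo: resolving myserver.mydomain.local.mynet. AAAA IN",
    "Mar 18 17:37:38\tunbound\t24418:0\tinfo: resolving myserver.mydomain.local. AAAA IN",
]

# Constructed line: what a query that really reached the override target looks like
# (assumed 'reply from <zone> ip#port' format from unbound verbosity 2+).
FORWARDED_LINE = "Mar 18 17:37:39\tunbound\t24418:0\tinfo: reply from <mydomain.local.> 192.168.0.10#53"

# 'unbound-control lookup' output as quoted in the post.
SAMPLE_LOOKUP = """\
The following name servers are used for lookup of myserver.mydomain.local.
forwarding request:
Delegation with 0 names, of which 0 can be examined to query further addresses.
It provides 1 IP addresses.
192.168.0.10            expired, rto 29307524 msec, tA 0 tAAAA 0 tother 0.
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+\s+unbound\s+\d+:\d+\s+(?P<level>\w+): (?P<msg>.*)$")
RESOLVE_RE = re.compile(r"^resolving (?P<name>\S+)\. (?P<rtype>[A-Z0-9]+) IN$")
UPSTREAM_RE = re.compile(r"(?:reply from|sending to target:) <[^>]*> (?P<ip>[0-9a-fA-F.:]+)#\d+")
LOOKUP_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)\s+(?P<expired>expired, )?rto (?P<rto>\d+) msec")


def triage(lines, zone, forwarder_ip, search_suffix):
    """Summarise which names unbound resolved and whether the forwarder was ever used."""
    zone = zone.strip(".").lower()
    # A client search list turns 'host.zone' into 'host.zone.suffix' as a second query.
    doubled = f"{zone}.{search_suffix.strip('.').lower()}"
    queries = Counter()
    suffix_doubled = set()
    upstreams = Counter()
    secure_nxdomain = 0
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        r = RESOLVE_RE.match(msg)
        if r:
            name = r.group("name").lower()
            queries[(name, r.group("rtype"))] += 1
            if name == doubled or name.endswith("." + doubled):
                suffix_doubled.add(name)
        elif msg.startswith("validate(nxdomain): sec_status_secure"):
            # A DNSSEC-validated denial: worth a second look for a name under a private zone.
            secure_nxdomain += 1
        else:
            u = UPSTREAM_RE.search(msg)
            if u:
                upstreams[u.group("ip")] += 1
    return {
        "queries": queries,
        "suffix_doubled": sorted(suffix_doubled),
        "upstreams": upstreams,
        "forwarder_contacted": upstreams[forwarder_ip] > 0,
        "secure_nxdomain": secure_nxdomain,
    }


def parse_lookup(text):
    """Return the server entries from 'unbound-control lookup' output."""
    servers = []
    for line in text.splitlines():
        m = LOOKUP_RE.match(line.strip())
        if m:
            servers.append({
                "ip": m.group("ip"),
                # 'expired' marks a stale infra-cache timing entry, not a failed query.
                "expired": m.group("expired") is not None,
                "rto_ms": int(m.group("rto")),
            })
    return servers


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "mydomain.local", "192.168.0.10", "mynet")
    for (name, rtype), n in sorted(report["queries"].items()):
        print(f"{n:2d}x  {rtype:5s} {name}")
    print("search-suffix doubled:", report["suffix_doubled"])
    print("forwarder contacted:  ", report["forwarder_contacted"])
    print("secure NXDOMAIN validations:", report["secure_nxdomain"])
    for entry in parse_lookup(SAMPLE_LOOKUP):
        print("lookup entry:", entry)
```

Run it against a Level 3 log captured during the outage rather than during the "working again" window; `forwarder_contacted` staying False while the override names keep showing up under `resolving` is the condition the moderator is pointing at.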
    johnpoz (LAYER 8 Global Moderator):

                    And nowhere do I see unbound actually talking to 0.10

                    As to working... You sure your clients are just asking it directly... Have seen it 1000 times, client has multiple NS listed..

                    If you set Level 3 logging and unbound actually asks and gets a response, it would be logged. See my tests above.

                    If your clients are in the .mynet domain, then yeah they will add that to the search suffix, etc..

                    Here is what I can tell you for sure - it works, it works well, it works easy... You need to figure out what you have wrong as to why it's not working.


    luas:

                      I agree that your responses look different, pointing out the nameserver it is talking to. No idea why this is not pointed out in my logs, even though I set the same log level as you did.
                      I tried to increase the log level to 4 or 5, but this seems to overwhelm my machine (CPU going up and logs no longer recorded).

                      @johnpoz said in Domain override broken since 2.4.4 p2:

                      You sure your clients are just asking it directly

                      For troubleshooting, I'm currently using Diagnostics>DNS lookup, so client configuration should not be an issue.

                      One last thing that confuses me: what exactly does pfSense do with multiple DNS servers configured?
                      [screenshot: Diagnostics > DNS Lookup results]
                      This request for an internal server should be answered by 127.0.0.1. It seems that external servers are still queried (one per WAN line) and I won't get a response before all of them have answered. Shouldn't it be so that requests for internal domains stay internal? Could this be part of the answer?

                      Does it make sense to post my complete DNS configuration here?

                      Again, thanks for your support!

    johnpoz (LAYER 8 Global Moderator):

                        Looks like you're forwarding, or have DNS set up in General, or letting it get DNS from DHCP..

                        If you're using the resolver.. you should have nothing set up in General for DNS, and you should make sure that you do not allow DNS from DHCP.

                        And yeah, when you do diag like that, all you should see is loopback 127.0.0.1.


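Two pieces of advice in this thread are mechanical enough to check from a config backup: Grimson's point that anything ending in .local collides with mDNS (the TLD is reserved for Multicast DNS by RFC 6762), and johnpoz's point that in resolver mode General Setup should list no DNS servers and "Allow DNS server list to be overridden by DHCP/PPP on WAN" should be off, otherwise Diagnostics > DNS Lookup shows more than 127.0.0.1. The audit below is an added example written for this thread, not code from the post or from pfSense. It assumes the config.xml layout of a 2.4.x box as I know it (`system/domain`, repeated `system/dnsserver`, an empty `system/dnsallowoverride` when the DHCP box is ticked, `unbound/enable`, `unbound/forwarding` when forwarding mode is on, repeated `unbound/domainoverrides` with `domain`/`ip`, and an optional `@port` suffix on the override IP); confirm those paths against your own backup before trusting it. Both configs are constructed, using the thread's placeholder names, and `mydomain.lan` in the hardened one is just a stand-in for any suffix that is not .local.

```python
"""Audit a pfSense config.xml for the DNS settings discussed in this thread (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed: the shape of configuration the thread warns about.
WEAK_CONFIG = """<pfsense>
  <system>
    <hostname>pfSense</hostname>
    <domain>mydomain.local</domain>
    <dnsserver>8.8.8.8</dnsserver>
    <dnsserver>1.1.1.1</dnsserver>
    <dnsallowoverride></dnsallowoverride>
  </system>
  <unbound>
    <enable></enable>
    <domainoverrides>
      <domain>mydomain.local</domain>
      <ip>192.168.0.10</ip>
      <descr>Windows DNS</descr>
    </domainoverrides>
  </unbound>
</pfsense>
"""

# Constructed: the same box in the state the moderator describes (resolver on,
# General Setup DNS empty, no DNS from DHCP, no .local anywhere).
HARDENED_CONFIG = """<pfsense>
  <system>
    <hostname>pfSense</hostname>
    <domain>mynet</domain>
  </system>
  <unbound>
    <enable></enable>
    <domainoverrides>
      <domain>mydomain.lan</domain>
      <ip>192.168.0.10</ip>
      <descr>Windows DNS</descr>
    </domainoverrides>
  </unbound>
</pfsense>
"""

MDNS_TLD = "local"  # reserved for Multicast DNS by RFC 6762


def is_mdns_name(name):
    """True for 'local' itself and for anything under it (mydomain.local, a.b.local.)."""
    labels = name.strip(".").lower().split(".")
    return labels[-1] == MDNS_TLD


def audit(config_xml):
    """Return a list of (code, message) findings; an empty list means nothing to fix."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    unbound = root.find("unbound")
    findings = []

    domain = (system.findtext("domain") or "").strip()
    if is_mdns_name(domain):
        findings.append(("MDNS_DOMAIN", f"System domain '{domain}' ends in .{MDNS_TLD}; mDNS clients will intercept it"))

    resolver_on = unbound is not None and unbound.find("enable") is not None
    forwarding = unbound is not None and unbound.find("forwarding") is not None
    general_dns = [e.text.strip() for e in system.findall("dnsserver") if e.text]
    if resolver_on and not forwarding and general_dns:
        findings.append(("GENERAL_DNS_SET", f"Resolver mode, but General Setup lists DNS servers {general_dns}"))
    if system.find("dnsallowoverride") is not None:
        findings.append(("DNS_FROM_DHCP", "'Allow DNS server list to be overridden by DHCP/PPP on WAN' is enabled"))

    if unbound is not None:
        for ov in unbound.findall("domainoverrides"):
            zone = (ov.findtext("domain") or "").strip()
            target = (ov.findtext("ip") or "").strip()
            if is_mdns_name(zone):
                findings.append(("MDNS_OVERRIDE", f"Domain override '{zone}' ends in .{MDNS_TLD}"))
            try:
                ipaddress.ip_address(target.split("@")[0])  # assumed ip@port form allowed here
            except ValueError:
                findings.append(("BAD_OVERRIDE_TARGET", f"Override '{zone}' has an unparsable target '{target}'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for code, msg in audit(cfg) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Point it at a saved backup (`/conf/config.xml` on the box) with `audit(open(path).read())`; the domain override itself becomes an unbound `forward-zone` for the listed zone, so the checks above are about what surrounds it, not the override entry.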
    luas:

                          I agree by now that this is not a "domain override" issue, because I stumbled across a different problem these days.
                          We use DNSBL, which seems to use its own certificate to break SSL encryption. As far as I can see, this certificate was generated during installation and worked for a couple of weeks, until it was suddenly rejected by browsers ("Certificate could not be verified as the issuer is unknown").
                          As a quick solution, I disabled DNSBL and we haven't had domain override issues since then. I'm glad I didn't do a downgrade to 2.4.4 p1 :)

                          So, this issue can happily be considered as solved, and I'll open a new request for the DNSBL thing...

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.