Netgate Discussion Forum

    Domain Override - Driving me crazy

    DHCP and DNS
    8 Posts 4 Posters 904 Views
    • mixhali

      I have a rather simple network config for which I require DNS for a particular domain to be resolved by a server accessible via my gateway router. I need user 1 to be able to resolve hosts on the domain mycompany.local. Sounds simple, and I have done this before exactly the same way; however, it is not working on my current config.

      b6c67584-4403-4f3c-aafe-a8cda6aee67b-image.png

      I have configured a domain override on PFSense1 as follows:
      8dea3aab-48a6-4882-b453-665626ae68a7-image.png

      From the pfSense CLI I can connect to 192.168.25.21 and resolve phone.mycompany.local using nslookup, so connectivity to the remote DNS server is not an issue.

      However, when I try from the user PC I get "non-existent domain".

      I've checked the conf files and they appear to be correct:
      9fe64f7b-e9fa-484d-b93a-4695922a8cf6-image.png

      b97505d9-128c-41d8-bb5d-e998b23fb30c-image.png

      pfSense version is 2.4.4.p3

      • awebster

        Sounds like DNS is not configured properly on the USER1 PC.
        Show us the network config of the PC, and screenshots of that not working.

        –A.

        • brians

          In DNS Resolver select only LAN in Outgoing Network Interfaces instead of All.

          However, I still cannot get this reliably working and I sometimes have to restart the unbound service.

          • johnpoz (LAYER 8 Global Moderator)

            If you're going to do a domain override and it's going to return an RFC 1918 address, you need to disable rebind for that domain, i.e. you have to set it as a private domain in the unbound options box.. Or you have to completely disable rebind protection.

            https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html

            Exactly how you do it for plex..

            custombox.jpg

            edit: Ah, looks like he has that set, but he is using .local as the TLD - that is going to be problematic for sure.. Horrible choice of TLD for your own domain..

            He could have a problem with his NS answering the remote IP, etc.. He needs to validate by doing a direct query to the name server from his client to confirm it actually returns an answer.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • brians

              I also found disabling DNSSEC fixes issue for me.

              • johnpoz (LAYER 8 Global Moderator)

                If you're "forwarding" then yeah, DNSSEC is pointless! If where you forward to does DNSSEC, then it does DNSSEC without having to ask.. If it doesn't do it, asking for it accomplishes nothing! The only time doing DNSSEC makes sense is if you're doing your own resolving - which is what unbound does out of the box.

                If you're forwarding then yes, turning off DNSSEC makes sense..

                • brians

                  Yes, makes sense, but the checkbox to enable (default) DNSSEC seems to make my system not work - two different installations that I have domain overrides on will not resolve to an external Windows DNS server across an IPsec tunnel unless I have it disabled. Took me a while troubleshooting this afternoon to determine this was the reason. One would think that enabling it means that it would work only if available, but I suppose some servers may not implement it the same way or break entirely if this is set - never bothered to look at the Windows DNS servers and will do that eventually to see if DNSSEC is enabled on them.

                  • brians @johnpoz

                    @johnpoz said in Domain Override - Driving me crazy:

                    If you're going to do a domain override and it's going to return an RFC 1918 address, you need to disable rebind for that domain, i.e. you have to set it as a private domain in the unbound options box.. Or you have to completely disable rebind protection.

                    https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html

                    Exactly how you do it for plex..

                    custombox.jpg

                    edit: Ah, looks like he has that set, but he is using .local as the TLD - that is going to be problematic for sure.. Horrible choice of TLD for your own domain..

                    He could have a problem with his NS answering the remote IP, etc.. He needs to validate by doing a direct query to the name server from his client to confirm it actually returns an answer.

                    I was experimenting with this to find out why a domain override was always working for me to resolve private addresses when I had the global option disabled in Advanced and did not have a custom option set for the domain.

                    I found out, by looking at /var/unbound/unbound.conf, that unbound automatically adds each domain forward you enter for you in the # DNS Rebinding section with a private-domain. I guess it presumes those DNS servers you forward to are authentic. If I edit the file and restart unbound, it seems to keep re-adding it.

                    Therefore there is no need to have a custom option set if you have a domain forward listed.

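The two findings in this thread (johnpoz: an override that returns RFC 1918 addresses needs a private-domain or unbound's rebinding protection scrubs the answer; brians: pfSense writes that private-domain into /var/unbound/unbound.conf for each domain override, and DNSSEC validation can break forwarded zones) can be checked mechanically against the generated config. The script below is an added example, not pfSense's or unbound's own code. It parses a constructed unbound.conf fragment laid out like the one brians describes, reports for each forward-zone whether a covering private-domain exists, and flags zones that are forwarded while the validator module is loaded but are not listed as domain-insecure (unbound's documented way to exempt a zone from validation; whether pfSense writes that line for overrides is an assumption here, not something the thread states). The zone lab.example and its addresses are hypothetical.

```python
"""Audit a pfSense-style unbound.conf for domain overrides that rebinding
protection or DNSSEC validation would interfere with.
Added example: not pfSense's or unbound's own code.
"""
import ipaddress
import re

# Constructed sample config. The first override is mirrored as private-domain
# (as brians observed); the second is a hypothetical one that is not.
SAMPLE_CONF = """\
server:
module-config: "validator iterator"
# DNS Rebinding
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-domain: "mycompany.local"
domain-insecure: "mycompany.local"

# Domain overrides
forward-zone:
	name: "mycompany.local"
	forward-addr: 192.168.25.21

forward-zone:
	name: "lab.example"
	forward-addr: 10.9.9.53
"""

_FORWARD_ZONE = re.compile(
    r'forward-zone:\s*\n\s*name:\s*"([^"]+)"\s*\n\s*forward-addr:\s*(\S+)')


def _values(conf, key):
    """Every value of a repeatable option, e.g. all private-domain lines."""
    return [v.strip('"') for v in re.findall(rf'^\s*{key}:\s*(\S+)', conf, re.M)]


def parse_overrides(conf):
    """Map each forward-zone name to its forward-addr."""
    return {name: addr for name, addr in _FORWARD_ZONE.findall(conf)}


def _covered(name, domains):
    """True if name equals or is a subdomain of any listed domain
    (unbound applies private-domain / domain-insecure by label suffix)."""
    name = name.rstrip('.').lower()
    for dom in domains:
        dom = dom.rstrip('.').lower()
        if name == dom or name.endswith('.' + dom):
            return True
    return False


def audit(conf):
    """Per override: is it rebind-exempt, and would DNSSEC validation apply?"""
    modules = re.findall(r'^\s*module-config:\s*"([^"]*)"', conf, re.M)
    validator_on = any('validator' in m.split() for m in modules)
    private_domains = _values(conf, 'private-domain')
    insecure = _values(conf, 'domain-insecure')
    report = {}
    for zone, addr in parse_overrides(conf).items():
        report[zone] = {
            'forward_addr': addr,
            'rebind_protected': _covered(zone, private_domains),
            # forwarded zone still subject to validation: brians' failure mode
            'dnssec_risk': validator_on and not _covered(zone, insecure),
        }
    return report


def would_be_scrubbed(conf, qname, answer_ip):
    """Would rebinding protection drop this answer? Only when the address falls
    in a private-address range AND no private-domain covers the query name."""
    nets = [ipaddress.ip_network(n) for n in _values(conf, 'private-address')]
    ip = ipaddress.ip_address(answer_ip)
    in_private = any(ip in net for net in nets)
    return in_private and not _covered(qname, _values(conf, 'private-domain'))


if __name__ == '__main__':
    for zone, info in audit(SAMPLE_CONF).items():
        print(zone, info)
    print(would_be_scrubbed(SAMPLE_CONF, 'phone.mycompany.local', '192.168.25.30'))
```

On a live box the same functions can be pointed at the real file with open('/var/unbound/unbound.conf').read(); an override reported as rebind_protected False with RFC 1918 answers is exactly the case johnpoz describes, and dnssec_risk True is the one brians worked around by disabling DNSSEC.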
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.