Domain Override - Driving me crazy

mixhali

I have a rather simple network config or which I require dns for a particular domain to be resolved by a server acccesible via my gateway router. I need user 1 to be able to resolve hosts on the domain mycompany.local. Sounds simple and I have done this before exactly the same way however it is not working on my current config

I have configured a domain override on PFSense1 as follows:

From Pfsense CLI I can connect to 192.168.25.21 and resolve phone.mycompany.local using nslookup. So connectivity to the remote DNS server is not an issue

However when I try from user pc I get non-existent domain.

I've checked the conf files and they appear to be correct

PfSense version is 2.4.4.p3

awebster

Sounds like DNS is not configured properly on the USER1 PC.
Show us the network config of the PC, and screenshots of that not working.

brians

In DNS Resolver select only LAN in Outgoing Network Interfaces instead of All.

However, I still cannot get this reliably working and I sometimes have to restart the unbound service.

johnpoz

If your going to do a domain override and its going to return a rfc1918 address, you need to disable rebind for that domain, ie you have to set it as a private domain in unbound options box.. Or you have to completely disable rebind protection.

https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html

Exactly how you do it for plex..

edit: Ah looks like he has that set, but using .local as tld - that is going to be problematic for sure.. Horrible choice for tld of your own domain..

he could have a problem with his ns answering the remote IP, etc.. He needs to validate by doing a direct query to the name server from his client to validate it actually will return an answer.

brians

I also found disabling DNSSEC fixes issue for me.

johnpoz

If your "forwarding" then yeah dnssec is pointless! If where you forward to does dnssec, then it does dnssec without having to ask.. If it doesn't do it - asking for it accomplishes nothing! The only time doing dnssec makes sense is if your doing your own resolving - which is what unbound does out of the box.

If your forwarding then yes turning off dnssec makes sense..

brians

Yes makes sense but the checkbox to enable (default) dnssec seems to make my system not work - two different installations that I have domain overrides on on will not resolve to an external Windows DNS server across an IPSec tunnel unless I have it disabled. Took me a while troubleshooting this afternoon to determine this was the reason. One would think that enabling it means that it would work only if available but I suppose some servers may not implement same way or break entirely if this is set - never bothered to look at the windows DNS servers and will do that eventually to see if dnssec is enabled on them.

brians

@johnpoz said in Domain Override - Driving me crazy:

If your going to do a domain override and its going to return a rfc1918 address, you need to disable rebind for that domain, ie you have to set it as a private domain in unbound options box.. Or you have to completely disable rebind protection.

https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html

Exactly how you do it for plex..

edit: Ah looks like he has that set, but using .local as tld - that is going to be problematic for sure.. Horrible choice for tld of your own domain..

he could have a problem with his ns answering the remote IP, etc.. He needs to validate by doing a direct query to the name server from his client to validate it actually will return an answer.

I was experimenting with this as to why a domain override was always working for me to resolve private addresses when I had the global option disabled in advanced, and did not have a custom option set for domain.

I found out, by looking at /var/unbound/unbound.conf is that unbound automatically adds each domain forward you enter for you in the # DNS Rebinding section with a private-domain. I guess it presumes those DNS servers you forward to are authentic. If I edit the file and restart unbound it seemed to keep re-adding it.

Therefore there is no need to have custom option set if you have domain forward listed.