LAN as a LAGG
-
I cannot get Unbound to resolve a local domain; normal requests work fine. I entered the local DNS server (dnsmasq on a Pi) in the Domain Overrides section. It resolves successfully for maybe a minute and then stops. I am not sure, but I suspect an issue with pfBlockerNG.
Martin
-
It still resolves other addresses OK?
Does it just show no response for that if you test in Diag > DNS Lookup?
Do you see states open to the pi from pfSense when it fails?
Anything logged on the pi?
Anything in the pfSense resolver log?
Steve
-
@stephenw10 said in LAN as a LAGG:
It still resolves other addresses OK?
Yes, all other addresses are resolved correctly.
Does it just show no response for that if you test in Diag > DNS Lookup?
No response! "Host "labap.local.lab" could not be resolved."
Do you see states open to the pi from pfSense when it fails?
No, no states when it fails.
Anything logged on the pi?
Nothing unusual
Anything in the pfSense resolver log?
Nothing unusual either (can't post the log, otherwise post is flagged as spam)
Steve
Thanks,
Martin
-
Hmm, odd.
If you run a pcap on WAN for port 53 traffic can you see it querying external DNS servers for that domain?
Steve
-
Yes, it queries the external DNS for the local domain.
After restarting the unbound service, the queries go to the Raspberry Pi, but after one minute at the latest all queries go to the external DNS server.
Martin
-
Hmm, something must be causing it to do that. Rejecting the config perhaps.
That should be logged though. It would at least log Unbound restarting or reloading its config.
Steve
-
Where can I find this kind of information? I checked the logs but I cannot find anything suspicious.
Martin
-
If it was rejecting the config you would see entries in the resolver and system logs.
Try increasing the logging level on Unbound on the Advanced Settings tab. I would start at 2 and go to 3 if you still don't see anything. At level 3 it logs a lot!
Steve
-
I now get some strange results after increasing the logging level.
A lookup for "labserver.mgk.local" is logged in unbound:
Feb 11 23:21:43 unbound 7870:0 info: validation success labserver.mgk.lab.mckusch.lab. CNAME IN
mckusch.local is my productive server AD domain....
Martin
-
Is that correctly a CNAME for that other FQDN?
Using .local for your domain can hit mDNS issues, using something else there would be preferable.
Steve
-
Progress! After some setbacks and several re-installs of pfSense, I narrowed down the issue. Dnsmasq on the Raspberry Pi cannot handle DNSSEC properly. After I unchecked "Enable DNSSEC Support" in Unbound, pfSense resolves the local domain successfully, every time. Now I just have to figure out how to fix the Pi....
Thanks Steve for your support!
Martin
-
Ah, nice catch!
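The fix above turns DNSSEC off for every lookup. An added example (not from this thread or from Netgate) of the narrower alternative in unbound.conf terms: keep validation on for Internet names and mark only the forwarded lab zone as insecure. The zone name "local.lab" comes from the thread; the Pi address 192.0.2.10, the trust-anchor path and the assumption that the Pi hands out private (RFC 1918) addresses are placeholders for the poster's own values. The two fragments are alternatives, not one file.

```conf
# Before: what the thread's original setup amounts to. Validation is on for
# everything, including the Domain Override zone forwarded to dnsmasq on the
# Pi. Unbound expects DNSSEC material for local.lab that the Pi does not
# return properly, so the override answers are not trusted, and the poster
# observed the queries going out to the WAN resolvers instead.
server:
    auto-trust-anchor-file: "/var/unbound/root.key"   # "Enable DNSSEC Support" (path assumed)
forward-zone:
    name: "local.lab"                                 # Domain Override
    forward-addr: 192.0.2.10                          # placeholder Pi address

# After: validation stays enabled for public names; only the locally served
# zone is exempted, so answers from the Pi are accepted without a signature
# chain while every other lookup is still validated.
server:
    auto-trust-anchor-file: "/var/unbound/root.key"
    domain-insecure: "local.lab"   # do not require a DNSSEC chain for this zone
    private-domain: "local.lab"    # allow RFC 1918 answers here (DNS rebind protection), if the Pi serves them
forward-zone:
    name: "local.lab"
    forward-addr: 192.0.2.10
```

In pfSense the two `server:` lines of the second fragment belong in the Resolver's "Custom options" box, with the forward-zone still created by the Domain Override entry; a lookup in Diag > DNS Lookup that now answers from the Pi while an external DNSSEC-signed name still validates confirms the narrower setting is enough.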