    pfSense DNS resolver (Unbound) - aggressive-nsec option

    Category: DHCP and DNS
    • serbus

      Hello!

      Maybe...

      server:aggressive-nsec: yes

      John

      Lex parsimoniae

      • TDJ211

        I tried that, and DNS resolver will not resolve.

        EDIT: My syntax was wrong, I didn't realize I had to add "server:" for each individual option. Also, since I have pfBlocker running, I gotta give Unbound some time to load everything up. Thanks!

        • johnpoz (LAYER 8 Global Moderator)

          You do not need more than one server: statement

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • dragoangel

            @johnpoz By the way, won't this break resolving of insecure subdomains?

            Off-topic: pfSense needs to update the documentation about the Python module in Unbound.
            I created a script with Filer and an sh script to reload Unbound on change of this Python script, to:

            • override ::1 and 127.0.0.1 for a list of domains, e.g. dev, localdomain, etc., for local development
            • remove AAAA for a list of domains.

            Could this be an example in the docs?

            Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
            Unifi AP-AC-LR with EAP RADIUS, US-24

            • johnpoz

              Do you have an example we could test against?

              • dragoangel @johnpoz

                @johnpoz I can check aggressive-nsec out of working hours and reply here.
                In short: my domain has DNSSEC enabled, but due to IPv4 🙈 I had to have private split-DNS resolving, which of course is not signed by DNSSEC. So I have exclusions for subdomains in my domain that allow insecure resolving internally, like:

                server:
                # Allow private resolving for Internal domains:
                private-domain: "sub1.example.com"
                private-domain: "sub2.example.com"
                
                # Allow insecure resolving for Internal domains:
                domain-insecure: "sub1.example.com"
                domain-insecure: "sub2.example.com"
                
                # Forwarding sub1.example.com
                forward-zone:
                    name: "sub1.example.com."
                    forward-ssl-upstream: no
                    forward-addr: 2001:470:abc::1@53
                    forward-addr: 2001:470:abc::2@53
                    forward-first: yes
                    forward-no-cache: no
                    
                # Forwarding sub2.example.com
                forward-zone:
                    name: "sub2.example.com."
                    forward-ssl-upstream: no
                    forward-addr: 2001:470:abc::1@53
                    forward-addr: 2001:470:abc::2@53
                    forward-first: yes
                    forward-no-cache: no
                

                I'm curious how this aggressive option will work in this case =)

                  • dragoangel
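An added example to go with the block above (not code from the thread, pfSense or Unbound): a small Python lint for a custom-options block in this format. It parses Unbound's clause/attribute layout, including the one-line `server:aggressive-nsec: yes` form from the first reply, and reports any forward-zone name that is not also listed under domain-insecure and private-domain, which is the pairing the post relies on for internal subdomains of a DNSSEC-signed zone. The sample config is constructed to mirror the post, with a third zone (sub3) deliberately left uncovered.

```python
# Added example, not code from the thread, pfSense or Unbound: lint a custom-options
# block for forward-zones that lack the domain-insecure/private-domain entries.
CLAUSES = {"server", "forward-zone", "stub-zone", "python", "remote-control"}

# Constructed sample: the posted layout, the one-line form, and a third zone (sub3) missing both entries.
SAMPLE = """\
server:aggressive-nsec: yes
server:
private-domain: "sub1.example.com"
domain-insecure: "sub1.example.com"
forward-zone:
    name: "sub1.example.com."
    forward-addr: 2001:470:abc::1@53
forward-zone:
    name: "sub3.example.com."
    forward-addr: 2001:470:abc::1@53
"""

def parse_unbound(text):
    """Return (server_options, forward_zones); values are lists since attributes repeat."""
    server, zones = {}, []
    current = server                      # attributes before any clause go to server
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        while line:
            key, _, rest = line.partition(":")
            key, rest = key.strip(), rest.strip()
            if key not in CLAUSES:
                current.setdefault(key, []).append(rest.strip('"'))
                break
            # New clause. Unbound's lexer is whitespace based, so "server:attr: value"
            # on one line is legal: keep parsing the remainder inside the new clause.
            current = server if key == "server" else {}
            if key == "forward-zone":
                zones.append(current)
            line = rest
    return server, zones

def check_forwarding(text):
    """Return (aggressive_nsec_enabled, findings) for a custom-options block."""
    server, zones = parse_unbound(text)
    covered = {opt: {d.rstrip(".") for d in server.get(opt, [])}
               for opt in ("domain-insecure", "private-domain")}
    findings = []
    for zone in zones:
        name = zone.get("name", [""])[0].rstrip(".")
        for opt, names in covered.items():
            if name not in names:
                findings.append(f"{name}: forwarded but not {opt}")
    return server.get("aggressive-nsec", ["no"])[-1] == "yes", findings
```

check_forwarding(SAMPLE) returns True for aggressive-nsec and two findings for sub3. Whether aggressive-nsec interacts badly with the insecure subdomains still has to be confirmed against the live resolver, as was done later in the thread.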

                    @johnpoz From my test it looks like it is working. Maybe add a Redmine task to add a check-box option in advanced settings for it?

                    • johnpoz

                      You can always add a feature request sure.

                      • dragoangel @johnpoz

                        @johnpoz https://redmine.pfsense.org/issues/10449 someone was faster than I =D

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.