Cannot resolve a single domain??
-
Hello all - I've resisted posting for weeks now but I have finally exhausted my troubleshooting abilities.
config details:
2.4.5 stable release
IPV4 throughout
unbound resolve only (nothing in general DNS servers, no override DNS, static WAN IP)
all resolution in LAN and on firewall (diag->DNSlookup) works as expected except one domain we'll call x.unresolve.com for this example. It should be noted that x.unresolve.com is hosted by AWS/route53 and when resolving properly, returns a pair of 10.x.x.x addresses as designed (temp solution behind VPN)
troubleshooting thus far:
I can resolve external nameservers (nslookup x.unresolve.com 8.8.8.8) and it returns the pair of 10.x.x.x IPs (good)
I can see in status->DNSResolver that it identifies an IPV4 resolver 209.x.x.x for the unbound.com domain, an AWS resolver (good)
I can nslookup x.unresolve.com 209.x.x.x from a machine on LAN or on firewall CLI and it returns the two 10.x.x.x IPs properly from machine on LAN (good)
I use diagnostic->DNSlookup x.unresolve.com and it fails asking 127.0.0.1 (could not be reached)
I have disabled block private and bogon networks on the WAN interface - does not help
My local rfc1918 space is 192.168.x.x so no collision there (besides, I'm just asking for resolution from unbound). I turned up verbosity on the resolver but am not seeing anything. Any suggestions/pointers would be greatly appreciated! Thanks!
-
@trouserless said in Cannot resolve a single domain??:
returns a pair of 10.x.x.x address as designed
rebind protection will not allow that to resolve or be an answer if forwarded. You would have to disable rebind protection for that domain if you want.
https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html
-
Thank you @johnpoz this was exactly the problem. After reading up on the rebind attack I'll accelerate this temp solution and implement it properly so that I can re-enable it - I can see the logic there.
Is there a reason this is broken out separately from DNS/unbound resolver section in the UI (vs. system->advanced)?
Thanks again - I truly appreciate this
-
Well you can disable rebind completely in the gui, just not under unbound. But for specific domains that you might want to set as private.. I would assume they allow for more free form entry with the option box.
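As an added illustration of the behaviour johnpoz describes (and of the per-domain exception the custom options box is used for), here is a small model of unbound's rebind filter written for this thread; it is not pfSense's or unbound's own code. It assumes two things: that the rebind check amounts to a set of `private-address` lines for the RFC1918 ranges, and that a `private-domain` entry for x.unresolve.com is what exempts that name and its subdomains. Both config fragments below are constructed for the example.

```python
"""Toy model of unbound's DNS rebind filter (private-address / private-domain).

A resolver with private-address entries strips any answer record that falls
inside those ranges unless the queried name is covered by a private-domain
entry. This is a simplified re-implementation for illustration only.
"""
import ipaddress

# Constructed fragment: what enabling the rebind check effectively gives you
# (no per-domain exception). Not a copy of pfSense's generated config.
CONF_REBIND_ONLY = """
server:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
"""

# Constructed fragment: the same policy plus the exception for the one domain
# that legitimately answers with 10.x.x.x addresses.
CONF_WITH_EXCEPTION = CONF_REBIND_ONLY + """
    private-domain: "x.unresolve.com"
"""


def parse_rebind_policy(conf_text):
    """Pull private-address networks and private-domain names out of an
    unbound.conf-style fragment. Returns (networks, domains)."""
    networks, domains = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "private-address":
            networks.append(ipaddress.ip_network(value, strict=False))
        elif key == "private-domain":
            domains.append(value.rstrip(".").lower())
    return networks, domains


def domain_is_exempt(qname, domains):
    """private-domain covers the name itself and every name beneath it."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def filter_answer(qname, addresses, policy):
    """Apply the rebind policy to an A/AAAA answer.

    Returns (kept, dropped). An empty 'kept' list is the situation from the
    thread: the upstream answered, but nothing usable reaches the client."""
    networks, domains = policy
    if domain_is_exempt(qname, domains):
        return list(addresses), []
    kept, dropped = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (dropped if any(ip in net for net in networks) else kept).append(addr)
    return kept, dropped


if __name__ == "__main__":
    # Constructed answer: the pair of 10.x.x.x records the poster expects.
    answer = ["10.20.30.40", "10.20.30.41"]
    for label, conf in (("rebind check only", CONF_REBIND_ONLY),
                        ("with private-domain", CONF_WITH_EXCEPTION)):
        kept, dropped = filter_answer("x.unresolve.com", answer, parse_rebind_policy(conf))
        print(f"{label}: kept={kept} dropped={dropped}")
```

Running it shows the first policy dropping both records for x.unresolve.com while a public name with a public address passes untouched, and the second policy keeping the records for that one domain (and its subdomains) while still filtering private addresses in answers for everything else. That is the narrower change the thread suggests, as opposed to switching the rebind check off globally under System -> Advanced.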