    Is it possible to query domain name using outside DNS if using split DNS with Unbound?

    Category: DHCP and DNS
    16 Posts 4 Posters 781 Views

    kevdog @johnpoz

      @johnpoz

      I tried replying to your thread but my post was flagged as spam... what gives??

      johnpoz LAYER 8 Global Moderator

        No idea what you were trying to post?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11


        kevdog @johnpoz

          @johnpoz

          Ok basically I had everything typed out and formatted but that was flagged as spam.

          I created the experiment you had above with the cnn override.

          ***Due to spam filter on these forums I can't type the actual www address below so to bypass spam filter --- c/n/n=cnn -- sorry about confusion.

          In both cases of query (dig www.c/n/n.com and dig @8.8.8.8 www.c/n/n.com) it resolved to the local IP address assigned in the override.

          I've tested this from multiple servers running in different VMs on the LAN and it's the same for all.

          You stated something about DNS interception; however, this has to be at the pfSense level, since anything upstream of this would not resolve to the host override. Is there anywhere else in pfSense where the DNS would be getting intercepted? I don't have any firewall rules for port 53 in any of the rulesets. I'm really confused.

          I've also run the same queries above directly within pfSense -- the queries actually resolve correctly as per your example.


          bingo600 @kevdog

            @kevdog said in Is it possible to query domain name using outside DNS if using split DNS with Unbound?:

            @johnpoz

            I tried replying to your thread but my post was flagged as spam... what give??

            Could that be reputation < 5 ?

            /Bingo

            If you find my answer useful - Please give the post a 👍 - "thumbs up"

            pfSense+ 23.05.1 (ZFS)

            QOTOM-Q355G4 Quad Lan.
            CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
            LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD


            johnpoz LAYER 8 Global Moderator

              pfSense does not do DNS redirection unless you specifically set it up.

              https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

              What do you have in front of pfSense? Some SOHO router doing redirection pointing to pfSense for DNS? Are you connected wirelessly to some wifi router behind pfSense, doing redirection?

              Or wired to some SOHO router doing it?

              This isn't rocket science - pfSense runs a DNS server. Unbound out of the box.. If you create a record locally for www.domain.tld that points to 192.168.1.100 or something - nothing else would resolve that unless pfSense is asked for that.. If you're resolving the local IP, then somehow you asked pfSense.. How you have your network set up I do not know..

                kevdog @johnpoz

                @johnpoz

                Hey thanks for at least pointing things out to me -- I really appreciate it since it really made me examine my setup a lot closer.

                To answer your question directly, I have a Comcast modem that plugs directly into a self-built "Protectli-type" box. pfSense is virtualized within xcp-ng, which works pretty well for a home setup.

                I think however I found the problem after scratching my head for a really long long time. Within pfSense, System->Advanced->Firewall & NAT -> Network Address Translation:

                NAT reflection mode for port forwards was set to Pure NAT. After disabling this setting, the queries resolved appropriately. Strange I didn't think about this before.


                johnpoz LAYER 8 Global Moderator

                  NAT reflection has nothing to do with DNS..

                  NAT reflection would be if you hit your WAN IP on port X, and you had a port forward set up to forward port X to IP 192.168.1.100

                  That has zero to do with how DNS would respond if you ask pfSense or not.. Again, if you were doing a directed query to 8.8.8.8, pfSense would have zero to do with that conversation, nor would NAT reflection.

                  Unless you had some port forward set up for DNS (tcp/udp 53)??

                  Did you set up port forwarding for DNS? Or redirection of DNS?

                    kevdog @johnpoz

                    @johnpoz

                    Bubble burst

                    [Screenshot attached: Screen Shot 2020-11-10 at 1.05.29 PM.png]

                    I'm assuming this is the culprit right here as you suspected


                      johnpoz LAYER 8 Global Moderator

                      Why would you set up a rule like that - makes zero sense.. For starters, why would anything be hitting your WAN but not to any of your firewall IPs?

                      For the life of me - can not figure out what that rule would do.. There should be nothing hitting your WAN on 53, but not directed to your WAN IP.. What are your WAN firewall rules?

                      But yes, if some traffic came into your WAN interface for say 8.8.8.8 (not a firewall IP) it would be forwarded to loopback.. If your WAN firewall rules allowed it, or some floating rule did. And then yes that would return whatever host override you had set up. etc..

                        kevdog @johnpoz
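
                      A way to check for the interception described in the posts above, as an added example that is not code from this thread, from pfSense or from Netgate. It builds the same plain UDP A query that `dig @8.8.8.8 www.name` sends, parses the A records in the reply, and classifies the result: a directed query to an external resolver that comes back with the address from a local host override means something on the path rewrote destination port 53, exactly the effect of the port-53 NAT rule found here. The override name, the 192.168.1.100 address, the made-up public address 23.45.67.89 and the wire packets in the offline demo are all constructed for illustration.

```python
"""Added example: detect a port-53 redirect by comparing what an "external"
resolver answers against a local host override. Nothing here is pfSense code;
names, addresses and packets are assumptions for illustration."""
import ipaddress
import socket
import struct

OVERRIDE_NAME = "www.example.com"   # assumed Unbound host override name
OVERRIDE_IP = "192.168.1.100"       # assumed address in that override


def build_query(name, txid=0x1234):
    """Plain recursive A query (QR=0, RD=1), like `dig A name` sends over UDP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(pkt, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends here
            return off + 2
        if ln == 0:                # root label terminates the name
            return off + 1
        off += 1 + ln


def parse_a_answers(pkt):
    """Return the IPv4 strings from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    off = 12
    for _ in range(qd):                      # skip question entries
        off = _skip_name(pkt, off) + 4       # + QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            ips.append(socket.inet_ntoa(rdata))
    return ips


def classify(ips, override_ip=OVERRIDE_IP):
    """Judge an answer that came back from a query aimed at an external resolver:
    'intercepted' if it carries the local override, 'private' if it carries any
    RFC 1918/loopback address (also never legitimate from 8.8.8.8), else 'upstream'."""
    if override_ip in ips:
        return "intercepted"
    if any(ipaddress.ip_address(ip).is_private for ip in ips):
        return "private"
    return "upstream"


def query_resolver(resolver, name, timeout=2.0):
    """Live check: send the query straight to `resolver` (what dig @resolver does).
    Not used by the offline demo below."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return resp


def build_response(query, ip, ttl=60):
    """Constructed reply to `query` with one A record, used for the offline demo."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query(OVERRIDE_NAME)
    # Constructed packets: what the redirect-to-Unbound case returns versus a real upstream answer.
    for label, ip in (("redirected to Unbound", OVERRIDE_IP), ("genuine upstream", "23.45.67.89")):
        ips = parse_a_answers(build_response(q, ip))
        print(f"{label}: {ips} -> {classify(ips)}")
```

                      Run `classify(parse_a_answers(query_resolver("8.8.8.8", OVERRIDE_NAME)))` from a LAN host: "upstream" means the query really left the network, "intercepted" reproduces the symptom in this thread, and the same result from inside pfSense itself (where it resolved correctly) confirms the rewrite happens to forwarded traffic only.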

                        @johnpoz

                        Yea - I get it. They don't make much sense -- I've definitely had to drop some of the NAT and firewall rules for not making sense. Bottom line was the NAT rule was redirecting all port 53 requests to pfSense, which was intercepting all the outgoing traffic.

                        Thanks a lot for your help on this issue.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.