Netgate Discussion Forum

    Split DNS zone

    DHCP and DNS
    17 Posts 4 Posters 643 Views
    • lifeboy @Derelict

      @derelict, no, that's not quite what I'm asking.

      If I add a host override for a domain (e.g. greentree.systems), then it doesn't return an MX record at all, even though the actual domain out on the public internet does have an MX record.

      So if I ask for the A record I get the override record. If I ask for MX I would like to get the non-override record, but I don't.

      • Derelict LAYER 8 Netgate @lifeboy

        @lifeboy Do you know how to use dig? Show the dig output.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • lifeboy @Derelict

          @derelict, of course...

          My default DNS is pfsense.

          ~# dig greentree.systems

          ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> greentree.systems
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19746
          ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;greentree.systems.		IN	A
          
          ;; ANSWER SECTION:
          greentree.systems.	3600	IN	A	192.168.131.188
          
          ;; Query time: 0 msec
          ;; SERVER: 192.168.131.254#53(192.168.131.254)
          ;; WHEN: Mon Mar 29 11:34:18 SAST 2021
          ;; MSG SIZE  rcvd: 62
          

          The host override record is returned

          ~# dig greentree.systems MX

          ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> greentree.systems MX
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26959
          ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;greentree.systems.		IN	MX
          
          ;; Query time: 0 msec
          ;; SERVER: 192.168.131.254#53(192.168.131.254)
          ;; WHEN: Mon Mar 29 11:34:25 SAST 2021
          ;; MSG SIZE  rcvd: 46
          

          but no MX record is returned

          ~# dig @8.8.8.8 greentree.systems MX

          ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @8.8.8.8 greentree.systems MX
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61736
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 512
          ;; QUESTION SECTION:
          ;greentree.systems.		IN	MX
          
          ;; ANSWER SECTION:
          greentree.systems.	59	IN	MX	10 aspmx2.googlemail.com.
          greentree.systems.	59	IN	MX	10 aspmx3.googlemail.com.
          greentree.systems.	59	IN	MX	5 alt1.aspmx.l.google.com.
          greentree.systems.	59	IN	MX	5 alt2.aspmx.l.google.com.
          greentree.systems.	299	IN	MX	1 aspmx.l.google.com.
          
          ;; Query time: 190 msec
          ;; SERVER: 8.8.8.8#53(8.8.8.8)
          ;; WHEN: Mon Mar 29 11:34:33 SAST 2021
          ;; MSG SIZE  rcvd: 179
          

          Public DNS has an MX record

          ~# dig @8.8.8.8 greentree.systems

          ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @8.8.8.8 greentree.systems
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3063
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 512
          ;; QUESTION SECTION:
          ;greentree.systems.		IN	A
          
          ;; ANSWER SECTION:
          greentree.systems.	1798	IN	A	192.64.119.41
          
          ;; Query time: 190 msec
          ;; SERVER: 8.8.8.8#53(8.8.8.8)
          ;; WHEN: Mon Mar 29 11:34:37 SAST 2021
          ;; MSG SIZE  rcvd: 62
          

          Public IP returned

          • Derelict LAYER 8 Netgate @lifeboy

            @lifeboy This looks like expected behavior in unbound.

            https://utcc.utoronto.ca/~cks/space/blog/sysadmin/UnboundLocalDNSOverride

            https://forum.netgate.com/topic/112091/dns-resolver-host-overrides-ability-to-choose-record-types

            There is, however, a specific type of override you can use. See also typetransparent in the aforementioned unbound documentation.

            Instead of specifying a host override in the gui (delete it), try this manual custom configuration:

            server:
            # typetransparent: the local-data below answers only the RR types it defines (A here);
            # any other type queried for the same name, MX included, is resolved normally.
            local-zone: greentree.systems typetransparent
            local-data: "greentree.systems A 192.168.131.188"
            

            This might require other work depending on what other overrides you have in that zone.

            I have advised against using "domain names" as A records for decades for similar reasons. Back in the day it was moronic MTA developers (usually programming on Windows) that would just resolve the A record for a mail domain instead of an MX record and attempt to deliver mail there even though mail for that domain was handled somewhere completely different.

            Despite my advice, "marketing" pretty much invariably wins that argument.


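The difference between a plain host override and the typetransparent zone in the reply above comes down to what unbound does for a name that has local-data but no record of the requested type. The following Python model is added here as an example and is not code from the thread, unbound or pfSense. It encodes the three local-zone types the thread touches on (transparent, which is what an implicit local-data zone gets; typetransparent; and static) and shows the A and MX answers each produces for greentree.systems. The public answers and the recursion stand-in are constructed from the dig output earlier in the thread, not fetched live.

```python
"""Added example (not from the thread, unbound or pfSense): a model of how
unbound answers a query for a name that carries local-data, depending on the
local-zone type. The rules follow unbound.conf(5); the "public" answers below
are constructed from the dig output in the thread, not fetched live.
"""

# Constructed public data, as 8.8.8.8 returned it in the thread (one MX kept).
PUBLIC_RRS = {
    ("greentree.systems.", "A"): ["192.64.119.41"],
    ("greentree.systems.", "MX"): ["1 aspmx.l.google.com."],
}

# The local-data from the custom option in the thread.
LOCAL_RRS = {
    ("greentree.systems.", "A"): ["192.168.131.188"],
}


def recurse(name, rtype):
    """Stand-in for normal recursion, answered from the constructed public data."""
    rrs = PUBLIC_RRS.get((name, rtype))
    if rrs:
        return ("NOERROR", rrs)
    exists = any(n == name for n, _ in PUBLIC_RRS)
    return ("NODATA", []) if exists else ("NXDOMAIN", [])


def answer(zone, zone_type, name, rtype):
    """Return (rcode, rdata) for a query, following the local-zone rules.

    zone      : local-zone name, e.g. "greentree.systems."
    zone_type : "transparent" (what an implicit local-data zone gets),
                "typetransparent" or "static"
    """
    if not (name == zone or name.endswith("." + zone)):
        return recurse(name, rtype)               # outside the zone: unaffected

    rrs = LOCAL_RRS.get((name, rtype))
    name_has_local = any(n == name for n, _ in LOCAL_RRS)
    if rrs:
        return ("NOERROR", rrs)                   # exact name+type match: always local

    if zone_type == "static":
        # Never goes upstream: known name, missing type -> NODATA; unknown name -> NXDOMAIN.
        return ("NODATA", []) if name_has_local else ("NXDOMAIN", [])
    if zone_type == "transparent":
        # A name with local data masks every other type for that name (empty NOERROR).
        # This is what a pfSense host override does to MX for the domain apex.
        return ("NODATA", []) if name_has_local else recurse(name, rtype)
    if zone_type == "typetransparent":
        # Only the (name, type) pairs present in local-data are masked.
        return recurse(name, rtype)
    raise ValueError(f"unknown local-zone type: {zone_type}")


def matrix(zone="greentree.systems.", name="greentree.systems."):
    """Answers for A and MX under each zone type, keyed by (zone_type, rtype)."""
    return {
        (zt, rt): answer(zone, zt, name, rt)
        for zt in ("transparent", "typetransparent", "static")
        for rt in ("A", "MX")
    }


if __name__ == "__main__":
    for (zt, rt), (rcode, rdata) in matrix().items():
        print(f"{zt:16} {rt:3} -> {rcode:8} {' '.join(rdata)}")
```

Under transparent the MX query never reaches upstream: the name has local data, so unbound returns an empty NOERROR answer, which is the ANSWER: 0 seen in the first MX dig. Under typetransparent only the (name, A) pair is masked and MX resolves as usual; static additionally stops every other name in the zone from being looked up publicly.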
            • johnpoz LAYER 8 Global Moderator @Derelict

              @derelict said in Split DNS zone:

              I have advised against using "domain names" as A records for decades for similar reasons.

              Yeah single label domains - have always been a bad choice ;) Never a fan of pointing A to domain name either.. if your zone/domain is greentree.systems.. Then point the A to a host in that domain host.greentree.systems

              greentree.systems looks to be a single label domain, systems, with a host greentree.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • lifeboy @Derelict

                That's actually doing the job! Excellent!

                I removed the override record for greentree.systems and added these two rows to the custom options.

                Now the override works for the A record, but retains the public DNS MX.

                ~# dig greentree.systems

                ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> greentree.systems
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38548
                ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;greentree.systems.		IN	A
                
                ;; ANSWER SECTION:
                greentree.systems.	3600	IN	A	192.168.131.188
                
                ;; Query time: 0 msec
                ;; SERVER: 192.168.131.254#53(192.168.131.254)
                ;; WHEN: Mon Mar 29 15:53:13 SAST 2021
                ;; MSG SIZE  rcvd: 62
                

                ~# dig greentree.systems MX

                ; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> greentree.systems MX
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54874
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;greentree.systems.		IN	MX
                
                ;; ANSWER SECTION:
                greentree.systems.	59	IN	MX	10 aspmx2.googlemail.com.
                greentree.systems.	59	IN	MX	10 aspmx3.googlemail.com.
                greentree.systems.	59	IN	MX	5 alt1.aspmx.l.google.com.
                greentree.systems.	59	IN	MX	5 alt2.aspmx.l.google.com.
                greentree.systems.	299	IN	MX	1 aspmx.l.google.com.
                
                ;; Query time: 0 msec
                ;; SERVER: 192.168.131.254#53(192.168.131.254)
                ;; WHEN: Mon Mar 29 15:53:08 SAST 2021
                ;; MSG SIZE  rcvd: 179
                

                I see the resolver has the option to be run as "type transparent" overall, but there is no option to add local-data via the GUI. Would that be something I can submit as a new feature request?

                • Derelict LAYER 8 Netgate @lifeboy

                  @lifeboy [screenshot: Screen Shot 2021-03-29 at 10.04.40 AM.png]


                  • lifeboy @johnpoz

                    @johnpoz said in Split DNS zone:

                    @derelict said in Split DNS zone:

                    I have advised against using "domain names" as A records for decades for similar reasons.

                    Yeah single label domains - have always been a bad choice ;) Never a fan of pointing A to domain name either.. if your zone/domain is greentree.systems.. Then point the A to a host in that domain host.greentree.systems

                    greentree.systems looks to be a single label domain, systems, with a host greentree.

                    I understand the sentiment, but on the other hand, any half-baked programmer should be able to ask a domain for its MX records when attempting to send mail, yet in this case it's postfix (of all!) that simply tries the A record anyway, when no MX record is returned. Maybe there's a switch one can use to force it not to do this and rather generate an error...

                    • Derelict LAYER 8 Netgate @lifeboy

                      @lifeboy

                      http://www.postfix.org/postconf.5.html#ignore_mx_lookup_error


                      • johnpoz LAYER 8 Global Moderator @Derelict

                        This is the part of that I like the most ;)

                        Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup instead. This violates the SMTP standard and can result in mis-delivery of mail. 
                        

                        This violates the SMTP standard and can result in mis-delivery of mail.


                        • SteveITS Galactic Empire @lifeboy

                          @lifeboy said in Split DNS zone:

                          postfix (of all!) that simply tries the A record anyway, when no MX record is returned

                          As Derelict implied above, that's actually correct behavior per RFC. Assuming the answer was indeed returned, and blank.
                          https://tools.ietf.org/rfcmarkup?doc=5321#section-5
                          "If an empty list of MXs is returned, the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host."

                          Nice there's a workaround. I guess all these years the times I've had to set up split DNS it was for a hostname (office.example.com) and not a domain.

                          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                          Upvote 👍 helpful posts!

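To turn the RFC 5321 point above into something you can run against a resolver, here is an audit script, added as an example and not code from the thread, pfSense, unbound or Postfix. It compares the local and public view of a name for A and MX, applies the implicit-MX rule quoted above (an empty MX answer means deliver to the name's own address) and reports where an internal MTA would send mail. The query backend is injected: the views below are constructed from the thread's dig output so the script runs offline, and dig_query() (which assumes dig is installed and on PATH) can be swapped in for a live comparison between the pfSense resolver and a public one.

```python
"""Added example (not from the thread, pfSense, unbound or Postfix): an audit
that compares what the local resolver and a public resolver say for a name,
and works out where an RFC 5321 sender would deliver mail for it. The query
backend is injected, so the checks run offline here against answers
constructed from the thread's dig output; dig_query() assumes `dig` is on
PATH and is only meant for a live run.
"""
import subprocess


def dig_query(server):
    """Backend that runs `dig +short @server name type` (live check)."""
    def query(name, rtype):
        proc = subprocess.run(
            ["dig", "+short", "+time=3", "+tries=1", f"@{server}", name, rtype],
            capture_output=True, text=True, check=False,
        )
        return [line.strip() for line in proc.stdout.splitlines() if line.strip()]
    return query


def table_query(answers):
    """Backend over a constructed {(name, type): [rdata, ...]} table."""
    return lambda name, rtype: list(answers.get((name, rtype), []))


def smtp_targets(name, query):
    """Mail exchangers an RFC 5321 client would try, best preference first.

    An empty MX answer (the NODATA a transparent local-zone produces) is not
    an error: the client treats it as an implicit MX of preference 0 pointing
    at the name itself, so mail goes wherever the A record points.
    """
    mx = query(name, "MX")
    if not mx:
        return [name]
    parsed = []
    for rr in mx:
        pref, host = rr.split(None, 1)
        parsed.append((int(pref), host.strip().rstrip(".")))
    parsed.sort()
    return [host for _, host in parsed]


def audit(name, local, public):
    """Findings (strings) describing how the local view of `name` diverges."""
    findings = []
    local_a, public_a = local(name, "A"), public(name, "A")
    local_mx, public_mx = local(name, "MX"), public(name, "MX")

    if local_a and local_a != public_a:
        findings.append(f"A is overridden locally: {local_a} (public: {public_a})")
    if public_mx and not local_mx:
        findings.append("MX is masked: public DNS has MX records but the local "
                        "resolver returns an empty answer")

    local_dest = smtp_targets(name, local)[0]
    public_dest = smtp_targets(name, public)[0]
    if local_dest != public_dest:
        addr = local(local_dest, "A")
        findings.append(f"internal MTAs would deliver mail for {name} to "
                        f"{local_dest} {addr} instead of {public_dest}")
    return findings


# Constructed from the thread's dig output: the public view, the view with a
# plain host override (A only, MX empty) and the view after typetransparent.
PUBLIC_MX = [
    "1 aspmx.l.google.com.", "5 alt1.aspmx.l.google.com.",
    "5 alt2.aspmx.l.google.com.", "10 aspmx2.googlemail.com.",
    "10 aspmx3.googlemail.com.",
]
PUBLIC_VIEW = table_query({("greentree.systems", "A"): ["192.64.119.41"],
                           ("greentree.systems", "MX"): PUBLIC_MX})
OVERRIDE_VIEW = table_query({("greentree.systems", "A"): ["192.168.131.188"]})
TYPETRANSPARENT_VIEW = table_query({("greentree.systems", "A"): ["192.168.131.188"],
                                    ("greentree.systems", "MX"): PUBLIC_MX})

if __name__ == "__main__":
    # Offline run against the constructed views; for a live check use
    # dig_query("192.168.131.254") and dig_query("8.8.8.8") instead.
    for label, view in (("host override", OVERRIDE_VIEW),
                        ("typetransparent", TYPETRANSPARENT_VIEW)):
        print(f"[{label}]")
        for finding in audit("greentree.systems", view, PUBLIC_VIEW):
            print("  -", finding)
```

With the plain host override the audit reports three findings, the last being that mail for greentree.systems would go to 192.168.131.188 rather than to Google's exchangers; with the typetransparent configuration only the intended A override remains. Running it with the dig backend from an internal host is a quick way to confirm a split-DNS change did not silently redirect mail.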
                          • lifeboy @Derelict

                            @derelict said in Split DNS zone:

                            @lifeboy

                            http://www.postfix.org/postconf.5.html#ignore_mx_lookup_error

                            The default is "no", so an MX lookup error should be an error. As was pointed out by @SteveITS, per the RFC if there's no MX record returned, the host address is attempted.

                            The "type transparent" server setting fixed the problem for me, but I'd like to explore why setting the server type to "type transparent" in the GUI doesn't have the same effect.

                            [screenshot: bfd73313-6107-4279-a866-21a0e758bceb-image.png]

                            It seems this is only for the domain of the system. Can it be set for all domains that are served by this server?

                            • Derelict LAYER 8 Netgate @lifeboy

                              @lifeboy Because that is for the pfSense system domain. Not host overrides.

                              You can look at the configuration pfSense generates in /var/unbound.


                              • johnpoz LAYER 8 Global Moderator @Derelict

                                Yeah, that allows you to use a domain that is public and look up non-local resources. I personally think it should default to static, to prevent queries for a domain that doesn't exist in the public space.

                                I have mine set to static, since the domain I use locally doesn't exist in the public space - so no point in trying to resolve public if there is no local record..


                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.