DNS Resolver (unbound) passing local names to clients



  • Somewhat new to PFSense here.

    We're running 2.3.1-RELEASE-p5 and are finding that DNS Forwarder is slow and unreliable with large groups of users.

    We switched to DNS Resolver (unbound) and it works very well for external names. Also, locally on the box from the shell it resolves names in /etc/hosts just fine.

    However, clients using the pfsense box as their resolver can't resolve names in the local domain. They can when using DNS Forwarder on the same machine.

    In other words,  I have an entry in /etc/hosts like this:

    10.1.1.1    foo.example.com    foo

    From the PFSense box shell, I can ping foo or foo.example.com

    Clients, however, can't resolve it.

    What am I doing wrong?


  • LAYER 8 Global Moderator

    why do you put anything in /etc/hosts by hand?  use the override section to put in hosts you want to resolve, or if they get dhcp from pfsense use the register dhcp clients option.



  • It's wrong to use /etc/hosts for that purpose. While DNSMasq might support merging of /etc/hosts names into its local overrides it definitely won't work with Unbound that completely ignores /etc/hosts.


  • LAYER 8 Global Moderator

    You can load any file you want to preload hosts into unbound, if you have a shit load of them or something.  I for example load

    server:
    include: /etc/unbound_ad_servers

    Which is a listing of ad servers I don't want to resolve and they return 127.0.0.1 if a client asks for them.

    example

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;zmedia.com.                    IN      A

    ;; ANSWER SECTION:
    zmedia.com.            3600    IN      A      127.0.0.1

    and the etc/hosts file is still used by unbound.. Place something in overrides and it shows up there

    192.168.9.8 storage.local.lan storage
    1.2.3.4 test.testhost.tld test
    192.168.2.2 uap-ac.local.lan uap-ac

    Just put that test for example, but I wouldn't suggest you directly edit the host file.

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;test.testhost.tld.            IN      A

    ;; ANSWER SECTION:
    test.testhost.tld.      3600    IN      A      1.2.3.4

    Put your files in the gui override section of the resolver.  If you have a lot of them to load, then load them with another file like I do with the ad servers..



  • Has that behavior changed in a recent version of unbound or is this a local modification on pfSense? Last I checked the unbound documentation there is no mention of using /etc/hosts.


  • LAYER 8 Global Moderator

    AFAIK this has always the way its been with pfsense..  Be it the official unbound does it or not I am not sure.. Can only tell you that entries I put into unbound overrride get placed in /etc/hosts  So clearly its using it it some fashion.

    But I would not expect it to work if you hand edit that file.  If you need to load entries en masse into unbound then I would load a different file.



  • Unbound doesn't, and has never, used the hosts file. It gets populated the same as it is with dnsmasq, though that probably ought to just be skipped entirely when you're running Unbound. The host itself will use localhost by default to resolve names, so the hosts entries aren't necessary. They are with dnsmasq since that's where it obtains its records.


  • LAYER 8 Global Moderator

    There you go, so the population of hosts seems to just be left over from the forwarder mode days, and seems could be stopped going forward..

    But I think it serves one function still, it allows pfsense to resolve stuff if unbound crashes..  So that function could still be of use I guess.


Log in to reply