DNS Resolver (Unbound), Issues with Local Domain

arrmo · Mar 26, 2017, 5:56 PM

Hi,

I'm having some issues with Unbound - in particular for my local domain (LAN). If it try a name lookup from pfSense itself (e.g. nslookup mypc), it does append the local domain (.home), and resolves just fine. But … if I try the same nslookup command from any other machines on the network (e.g. Windows machine), the name resolution fails - no result returned. pfSense doesn't seem to be adding the local domain (e.g. mypc -> mypc.home). I do have the DHCP registration option enabled ... so that's not it.

Any thoughts how to get pfSense to add the local domain for names without a domain?

Thanks!

johnpoz · Mar 26, 2017, 6:08 PM

so your using single label?? I just .home?? Bad idea to be honest.. And .home is actually did have a possibility of being a valid tld on the internet.. Not sure that is a good choice..

https://icannwiki.org/.home

Its prob good for at least a while.. But single label has its own issues.. I would suggest maybe something like something.home as your domain so you end up with mypcname.something.home as the FQDN.

Is your windows machines appending the search suffix? Does it work if you ask it as fully qualified.. ie if you do

mypc.home does it work?

You can setup debug in nslookup to see exactly what the client is asking to validate its appending the suffix. You can do a simple ipconfig /all on windows machine to see what the domain and search suffixes are.

arrmo · Mar 26, 2017, 6:49 PM

Good questions! Some answers,

Yes, FQDN works (i.e. include .home)
I turned up debugging, and looked at the resolver log … query seems to be mypc. only, but ...
Checked Windows, Connection-specific DNS Suffix ..... : home
Also in Windows, Append primary and connection specific DNS suffixes ... enabled

So it seems odd that .home is not appended and sent, but also ... is there no way to have pfSense append this if there is no domain. BTW, also a bit odd, but ... nslookup fails, but ping to the same machine resolves DNS and works. Weird!

And as for .home ... would that not resolve locally in any case, so the link is not really an issue? I may be missing the point ... :(.

Thanks!

johnpoz · Mar 27, 2017, 10:16 AM

ping you are most likely broadcasting for name when you do not get back a dns answer.

So you search suffix is listed - see attached. and it shows a search list? Try changing away from single label, do something mydomain.home so you have host.domain.tld

you can see when set debug and then ask for just name it actually asks for the fqdn..

When you ping - does it come back fully qualified.. Or just the host name, if just the hostname you broadcasted for it.

If it would of been used as public it could be an issue.. but again your just using single label .home which normally would be the TLD or called a SLD (single label domain), vs an actual domain and tld something.home –- using just .home is not best practice.. And single labels can have odd shit happen..

https://support.microsoft.com/en-us/help/2269810/microsoft-support-for-single-label-domains
"SLDs are not a recommended configuration for future deployments and may not work with some products or versions. "

arrmo · Mar 29, 2017, 12:08 AM

Thanks for the pointers! To your question - yes, ping seems to come back with the FQDN. It's only nslookup that is failing - all else is OK … ping, tracert, ssh, etc. Only nslookup doesn't seem to include the suffix. Perhaps that's the expectation for nslookup (i.e. just use exactly what is passed as an argument, don't modify it at all?)?

BTW, this started out because I saw this happening on my router (ASUS Merlin build, but also Tomato). They seem even worse - domain is not added for ping.

It's not a huge issue, but I'm sure this wasn't an issue in the past - though I did move from dnsmasq to unbound a while back, that may have been the trigger.

Thanks!

johnpoz · Mar 29, 2017, 8:29 AM

what version of nslookup are you using? Windows passes it.. as you saw from my output.

You can see exactly what nslookup is asking.. just set debug as in my example

arrmo · Mar 30, 2017, 1:39 AM

Sorry, not sure what version - doesn't seem to output that … :(. It is nslookup on Windows 10 - does that help?

I ran debug, captured the output ... it's below,

doktornotor · Mar 30, 2017, 8:20 AM

You'll need to complain to MS about their "improvements".

johnpoz · Mar 30, 2017, 9:49 AM

Yup complain to MS clearly if you saying you have search set and domain set.. And your interface is set to append, etc. and your not sending it.. Maybe it doesn't like single label.. let me fire up my win 10 vm.

edit:
So fired up my windows 10 vm.. And its working fine.. Chang over from that single label your using.. As I pointed out ready MS does not support it.. And its just horrible idea anyway..

What build our you running? Im on 1607

arrmo · Mar 31, 2017, 10:20 PM

Sorry, I may be missing your point. Are you saying that Windows doesn't send the domain for you either, if it's a single label? That may be the issue.

Windows Version: 1607 (OS Build 14393.953)

Thanks!