DNS Override Issue

  • I just moved from an ALIX machine to a J1900 both running the latest code.

    I setup DNS Resolver this time and I installed my DNS Overrides.  I created a real dyndns address override and a non-existent dyndns override.  In pfsense (Diagnostics/DNS Lookup) when I query both of these overrides the result is as expected of my internal/private overrides.

    When I do the query or nslookup from client machines (who have their DNS pointing to pfsense - I see pfsense as the server in the nslookup) the real dyndns adrress query returns the public IP.  It will not return the override.  The test/non-existent dyndns returns the override.

    I have flushed dns many times and started/stopped DNS Resolver.

    I'm at a loss as to what to check next.  Any help or tips would be greatly appreciated.  I tried DNS Forwarder as well (which  overrides worked fine on my ALIX machine) and had the same issues.  I'm sure I'm just overlooking something.


    Just to follow-up.  Just to verify I disabled DNS Resolver again on the interface and re-enabled DNS Forwarder and rebuilt the overrides.  The same behavior is happening with both DNS methods.

    I'm using one of the physical OPT interfaces for this particular LAN segment, don't know if that changes the behavior.  I'm also having an issue with NAT reflection with port-rules on this interface.  Port forwards are fine from external networks, but not coming from OPT1.  I'm not sure if there is a relationship.  My old setup was WAN-DHCP and LAN+LAN(VLAN1010).  This seems fairly basic.

    LAN - 192.168.1.x
    OPT1 - 192.168.2.x
    OPT1(VLAN1010) - 172.22.22.x

  • LAYER 8 Global Moderator

    Why don't you actually post your overrides your creating and your query for said override.

    If you created a host override and you query for said override - that is what is going to be returned.  So either you did not create the override correctly or it did not take.  Did you restart unbound?  Or you not doing the query to or what your thinking your doing a query for.

  • Yeah, I agree a host override is not complicated but it is not cooperating on 2.3.4 .  I did a reboot and several restarts of unbound.  I've switched back to DNS Forward for the time being for more testing.

    Here are a couple of samples

    hs3.ursula.com  -> host override
    mytest.dyndns.org -> host override

    From the Pfsense GUI - Diag/DNS Lookup Results for these two hosts:

    DNS Lookup
    Hostname  hs3.ursula.com

    Result Record type A

    Name server Query time 13 msec 16 msec 133 msec 18 msec

    Hostname mytest.dyndns.org

    Result Record type A

    Name server Query time 13 msec 13 msec 15 msec 15 msec

    From the client side (same results on different machines and OS types)
    The clients only DNS server is the pfsense interface

    Wireless LAN adapter Wi-Fi:

    Connection-specific DNS Suffix  . : localdomain
      Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
      DHCP Enabled. . . . . . . . . . . : Yes
      IPv4 Address. . . . . . . . . . . :
      Subnet Mask . . . . . . . . . . . :
      Lease Obtained. . . . . . . . . . : Sunday, July 9, 2017 2:28:20 PM
      Lease Expires . . . . . . . . . . : Sunday, July 9, 2017 5:57:58 PM
      Default Gateway . . . . . . . . . :
      DHCP Server . . . . . . . . . . . :
      DNS Servers . . . . . . . . . . . :

    C:\Users\xxxx>ipconfig /flushdns

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

            primary name server = localhost
            responsible mail addr = nobody.invalid
            serial  = 1
            refresh = 600 (10 mins)
            retry  = 1200 (20 mins)
            expire  = 604800 (7 days)
            default TTL = 10800 (3 hours)
    Default Server:  UnKnown

    Server:  UnKnown

    Name:    mytest.dyndns.org

    Server:  UnKnown

    Non-authoritative answer:
    Name:    hs3.ursula.com

  • To your point, the clients are somehow resolving hostnames.  In DNS forwarder mode, I removed all DNS servers in the General DNS Settings Area. The DNS Override List is NOT checked.

    From pfsense I try to resolve getvera.com and as expected it did not resolve.  I go to a OS X client and verify that /etc/resolv.conf only list the GW

    I do a nslookup and getvera.com resolves to


    very odd, this is an issue on a couple of clients with corporate control.  I kept on testing on other devices without GPO and behavior is exactly expected and overrides work.  There must be some DNS servers installed before the the DHCP acquired.

    thanks for your help

  • LAYER 8 Netgate

    PLEASE use a real tool like dig or drill to diagnose DNS problems, not windows nslookup. Something is giving the answers you are receiving and I see no way that is unbound.

    Having DNS overrides in place AND having DNS servers listed that do not contain said overrides is asking for trouble. You really have no control over which server is actually going to answer. If it's the public server, you'll get the public address. If it's the local server, you'll get the local address. That answer will likely be cached somewhere. Inconsistent results will ensue.

    And instead of this:

    Here are a couple of samples

    hs3.ursula.com  -> host override
    mytest.dyndns.org -> host override

    Please post screen shots so we can see what you have done not what you think you have done.

  • Hi Derelict,

    Thanks for your post. As you pointed out it is not unbound or dnsmasq.  It was the DNS search list on a couple of the clients that was the issue.  With wireshark you could see the DNS request from the client was appending the extra domain to the request.  As an easy workaround I just created an alias in the host override section.


  • LAYER 8 Netgate

    So nothing to do with 2.3.4. OK.

Log in to reply