Don't forward without domain



  • I'm wondering if it is possible [with unbound] to stop forwarding requests without a domain.
    Here is an example - the local PC is sending a query and receiving an undesired response:

    192.168.1.2	192.168.1.1	DNS	62	Standard query 0x0003 A gw
    192.168.1.1	192.168.1.2	DNS	118	Standard query response 0x0003 A gw SOA gw01.dns.pt

    Now with another name

    192.168.1.2	192.168.1.1	DNS	64	Standard query 0x0004 A brix
    192.168.1.1	192.168.1.2	DNS	139	Standard query response 0x0004 No such name A brix SOA a.root-servers.net
    192.168.1.2	192.168.1.1	DNS	68	Standard query 0x0005 A brix.lan
    192.168.1.1	192.168.1.2	DNS	84	Standard query response 0x0005 A brix.lan A 192.168.1.6

    After "No such name", the client PC adds the default domain "lan", sends another query and receives a proper response.

    Another question - is it possible to force Unbound to add the default domain to all the queries it receives without a domain?



  • The only way to do that would be to have something that does a DNS lookup on everything heading out.  As for your second question, I'm not sure what you're looking for.  A fully qualified domain name has 2 parts, a host name and a domain name.  Do you want to make those up for addresses that don't resolve?


  • Rebel Alliance Global Moderator

    Why would your client ask for brix unless the user put in just brix…. Have this user use brix.lan from the get-go ;)  Use of a single label is normally not a good idea.. your local domain should be, say, something.tld

    dnsmasq has an option domain-needed; I am not aware of a similar option in unbound..

    You could use the forwarder, which is dnsmasq, and set this option..  You could use dnsmasq before pfSense to filter on this, say pihole or something.
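As an added illustration (not code from the thread or from dnsmasq/Unbound), the script below parses query lines in the capture layout quoted above and flags the single-label names that dnsmasq's domain-needed would refuse to forward; it also shows the name the client's search suffix produces on the retry. The sample capture is constructed from the thread's own lines, and the "lan" suffix is an assumption taken from the thread.

```python
import re

# Constructed sample in the same tab-separated layout as the capture quoted
# in the thread: source, destination, protocol, frame length, info.
SAMPLE_CAPTURE = (
    "192.168.1.2\t192.168.1.1\tDNS\t62\tStandard query 0x0003 A gw\n"
    "192.168.1.1\t192.168.1.2\tDNS\t118\tStandard query response 0x0003 A gw SOA gw01.dns.pt\n"
    "192.168.1.2\t192.168.1.1\tDNS\t64\tStandard query 0x0004 A brix\n"
    "192.168.1.1\t192.168.1.2\tDNS\t139\tStandard query response 0x0004 No such name A brix SOA a.root-servers.net\n"
    "192.168.1.2\t192.168.1.1\tDNS\t68\tStandard query 0x0005 A brix.lan\n"
    "192.168.1.1\t192.168.1.2\tDNS\t84\tStandard query response 0x0005 A brix.lan A 192.168.1.6\n"
)

# Matches the info column of a query (not a "Standard query response") line.
QUERY_RE = re.compile(r"^Standard query (0x[0-9a-f]+) (\S+) (\S+)$")


def parse_queries(capture):
    """Return one dict per query line: transaction id, RR type, qname, source."""
    queries = []
    for line in capture.splitlines():
        fields = line.split("\t")
        if len(fields) != 5 or fields[2] != "DNS":
            continue
        match = QUERY_RE.match(fields[4])
        if match:
            queries.append({"id": match.group(1), "type": match.group(2),
                            "qname": match.group(3), "src": fields[0]})
    return queries


def is_single_label(qname):
    """True for names with no dot; dnsmasq's domain-needed drops these instead of forwarding."""
    return "." not in qname.rstrip(".")


def single_label_queries(capture):
    """The queries in the capture that a domain-needed style filter would have stopped."""
    return [q for q in parse_queries(capture) if is_single_label(q["qname"])]


def with_search_suffix(qname, suffix="lan"):
    """Name the client retries after NXDOMAIN on a single label (suffix assumed to be 'lan')."""
    return qname if not is_single_label(qname) else f"{qname}.{suffix}"
```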



  • Regarding my #2 - I was thinking about adding a "search domain" similar to what we have on the clients, i.e. when Unbound receives a non-FQDN query (no dots) it should first add the default domain, then try to resolve locally.


  • Rebel Alliance Global Moderator

    A non-domain query is not valid; it's not going to resolve locally.. Search suffix is only going to be added on the second query; if your client only asks for host - that is what will be queried for.. Tell your clients not to query just host and always use host.domain and your problem goes away ;)



  • @johnpoz:

    dnsmasq has an option domain-needed

    Exactly. This is what I had in mind; I was using it on my OpenWrt travel box in the past.

    Definitely it will not be a big deal to always use host.domain; today it just popped up during some troubleshooting where it was just quicker to type ping gw.

    Thanks for all the suggestions!