Don't forward without domain
I'm wondering if it is possible [with unbound] to stop forwarding requests without domain.
Here is the example - local PC is sending query and receiving an undesired response:
192.168.1.2 192.168.1.1 DNS 62 Standard query 0x0003 A gw 192.168.1.1 192.168.1.2 DNS 118 Standard query response 0x0003 A gw SOA gw01.dns.pt
Now with another name
192.168.1.2 192.168.1.1 DNS 64 Standard query 0x0004 A brix 192.168.1.1 192.168.1.2 DNS 139 Standard query response 0x0004 No such name A brix SOA a.root-servers.net 192.168.1.2 192.168.1.1 DNS 68 Standard query 0x0005 A brix.lan 192.168.1.1 192.168.1.2 DNS 84 Standard query response 0x0005 A brix.lan A 192.168.1.6
After "No such name" client PC is adding default domain "lan", sending another query and receiving a proper response.
Another question - is it possible to force Unbound to add default domain to all the queries it receives without domain?
JKnott last edited by
The only way to do that would be to have something that does a DNS lookup on everything heading out. As for your second question, I'm not sure what you're looking for? A fully qualified domain name has 2 parts, a host name and a domain name. Do you want to make those up for addresses that don't resolve?
Why would you client ask for brix unless the user put in just brix…. Have this user use brix.lan from the git go ;) Use of single label normally not a good idea.. your local domain should be say something.tld
dnsmasq has an option domain-needed I am not aware of sim option in unbound..
You could use the forwarder which is dnsmasq and set this option.. You could use dnsmasq before pfsense to filter on this, say pihole or something.
Regarding my #2 - I was thinking about adding "search domain" similar to what we have on the clients, i.e. when Unbound receiving non-FQDN query (no dots) it should first add the default domain, when try to resolve locally.
a non domain query is not valid its not going to resolve locally.. Seach suffix is only going to be added on second query, if your client only asks host - that is what will be queried for.. tell you clients not to query just host and always use host.domain and you problem goes away ;)
dnsmasq has an option domain-needed
Exactly. This is what I had in my mind, I was using it on my openwrt travel box in the past.
Definitely it will be not a big deal to always use host.domain, today it just popped up during some troubleshooting where it was just quicker to type ping gw
Thanks for all the suggestions!