Preventing Forwarder/Resolver Loop



  • Hi guys,
    I current am taking a look at my network and had something stand out to me when using DNS Resolver. My currently layout is relatively simple:

    Host -> AD DNS -> pfSense

    I would like to have the pfSense (localhost interface) be able to resolve some of my domain queries (example.com) but it comes after AD DNS so it can't query it. I decided to add a Domain Override, but this got me thinking: If I were attempt to resolve something like "Test.example.com" which does not exist, we should enter a loop.

    The "Test.example.com" query should go to the AD DNS (Domain Override) and be forwarded back to the DNS Resolver to then meet the Domain Override to go back to the AD DNS and so on. If I am wrong on this, please let me know.

    It seems like it would be best to have the DNS Resolver not use the Domain Override when queries are coming from the AD DNS but I'm not sure how to set that up as other hosts require the current Network Interfaces/Outgoing Network Interfaces in the DNS Resolver to work (AD DNS would be sole exception). Has anyone had this issue before? Perhaps I'm missing something or this is bad practice?

    Thanks!


  • Rebel Alliance Global Moderator

    So your domain is example.com, But there is no test.example.com, which your AD is authoritative for..  So why would it ever forward that anywhere?  It would send NX.. When you ask a authoritative ns for a record that does not exist it sends a NX..

    So if you looked for test.example.com from pfsense that got sent to your AD dns, it would get told sorry that host does not exist, done - no loop.



  • Perfect. Thanks!