Domain Override - Driving me crazy



  • I have a rather simple network config for which I require DNS for a particular domain to be resolved by a server accessible via my gateway router. I need user 1 to be able to resolve hosts on the domain mycompany.local. Sounds simple, and I have done this before exactly the same way; however, it is not working on my current config.

    b6c67584-4403-4f3c-aafe-a8cda6aee67b-image.png

    I have configured a domain override on pfSense1 as follows:
    8dea3aab-48a6-4882-b453-665626ae68a7-image.png

    From the pfSense CLI I can connect to 192.168.25.21 and resolve phone.mycompany.local using nslookup, so connectivity to the remote DNS server is not an issue.

    However, when I try from the user PC I get "non-existent domain".

    I've checked the conf files and they appear to be correct:
    9fe64f7b-e9fa-484d-b93a-4695922a8cf6-image.png

    b97505d9-128c-41d8-bb5d-e998b23fb30c-image.png

    pfSense version is 2.4.4.p3



  • Sounds like DNS is not configured properly on the USER1 PC.
    Show us the network config of the PC, and screenshots of that not working.



  • In DNS Resolver select only LAN in Outgoing Network Interfaces instead of All.

    However, I still cannot get this reliably working and I sometimes have to restart the unbound service.


  • LAYER 8 Global Moderator

    If you're going to do a domain override and it's going to return an RFC 1918 address, you need to disable rebind for that domain, i.e. you have to set it as a private domain in the unbound options box.. Or you have to completely disable rebind protection.

    https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html

    Exactly how you do it for plex..

    custombox.jpg

    edit: Ah, looks like he has that set, but using .local as the TLD - that is going to be problematic for sure.. Horrible choice of TLD for your own domain..

    He could have a problem with his NS answering the remote IP, etc.. He needs to validate by doing a direct query to the name server from his client to validate that it actually will return an answer.



  • I also found that disabling DNSSEC fixes the issue for me.


  • LAYER 8 Global Moderator

    If you're "forwarding" then yeah, DNSSEC is pointless! If where you forward to does DNSSEC, then it does DNSSEC without having to ask.. If it doesn't do it, asking for it accomplishes nothing! The only time doing DNSSEC makes sense is if you're doing your own resolving - which is what unbound does out of the box.

    If you're forwarding then yes, turning off DNSSEC makes sense..



  • Yes, makes sense, but the checkbox to enable (default) DNSSEC seems to make my system not work - two different installations that I have domain overrides on will not resolve to an external Windows DNS server across an IPsec tunnel unless I have it disabled. Took me a while troubleshooting this afternoon to determine this was the reason. One would think that enabling it means that it would work only if available, but I suppose some servers may not implement it the same way or break entirely if this is set - never bothered to look at the Windows DNS servers and will do that eventually to see if DNSSEC is enabled on them.



  • @johnpoz said in Domain Override - Driving me crazy:

    If you're going to do a domain override and it's going to return an RFC 1918 address, you need to disable rebind for that domain, i.e. you have to set it as a private domain in the unbound options box.. Or you have to completely disable rebind protection.

    https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html

    Exactly how you do it for plex..

    custombox.jpg

    edit: Ah, looks like he has that set, but using .local as the TLD - that is going to be problematic for sure.. Horrible choice of TLD for your own domain..

    He could have a problem with his NS answering the remote IP, etc.. He needs to validate by doing a direct query to the name server from his client to validate that it actually will return an answer.

    I was experimenting with this as to why a domain override was always working for me to resolve private addresses when I had the global option disabled in Advanced and did not have a custom option set for the domain.

    I found out, by looking at /var/unbound/unbound.conf, that unbound automatically adds each domain forward you enter in the # DNS Rebinding section as a private-domain. I guess it presumes those DNS servers you forward to are authentic. If I edit the file and restart unbound, it seems to keep re-adding it.

    Therefore there is no need to have a custom option set if you have a domain forward listed.
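The two points raised in this thread (johnpoz's note that an override returning RFC 1918 answers needs a matching private-domain entry and that .local is a poor choice of TLD, and the observation above that pfSense writes those private-domain lines into the # DNS Rebinding section of /var/unbound/unbound.conf) can be checked mechanically. The script below is an added example, not pfSense or unbound code: it parses a constructed unbound.conf fragment laid out like the one described in the thread, pairs each forward-zone (the domain override) with the private-domain list, and reports overrides that point at an RFC 1918 server but are not covered by a private-domain entry, plus any override using .local. The config contents, the zone names and the server addresses are all made up for the example; private-domain is treated as covering the named domain and its subdomains, which is how unbound applies it.

```python
"""Audit a pfSense-style unbound.conf for domain overrides that will be
hit by DNS rebinding protection, and for overrides on the .local TLD.
Added example; the config text below is constructed, not a real file."""
import ipaddress

# Constructed fragment modelled on the /var/unbound/unbound.conf layout
# discussed in the thread: a "# DNS Rebinding" section, then overrides.
SAMPLE_UNBOUND_CONF = """\
server:
# DNS Rebinding
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-domain: "mycompany.local"
private-domain: "plex.direct"

# Domain overrides
forward-zone:
    name: "mycompany.local"
    forward-addr: 192.168.25.21
forward-zone:
    name: "lab.example"
    forward-addr: 10.10.0.53
forward-zone:
    name: "example.net"
    forward-addr: 203.0.113.53
"""

# RFC 1918 ranges only; ipaddress.is_private also matches test ranges such
# as 203.0.113.0/24, which is not what rebinding protection is about.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def parse_unbound(text):
    """Return (private_domains, forward_zones) from unbound.conf text.

    Clause headers (server:, forward-zone:, ...) are lines whose value is
    empty; name/forward-addr lines are attached to the open forward-zone."""
    private_domains = set()
    forward_zones = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        key, _, value = line.partition(":")      # first colon only: IPv6 safe
        key, value = key.strip(), value.strip().strip('"')
        if not value:                            # clause header
            current = {"name": None, "addrs": []} if key == "forward-zone" else None
            if current is not None:
                forward_zones.append(current)
            continue
        if key == "private-domain":
            private_domains.add(value.lower().rstrip("."))
        elif current is not None and key == "name":
            current["name"] = value.lower().rstrip(".")
        elif current is not None and key == "forward-addr":
            current["addrs"].append(value.split("@", 1)[0])   # strip optional @port
    return private_domains, forward_zones


def covered_by_private_domain(name, private_domains):
    """private-domain applies to the domain and everything beneath it."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in private_domains for i in range(len(labels)))


def audit(text):
    """Return a list of (zone name, problem) tuples, in config order."""
    private_domains, zones = parse_unbound(text)
    findings = []
    for zone in zones:
        name = zone["name"] or "<unnamed>"
        # Heuristic: an override pointing at an internal server will return
        # internal (RFC 1918) answers, which rebinding protection strips.
        if any(is_rfc1918(a) for a in zone["addrs"]) and not covered_by_private_domain(name, private_domains):
            findings.append((name, "no private-domain entry: rebinding protection will drop RFC 1918 answers"))
        if name == "local" or name.endswith(".local"):
            findings.append((name, ".local is reserved for mDNS (RFC 6762); clients may not send it to unicast DNS"))
    return findings


if __name__ == "__main__":
    for zone, problem in audit(SAMPLE_UNBOUND_CONF):
        print(f"{zone}: {problem}")
```

Run against the constructed config, mycompany.local passes the rebinding check (pfSense already wrote its private-domain line) but is flagged for the .local TLD, lab.example is flagged because it forwards to 10.10.0.53 with no private-domain, and example.net is silent. On a real box the same audit can be pointed at /var/unbound/unbound.conf after each resolver change to confirm the private-domain lines are actually present before chasing client-side causes.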

