Domain Override - Driving me crazy
-
I have a rather simple network config for which I require DNS for a particular domain to be resolved by a server accessible via my gateway router. I need user 1 to be able to resolve hosts on the domain mycompany.local. Sounds simple, and I have done this before exactly the same way; however, it is not working on my current config.
I have configured a domain override on PFSense1 as follows:
From the pfSense CLI I can connect to 192.168.25.21 and resolve phone.mycompany.local using nslookup, so connectivity to the remote DNS server is not an issue.
However, when I try from the user PC I get "non-existent domain".
I've checked the conf files and they appear to be correct.
pfSense version is 2.4.4.p3.
-
Sounds like DNS is not configured properly on the USER1 PC.
Show us the network config of the PC, and screenshots of that not working.
-
In DNS Resolver select only LAN in Outgoing Network Interfaces instead of All.
However, I still cannot get this reliably working and I sometimes have to restart the unbound service.
-
If you're going to do a domain override and it's going to return an RFC1918 address, you need to disable rebind for that domain, i.e. you have to set it as a private domain in the unbound options box.. Or you have to completely disable rebind protection.
https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html
Exactly how you do it for Plex..
edit: Ah, looks like he has that set, but using .local as the TLD - that is going to be problematic for sure.. Horrible choice for the TLD of your own domain..
He could have a problem with his NS answering the remote IP, etc.. He needs to validate by doing a direct query to the name server from his client to validate it actually will return an answer.
-
I also found that disabling DNSSEC fixes the issue for me.
-
If you're "forwarding", then yeah, DNSSEC is pointless! If where you forward to does DNSSEC, then it does DNSSEC without having to ask.. If it doesn't do it, asking for it accomplishes nothing! The only time doing DNSSEC makes sense is if you're doing your own resolving, which is what unbound does out of the box.
If you're forwarding, then yes, turning off DNSSEC makes sense..
-
Yes, makes sense, but the checkbox to enable (default) DNSSEC seems to make my system not work - two different installations that I have domain overrides on will not resolve to an external Windows DNS server across an IPsec tunnel unless I have it disabled. Took me a while troubleshooting this afternoon to determine this was the reason. One would think that enabling it means that it would work only if available, but I suppose some servers may not implement it the same way or break entirely if this is set - never bothered to look at the Windows DNS servers and will do that eventually to see if DNSSEC is enabled on them.
-
@johnpoz said in Domain Override - Driving me crazy:
If you're going to do a domain override and it's going to return an RFC1918 address, you need to disable rebind for that domain, i.e. you have to set it as a private domain in the unbound options box.. Or you have to completely disable rebind protection.
https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html
Exactly how you do it for Plex..
edit: Ah, looks like he has that set, but using .local as the TLD - that is going to be problematic for sure.. Horrible choice for the TLD of your own domain..
He could have a problem with his NS answering the remote IP, etc.. He needs to validate by doing a direct query to the name server from his client to validate it actually will return an answer.
I was experimenting with this as to why a domain override was always working for me to resolve private addresses when I had the global option disabled in Advanced and did not have a custom option set for the domain.
I found out, by looking at /var/unbound/unbound.conf, that unbound automatically adds each domain forward you enter for you in the # DNS Rebinding section with a private-domain. I guess it presumes those DNS servers you forward to are authentic. When I edited the file and restarted unbound, it seemed to keep re-adding it.
Therefore there is no need to have a custom option set if you have a domain forward listed.
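As an added check illustrating the rebind and .local points made in this thread (example code, not pfSense's or unbound's own), the script below audits an unbound.conf and flags domain overrides whose forwarder sits on an RFC1918 network but which have no private-domain entry covering them, plus any override under the mDNS-reserved .local TLD. The config text is a constructed sample modelled on the layout described above, not taken from a real system.

```python
import ipaddress
import re
# Constructed sample in the pfSense layout the thread describes (private-domain
# in the "# DNS Rebinding" section, one forward-zone per override); not real.
SAMPLE_CONF = """\
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
# DNS Rebinding
private-domain: "mycompany.local"
forward-zone:
        name: "mycompany.local"
        forward-addr: 192.168.25.21
forward-zone:
        name: "branch.example"
        forward-addr: 10.9.0.5
"""

def parse_unbound(conf):
    # Returns (private_nets, private_domains, zones); zones maps name -> [forward-addr].
    nets, domains, zones, current = [], set(), {}, None
    # One "key: value" directive per line; comment lines start with # and never match.
    for m in re.finditer(r'^[ \t]*([\w-]+):[ \t]*"?([^"\s#]*)', conf, re.M):
        key, val = m.group(1), m.group(2).rstrip(".").lower()
        if key == "private-address":
            nets.append(ipaddress.ip_network(val, strict=False))
        elif key == "private-domain":
            domains.add(val)
        elif key == "name":                          # first line of a forward-zone block
            current = val
            zones[current] = []
        elif key == "forward-addr" and current:
            zones[current].append(val)
    return nets, domains, zones

def audit_overrides(conf):
    # Returns {zone: [reasons]} for overrides likely to break with rebind protection on.
    nets, domains, zones = parse_unbound(conf)
    findings = {}
    for zone, addrs in zones.items():
        reasons = []
        # A private-domain entry also covers its subdomains, so check every parent suffix.
        parents = {".".join(zone.split(".")[i:]) for i in range(zone.count(".") + 1)}
        # Heuristic: an RFC1918 forwarder returns RFC1918 records, which unbound drops as a rebind.
        if not (parents & domains) and any(ipaddress.ip_address(a) in n for a in addrs for n in nets):
            reasons.append("forwards to an RFC1918 server without a private-domain entry")
        if zone == "local" or zone.endswith(".local"):   # RFC 6762 reserves .local for mDNS
            reasons.append(".local is reserved for mDNS (RFC 6762)")
        if reasons:
            findings[zone] = reasons
    return findings
```

Adding a covering private-domain (for the zone or a parent, as unbound's own semantics allow) clears the rebind finding, which is the behaviour the last post observed pfSense doing automatically.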