DNS Resolver Domain Overrides



  • I am certain my Domain Overrides were previously working, but having recently changed ISPs this no longer seems to be the case. In troubleshooting I have also uninstalled pfBlockerNG, but this doesn't seem to have resolved it.

    DNS Resolver Settings:
    Resolver is listening on all internal interfaces, including VLANs and localhost. The outgoing interfaces are WAN and WAN4G, which is for failover. I've included some screenshots below.

    Override Settings:
    I want any queries to 'bbc.com' to use 52.63.91.105 as the DNS server. Again, screenshot of this is below.

    Results:
    When I use nslookup or dig from a client on the network or the diagnostics tool in pfSense I receive the following. I would expect the server to be 52.63.91.105 instead of the pfSense VLAN IPv6 address.

    ~ nslookup bbc.com
    Server:		2001:8003:2901:d702:20d:b9ff:fe53:2a11
    Address:	2001:8003:2901:d702:20d:b9ff:fe53:2a11#53
    
    Non-authoritative answer:
    Name:	bbc.com
    Address: 151.101.0.81
    Name:	bbc.com
    Address: 151.101.192.81
    Name:	bbc.com
    Address: 151.101.128.81
    Name:	bbc.com
    Address: 151.101.64.81
    

    Screen Shot 2020-01-15 at 06.55.42.png
    Screen Shot 2020-01-15 at 06.55.48.png
    Screen Shot 2020-01-15 at 06.56.03.png


  • LAYER 8 Global Moderator

    @edz said in DNS Resolver Domain Overrides:

    I would expect the server to be 52.63.91.105 instead of the pfsense VLAN Pv6 address

    That is not how domain overrides work. Domain overrides are delegations telling unbound where to go ask for records in this domain, vs. resolving it normally.

    Any clients would still see the pfSense IP as their NS no matter what they look for.

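    For reference, this is what the delegation the moderator describes looks like at the unbound level. It is an added illustration, not text from the thread: pfSense's Domain Overrides are written as unbound forward-zone clauses (the override server is expected to recurse and return the final answer), and the stub-zone below is included by me for contrast, with a made-up zone and address.

    ```conf
    # Domain override "bbc.com -> 52.63.91.105" as an unbound forward-zone:
    # every query for bbc.com or a name below it is sent to 52.63.91.105,
    # which must answer recursively. Clients never see this server; they
    # keep talking to unbound on the pfSense interface address.
    forward-zone:
        name: "bbc.com"
        forward-addr: 52.63.91.105

    # Contrast (hypothetical zone/address): a stub-zone names an authoritative
    # server for a private zone and unbound iterates from there itself.
    stub-zone:
        name: "corp.example"
        stub-addr: 192.0.2.53
    ```

    Either way, `dig @<pfsense-lan-ip> bbc.com` from a client reports the pfSense address as SERVER; the only place the override is visible is in the traffic unbound sends out its WAN-side interface.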


  • @johnpoz hmm, thanks for clarifying John. My misunderstanding. I think my DNS provider has some basic logging so I'll confirm if these requests are reaching them.


  • LAYER 8 Global Moderator

    Simple way to check: just sniff when you ask for something in bbc.com and validate you see it ask that IP and you get a reply.

    Curious why you're trying to override that; that is public and it returns what you're showing returned.

    ;; QUESTION SECTION:
    ;bbc.com.                       IN      A
    
    ;; ANSWER SECTION:
    bbc.com.                3600    IN      A       151.101.192.81
    bbc.com.                3600    IN      A       151.101.64.81
    bbc.com.                3600    IN      A       151.101.0.81
    bbc.com.                3600    IN      A       151.101.128.81
    

    What are you trying to accomplish with the override? Normally you would do that when the domain is not public and you're telling it where to look up domain.tld that is not actually a valid public domain... Or you want to return your own custom entries vs. what is in the public domain, from your own NS saying it's authoritative for that domain, sort of thing.



  • @johnpoz said in DNS Resolver Domain Overrides:

    Simple way to check: just sniff when you ask for something in bbc.com and validate you see it ask that IP and you ge

    Do I sniff the pfsense WAN interface?

    I am using DNS4Me and I have a number of domain overrides (not just bbc.com) to bypass their geoblock. In the past, I could navigate to bbc.co.uk and stream content but now it seems to redirect to bbc.com, and I am suspecting there is a missing DNS override.


  • LAYER 8 Global Moderator

    Yeah, you would sniff on the interface used to talk to that IP. If that's your WAN, that is where you would sniff.



  • All good now @johnpoz. The packet capture on the WAN interface helped confirm that requests were going to the right DNS server and helped me pinpoint additional overrides that were required.
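    The check the moderator suggests, and the "which names still go elsewhere" question the original poster ended up answering from the capture, can be automated over `tcpdump -n` text output. The script below is an added example, not code from the thread or from pfSense: it reads a constructed WAN-side capture (the 203.0.113.10 WAN address, the 198.51.100.53 "normal resolution" server and the timestamps are made up; only 52.63.91.105 and the bbc.com answers come from the thread), reports for each query whether it went to the server the override names and got a reply, and lists names that matched no override at all, which is exactly how a missing override such as the bbc.co.uk redirect shows up.

    ```python
    """Check which upstream server unbound actually asked for each name,
    from a `tcpdump -n udp port 53` text capture taken on the WAN interface."""

    import re

    # Constructed sample of `tcpdump -ni <wan> -n udp port 53` output; not a real capture.
    # 203.0.113.10 stands in for the pfSense WAN address, 198.51.100.53 for a server
    # unbound talked to while resolving normally. Note the "+" (RD set) on the
    # forwarded queries and its absence on the normal iterative query.
    SAMPLE_CAPTURE = """\
    06:55:42.101 IP 203.0.113.10.40111 > 52.63.91.105.53: 40001+ A? bbc.com. (25)
    06:55:42.140 IP 52.63.91.105.53 > 203.0.113.10.40111: 40001 4/0/0 A 151.101.0.81, A 151.101.192.81, A 151.101.128.81, A 151.101.64.81 (89)
    06:55:43.200 IP 203.0.113.10.40112 > 198.51.100.53.53: 40002 A? www.bbc.co.uk. (31)
    06:55:43.250 IP 198.51.100.53.53 > 203.0.113.10.40112: 40002 0/2/0 NS ns1.example., NS ns2.example. (80)
    06:55:44.010 IP 203.0.113.10.40113 > 52.63.91.105.53: 40003+ AAAA? bbc.com. (25)
    """

    IP4 = r"\d+\.\d+\.\d+\.\d+"
    # Query line: "<ts> IP src.sport > dst.53: id[+] QTYPE? name. (len)"
    QUERY_RE = re.compile(
        rf"^\S+ IP (?P<src>{IP4})\.(?P<sport>\d+) > (?P<dst>{IP4})\.53: "
        r"(?P<id>\d+)(?P<rd>\+?) (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
    )
    # Reply line: "<ts> IP src.53 > dst.dport: id[flags] ..." (flags such as * for AA)
    REPLY_RE = re.compile(
        rf"^\S+ IP (?P<src>{IP4})\.53 > (?P<dst>{IP4})\.(?P<dport>\d+): (?P<id>\d+)[-*|$]* "
    )


    def expected_server(qname, overrides):
        """Longest-suffix match of qname against the override zones; None if none applies."""
        name = qname.rstrip(".").lower()
        best = None
        for zone, server in overrides.items():
            z = zone.rstrip(".").lower()
            if name == z or name.endswith("." + z):
                if best is None or len(z) > len(best[0]):
                    best = (z, server)
        return best[1] if best else None


    def check_overrides(capture_text, overrides):
        """Map "name/QTYPE" -> which server was asked, which one the overrides expect,
        whether they agree, and whether a reply with the same transaction came back."""
        queries, replies = {}, set()
        for line in capture_text.splitlines():
            m = QUERY_RE.match(line)
            if m:
                exp = expected_server(m["qname"], overrides)
                queries[f"{m['qname'].rstrip('.')}/{m['qtype']}"] = {
                    "server": m["dst"],
                    "expected": exp,
                    "recursion_desired": m["rd"] == "+",
                    "ok": exp is not None and m["dst"] == exp,
                    "answered": False,
                    "_txn": (m["dst"], m["src"], m["sport"], m["id"]),
                }
                continue
            m = REPLY_RE.match(line)
            if m:
                replies.add((m["src"], m["dst"], m["dport"], m["id"]))
        # Replies arrive after their queries, so match transactions once all lines are read.
        for info in queries.values():
            info["answered"] = info.pop("_txn") in replies
        return queries


    def uncovered_names(results):
        """Names that matched no override and were resolved normally: candidates for new overrides."""
        return sorted({key.split("/")[0] for key, info in results.items() if info["expected"] is None})


    if __name__ == "__main__":
        results = check_overrides(SAMPLE_CAPTURE, {"bbc.com": "52.63.91.105"})
        for key, info in sorted(results.items()):
            print(f"{key:20} asked {info['server']:15} expected {info['expected'] or '-':15} "
                  f"ok={info['ok']} answered={info['answered']}")
        print("not covered by any override:", uncovered_names(results))
    ```

    To use it for real, run `tcpdump -ni <wan-interface> -n udp port 53` on pfSense (Diagnostics > Packet Capture produces the same kind of text), query the names from a client, and feed the saved text to `check_overrides` with your full override list. A name that shows `expected -` is one the override list does not cover; a name with `ok=True` but `answered=False` means the override server was asked but never replied, which is the failure an ISP change can introduce.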

