Netgate Discussion Forum

    DNS Resolver Domain Overrides

    • E
      edz
      last edited by

      I am certain my Domain Overrides were previously working, but having recently changed ISPs this no longer seems to be the case. In troubleshooting I have also uninstalled pfBlockerNG, but this doesn't seem to have resolved it.

      DNS Resolver Settings:
      Resolver is listening on all internal interfaces, including VLANs and localhost. The outgoing interfaces are WAN and WAN4G, which is for failover. I've included some screenshots below.

      Override Settings:
      I want any queries to 'bbc.com' to use 52.63.91.105 as the DNS server. Again, screenshot of this is below.

      Results:
      When I use nslookup or dig from a client on the network or the diagnostics tool in pfSense, I receive the following. I would expect the server to be 52.63.91.105 instead of the pfSense VLAN IPv6 address.

      ~ nslookup bbc.com
      Server:		2001:8003:2901:d702:20d:b9ff:fe53:2a11
      Address:	2001:8003:2901:d702:20d:b9ff:fe53:2a11#53
      
      Non-authoritative answer:
      Name:	bbc.com
      Address: 151.101.0.81
      Name:	bbc.com
      Address: 151.101.192.81
      Name:	bbc.com
      Address: 151.101.128.81
      Name:	bbc.com
      Address: 151.101.64.81
      

      Screen Shot 2020-01-15 at 06.55.42.png
      Screen Shot 2020-01-15 at 06.55.48.png
      Screen Shot 2020-01-15 at 06.56.03.png

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @edz
        last edited by johnpoz

        @edz said in DNS Resolver Domain Overrides:

        I would expect the server to be 52.63.91.105 instead of the pfSense VLAN IPv6 address

        That is not how domain overrides work, domain overrides are delegations telling unbound where to go ask for records in this domain, vs resolving it normally.

        Any clients would still see pfsense IP as their ns no matter what they look for.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • E
          edz @johnpoz
          last edited by edz

          @johnpoz hmm, thanks for clarifying John. My misunderstanding. I think my DNS provider has some basic logging so I'll confirm if these requests are reaching them.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            Simple way to check just sniff on the when you ask for something bbc.com and validate you see it ask that IP and you get a reply..

            Curious why you're trying to override that, that is public and it returns what you're showing returning

            ;; QUESTION SECTION:
            ;bbc.com.                       IN      A
            
            ;; ANSWER SECTION:
            bbc.com.                3600    IN      A       151.101.192.81
            bbc.com.                3600    IN      A       151.101.64.81
            bbc.com.                3600    IN      A       151.101.0.81
            bbc.com.                3600    IN      A       151.101.128.81
            

            What are you trying to accomplish with the override? Normally you would do that when the domain is not public and you're telling where to look up domain.tld that is not actually a valid public domain... Or you want to return your own custom entries vs what is in the public domain from your own NS saying it's authoritative for that domain sort of thing.


            • E
              edz @johnpoz
              last edited by

              @johnpoz said in DNS Resolver Domain Overrides:

              Simple way to check just sniff on the when you ask for something bbc.com and validate you see it ask that IP and you ge

              Do I sniff the pfsense WAN interface?

              I am using DNS4Me and I have a number of domain overrides (not just bbc.com) to bypass their geoblock. In the past, I could navigate to bbc.co.uk and stream content but now it seems to redirect to bbc.com, and I am suspecting there is a missing DNS override.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Yeah you would sniff on the interface used to talk to that IP.. If that's your WAN that is where you would sniff.


                • E
                  edz
                  last edited by

                  All good now @johnpoz. The packet capture on the WAN interface helped confirm that requests were going to the right DNS server and helped me pinpoint additional overrides that were required.
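
The check the thread ends on, as an added example that is not part of any post above: a small Python audit over saved `tcpdump -n` text output for port 53 on the WAN interface, reporting which queried names went to the override server and which were resolved elsewhere and so are candidates for an additional override. The capture lines are constructed, 203.0.113.10 and 198.51.100.53 are placeholder addresses, and the function names are this example's own.

```python
import re

# Domain override as configured in the thread: domain -> DNS server to ask.
OVERRIDES = {"bbc.com": "52.63.91.105"}

# Constructed sample of `tcpdump -n port 53` text output taken on WAN.
SAMPLE_CAPTURE = """\
06:55:42.100001 IP 203.0.113.10.40112 > 52.63.91.105.53: 4211+ [1au] A? bbc.com. (36)
06:55:42.180442 IP 52.63.91.105.53 > 203.0.113.10.40112: 4211 2/0/1 A 151.101.0.81, A 151.101.64.81 (68)
06:55:42.200317 IP 203.0.113.10.51877 > 52.63.91.105.53: 977+ [1au] AAAA? bbc.com. (36)
06:55:43.010950 IP 203.0.113.10.33120 > 52.63.91.105.53: 15003+ [1au] A? www.bbc.com. (40)
06:55:44.402113 IP 203.0.113.10.46001 > 198.51.100.53.53: 8120 [1au] A? bbc.co.uk. (38)
06:55:45.000721 IP 203.0.113.10.46002 > 198.51.100.53.53: 8121 [1au] A? example.org. (40)
"""

# Matches outgoing queries only: destination port 53 and a "TYPE? name." field.
QUERY = re.compile(r"IP6? \S+ > (\S+)\.53: \d+\S* (?:\[[^\]]*\] )?(\w+)\? (\S+) ")

def parse_queries(capture):
    """Return (server, qtype, name) for each DNS query line in the capture."""
    found = []
    for line in capture.splitlines():
        m = QUERY.search(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3).rstrip(".").lower()))
    return found

def matching_override(name, overrides):
    """Longest configured domain that equals name or is a parent of it."""
    hits = [d for d in overrides if name == d or name.endswith("." + d)]
    return max(hits, key=len) if hits else None

def audit(capture, overrides):
    """Sort queried names by whether they reached the server their override names."""
    report = {"via_override": set(), "misrouted": set(), "no_override": set()}
    for server, _qtype, name in parse_queries(capture):
        zone = matching_override(name, overrides)
        if zone is None:
            report["no_override"].add(name)    # resolved normally; may need an override
        elif server == overrides[zone]:
            report["via_override"].add(name)   # override took effect
        else:
            report["misrouted"].add(name)      # override exists but another server was asked
    return report

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_CAPTURE, OVERRIDES).items():
        print(bucket, sorted(names))
```

Names that land in `no_override` while loading the site in question are the ones to review for further overrides; an empty `misrouted` set means every query under an overridden domain reached its configured server.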

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.