two pfsense boxes



  • So I have two pfsense boxes in production and they respond to DNS queries for local resources differently:

    box1 - a resolver for subdomain1 - returns "could not find host" to a query for an made-up hostname
    box2 - a resolver for subdomain2 - (apparently) forwards the query upstream to public server and returns the wildcard address associated with our domain (*.domain.com)

    checked the config on both, seems identical.
    can anyone provide a tip, how is this feature ("Don't forward local domains") managed by DNS Resolver (unbound)? i see it present in DNS Forwarder's (dnsmasq) configuration, but can't find any mention of this feature related to DNS resolver.
    thanks!



  • this is frustrating. i've been trying to pust for 30 minutes, constantly getting "Post content was flagged as spam by Akismet.com"

    finally managed somehow to put the post here, but.. can ANYONE please explain to me, what is spammy about the follwing title:
    "two pfsense boxes - each resolving local dns queries differently"

    ??



  • *bump* anyone pls?



  • On the System > General Setup page check the "Domain" and "DNS Servers" settings.
    pfSense requests the DNS servers stated there if it couldn't resolve the hostname itself.



  • thx for trying to help, @viragomann

    settings in there are the same (except for domain, which is different, but still it's a private subdomain, so it shouldn't matter, right?), yet it still behaves differently.


  • LAYER 8 Global Moderator

    Is your zone set to transparent? And other set to static?

    zones.jpg

    Believe the default is transparent - I always change to static.

    https://nlnetlabs.nl/documentation/unbound/unbound.conf/

                static
                     If  there  is a match from local data, the query is answered.
                     Otherwise, the query is answered  with  nodata  or  nxdomain.
                     For  a  negative  answer  a  SOA is included in the answer if
                     present as local-data for the zone apex domain.
    
                transparent
                     If there is a match from local data, the query  is  answered.
                     Otherwise  if  the  query  has a different name, the query is
                     resolved normally.  If the query  is  for  a  name  given  in
                     localdata  but  no  such  type of data is given in localdata,
                     then a noerror nodata answer is returned.  If  no  local-zone
                     is  given  local-data causes a transparent zone to be created
                     by default.
    
                typetransparent
                     If there is a match from local data, the query  is  answered.
                     If  the  query  is for a different name, or for the same name
                     but for a different type, the  query  is  resolved  normally.
                     So,  similar  to transparent but types that are not listed in
                     local data are resolved normally, so if an A record is in the
                     local  data  that  does  not  cause  a  nodata reply for AAAA
                     queries.
    

    Example you look up host.yourlocaldomain.tld and that has a record, you get an answer... But if you ask for other.yourlocaldomain.tld and there is no record, then it will try and resolve that... This would explain why you get back some other IP if your domain your using locally is public out there, and they have say a wildcard setup. So even if other. doesn't exist you get returned a response.



  • @johnpoz, both boxes are configured with transparent domain. the subdomains are not listed in public DNS.
    based on what you say, i'd expect both boxes to return the IP address of the public *.domain.com record. however, one returnes the *.domain.com IP, and the other returns NXDOMAIN.

    that's why i'm inquiring about how the functionality actually works, since the (seemingly) equally configured boxes return different results :/

    thx for the help, anyway..


  • LAYER 8 Global Moderator

    So these are 2 different pfsense, and you doing the queries how exactly - directly to the pfsense IP? You state they have 2 different domains.

    pfsense1 domainX.tld
    pfsense2 domainY.tld

    are you doing queries direct to 1 asking for X, and 2 asking for Y.

    Or are you asking 1 asking for something in the Y domain?

    If your set to transparent and you ask for something that is not local, then yes it will try and resolve it.



  • i would GLADLY post the command output, but my post keeps being denied as "marked as spam by akismet".

    i'll try differently:

    i have domain.com and 2 sites. each site has it's own subdomain. each subdomain has a pf box to resolved it's DNS queries.
    i'm querying each pf box with a made-up hostname in the respective subdomain. one of the boxes keeps querying public servers, the other one doesn't.


  • LAYER 8 Global Moderator

    Well that is what would happen if transparent... if one is failing is because it tried to resolve normally and it failed.

    PM me the details of domains and example what you queried that did not fail on one, etc

    local domain sub.domain.tld, transparent. And you query something.sub.domain.tld and no record of that locally then it will try and resolve that normally.. Which may or maynot get you a response.

    If you do not want anything to be resolved normally in this domain your using locally then you would set the zone type to static.

    Using a domain locally that is public as well can lead to unwanted sort of responses.. Especially if you do not control the public NS for this domain.


Log in to reply