    two pfsense boxes

    DHCP and DNS
      jurajt last edited by jurajt

      So I have two pfsense boxes in production and they respond to DNS queries for local resources differently:

      box1 - a resolver for subdomain1 - returns "could not find host" to a query for a made-up hostname
      box2 - a resolver for subdomain2 - (apparently) forwards the query upstream to a public server and returns the wildcard address associated with our domain (*.domain.com)

      checked the config on both, seems identical.
      can anyone provide a tip on how this feature ("Don't forward local domains") is managed by DNS Resolver (unbound)? i see it present in DNS Forwarder's (dnsmasq) configuration, but can't find any mention of this feature related to DNS Resolver.
      thanks!

        jurajt last edited by jurajt

        this is frustrating. i've been trying to post for 30 minutes, constantly getting "Post content was flagged as spam by Akismet.com"

        finally managed somehow to put the post here, but.. can ANYONE please explain to me, what is spammy about the following title:
        "two pfsense boxes - each resolving local dns queries differently"

        ??

          jurajt last edited by jurajt

          *bump* anyone pls?

            viragomann last edited by

            On the System > General Setup page check the "Domain" and "DNS Servers" settings.
            pfSense queries the DNS servers stated there if it couldn't resolve the hostname itself.

              jurajt last edited by

              thx for trying to help, @viragomann

              settings in there are the same (except for the domain, which is different, but it's still a private subdomain, so it shouldn't matter, right?), yet it still behaves differently.

                johnpoz LAYER 8 Global Moderator last edited by johnpoz

                Is your zone set to transparent? And the other set to static?

                [screenshot: zones.jpg]

                Believe the default is transparent - I always change to static.

                https://nlnetlabs.nl/documentation/unbound/unbound.conf/

                            static
                                 If there is a match from local data, the query is answered.
                                 Otherwise, the query is answered with nodata or nxdomain.
                                 For a negative answer a SOA is included in the answer if
                                 present as local-data for the zone apex domain.

                            transparent
                                 If there is a match from local data, the query is answered.
                                 Otherwise if the query has a different name, the query is
                                 resolved normally. If the query is for a name given in
                                 localdata but no such type of data is given in localdata,
                                 then a noerror nodata answer is returned. If no local-zone
                                 is given local-data causes a transparent zone to be created
                                 by default.

                            typetransparent
                                 If there is a match from local data, the query is answered.
                                 If the query is for a different name, or for the same name
                                 but for a different type, the query is resolved normally.
                                 So, similar to transparent but types that are not listed in
                                 local data are resolved normally, so if an A record is in the
                                 local data that does not cause a nodata reply for AAAA
                                 queries.


                Example: you look up host.yourlocaldomain.tld and that has a record, you get an answer... But if you ask for other.yourlocaldomain.tld and there is no record, then it will try and resolve that... This would explain why you get back some other IP if the domain you're using locally is public out there, and they have say a wildcard setup. So even if other. doesn't exist you get returned a response.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

                  jurajt last edited by

                  @johnpoz, both boxes are configured with a transparent domain. the subdomains are not listed in public DNS.
                  based on what you say, i'd expect both boxes to return the IP address of the public *.domain.com record. however, one returns the *.domain.com IP, and the other returns NXDOMAIN.

                  that's why i'm inquiring about how the functionality actually works, since the (seemingly) equally configured boxes return different results :/

                  thx for the help, anyway..

                    johnpoz LAYER 8 Global Moderator last edited by

                    So these are 2 different pfsense, and you're doing the queries how exactly - directly to the pfsense IP? You state they have 2 different domains.

                    pfsense1 domainX.tld
                    pfsense2 domainY.tld

                    are you doing queries direct to 1 asking for X, and 2 asking for Y?

                    Or are you asking 1 for something in the Y domain?

                    If you're set to transparent and you ask for something that is not local, then yes it will try and resolve it.

                      jurajt last edited by

                      i would GLADLY post the command output, but my post keeps being denied as "marked as spam by akismet".

                      i'll try differently:

                      i have domain.com and 2 sites. each site has its own subdomain. each subdomain has a pf box to resolve its DNS queries.
                      i'm querying each pf box with a made-up hostname in the respective subdomain. one of the boxes keeps querying public servers, the other one doesn't.

                        johnpoz LAYER 8 Global Moderator last edited by johnpoz

                        Well that is what would happen if transparent... if one is failing it's because it tried to resolve normally and it failed.

                        PM me the details of domains and example what you queried that did not fail on one, etc

                        local domain sub.domain.tld, transparent. And you query something.sub.domain.tld and there's no record of that locally, then it will try and resolve that normally.. Which may or may not get you a response.

                        If you do not want anything to be resolved normally in this domain you're using locally then you would set the zone type to static.

                        Using a domain locally that is public as well can lead to unwanted sorts of responses.. Especially if you do not control the public NS for this domain.

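To make the zone-type behaviour quoted from the unbound.conf man page above, and the "set it to static" advice in the last reply, concrete, here is an added model (not code from the thread, pfSense or unbound) of how unbound answers a query under a local zone for each type. The zone name, local record and the "public" wildcard are constructed, and `resolve_upstream` is a stand-in for a real recursive lookup.

```python
"""Model of unbound local-zone types (static / transparent / typetransparent).

Constructed example: the local zone is sub.example.com. and the public
parent domain example.com. carries a wildcard record, which is exactly the
situation that makes a transparent zone hand back an unexpected address."""

LOCAL_ZONE = "sub.example.com."
# What pfSense registers as local-data, e.g.
#   local-data: "host.sub.example.com. A 10.0.0.5"
LOCAL_DATA = {("host.sub.example.com.", "A"): "10.0.0.5"}

# Constructed stand-in for public DNS: "*.example.com" resolves to one IP.
PUBLIC_WILDCARD = {"example.com.": "203.0.113.10"}


def resolve_upstream(name, qtype):
    """Simulate 'resolved normally': walk up the name looking for a wildcard parent."""
    if qtype != "A":
        return "NODATA"
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in PUBLIC_WILDCARD:
            return PUBLIC_WILDCARD[parent]
    return "NXDOMAIN"


def answer(name, qtype, zone_type):
    """Answer a query the way unbound would for a zone of the given type.

    zone_type matches the unbound.conf directive, e.g.
      local-zone: "sub.example.com." static
    """
    in_zone = name == LOCAL_ZONE or name.endswith("." + LOCAL_ZONE)
    if not in_zone:
        return resolve_upstream(name, qtype)        # outside the local zone
    if (name, qtype) in LOCAL_DATA:
        return LOCAL_DATA[(name, qtype)]            # match from local data
    same_name = any(n == name for n, _ in LOCAL_DATA)
    if zone_type == "static":
        # Never leaves the box: nodata for a known name, nxdomain otherwise.
        return "NODATA" if same_name else "NXDOMAIN"
    if zone_type == "transparent":
        # Known name but other type -> nodata; unknown name -> resolved normally.
        return "NODATA" if same_name else resolve_upstream(name, qtype)
    if zone_type == "typetransparent":
        # Any miss, even a known name with another type, is resolved normally.
        return resolve_upstream(name, qtype)
    raise ValueError(f"unknown zone type {zone_type!r}")
```

A made-up host under a transparent zone comes back with the parent's wildcard address, while the same query under a static zone gets NXDOMAIN, which is the difference the two boxes in this thread show.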