two pfsense boxes

jurajt

So I have two pfsense boxes in production and they respond to DNS queries for local resources differently:

box1 - a resolver for subdomain1 - returns "could not find host" to a query for an made-up hostname
box2 - a resolver for subdomain2 - (apparently) forwards the query upstream to public server and returns the wildcard address associated with our domain (*.domain.com)

checked the config on both, seems identical.
can anyone provide a tip, how is this feature ("Don't forward local domains") managed by DNS Resolver (unbound)? i see it present in DNS Forwarder's (dnsmasq) configuration, but can't find any mention of this feature related to DNS resolver.
thanks!

jurajt

this is frustrating. i've been trying to pust for 30 minutes, constantly getting "Post content was flagged as spam by Akismet.com"

finally managed somehow to put the post here, but.. can ANYONE please explain to me, what is spammy about the follwing title:
"two pfsense boxes - each resolving local dns queries differently"

??

jurajt

*bump* anyone pls?

viragomann

On the System > General Setup page check the "Domain" and "DNS Servers" settings.
pfSense requests the DNS servers stated there if it couldn't resolve the hostname itself.

jurajt

thx for trying to help, @viragomann

settings in there are the same (except for domain, which is different, but still it's a private subdomain, so it shouldn't matter, right?), yet it still behaves differently.

johnpoz

Is your zone set to transparent? And other set to static?

Believe the default is transparent - I always change to static.

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

            static
                 If  there  is a match from local data, the query is answered.
                 Otherwise, the query is answered  with  nodata  or  nxdomain.
                 For  a  negative  answer  a  SOA is included in the answer if
                 present as local-data for the zone apex domain.

            transparent
                 If there is a match from local data, the query  is  answered.
                 Otherwise  if  the  query  has a different name, the query is
                 resolved normally.  If the query  is  for  a  name  given  in
                 localdata  but  no  such  type of data is given in localdata,
                 then a noerror nodata answer is returned.  If  no  local-zone
                 is  given  local-data causes a transparent zone to be created
                 by default.

            typetransparent
                 If there is a match from local data, the query  is  answered.
                 If  the  query  is for a different name, or for the same name
                 but for a different type, the  query  is  resolved  normally.
                 So,  similar  to transparent but types that are not listed in
                 local data are resolved normally, so if an A record is in the
                 local  data  that  does  not  cause  a  nodata reply for AAAA
                 queries.

Example you look up host.yourlocaldomain.tld and that has a record, you get an answer... But if you ask for other.yourlocaldomain.tld and there is no record, then it will try and resolve that... This would explain why you get back some other IP if your domain your using locally is public out there, and they have say a wildcard setup. So even if other. doesn't exist you get returned a response.

jurajt

@johnpoz, both boxes are configured with transparent domain. the subdomains are not listed in public DNS.
based on what you say, i'd expect both boxes to return the IP address of the public *.domain.com record. however, one returnes the *.domain.com IP, and the other returns NXDOMAIN.

that's why i'm inquiring about how the functionality actually works, since the (seemingly) equally configured boxes return different results :/

thx for the help, anyway..

johnpoz

So these are 2 different pfsense, and you doing the queries how exactly - directly to the pfsense IP? You state they have 2 different domains.

pfsense1 domainX.tld
pfsense2 domainY.tld

are you doing queries direct to 1 asking for X, and 2 asking for Y.

Or are you asking 1 asking for something in the Y domain?

If your set to transparent and you ask for something that is not local, then yes it will try and resolve it.

jurajt

i would GLADLY post the command output, but my post keeps being denied as "marked as spam by akismet".

i'll try differently:

i have domain.com and 2 sites. each site has it's own subdomain. each subdomain has a pf box to resolved it's DNS queries.
i'm querying each pf box with a made-up hostname in the respective subdomain. one of the boxes keeps querying public servers, the other one doesn't.

johnpoz

Well that is what would happen if transparent... if one is failing is because it tried to resolve normally and it failed.

PM me the details of domains and example what you queried that did not fail on one, etc

local domain sub.domain.tld, transparent. And you query something.sub.domain.tld and no record of that locally then it will try and resolve that normally.. Which may or maynot get you a response.

If you do not want anything to be resolved normally in this domain your using locally then you would set the zone type to static.

Using a domain locally that is public as well can lead to unwanted sort of responses.. Especially if you do not control the public NS for this domain.