two pfsense boxes
So I have two pfsense boxes in production and they respond to DNS queries for local resources differently:
box1 - a resolver for subdomain1 - returns "could not find host" to a query for an made-up hostname
box2 - a resolver for subdomain2 - (apparently) forwards the query upstream to public server and returns the wildcard address associated with our domain (*.domain.com)
checked the config on both, seems identical.
can anyone provide a tip, how is this feature ("Don't forward local domains") managed by DNS Resolver (unbound)? i see it present in DNS Forwarder's (dnsmasq) configuration, but can't find any mention of this feature related to DNS resolver.
this is frustrating. i've been trying to pust for 30 minutes, constantly getting "Post content was flagged as spam by Akismet.com"
finally managed somehow to put the post here, but.. can ANYONE please explain to me, what is spammy about the follwing title:
"two pfsense boxes - each resolving local dns queries differently"
*bump* anyone pls?
viragomann last edited by
On the System > General Setup page check the "Domain" and "DNS Servers" settings.
pfSense requests the DNS servers stated there if it couldn't resolve the hostname itself.
thx for trying to help, @viragomann
settings in there are the same (except for domain, which is different, but still it's a private subdomain, so it shouldn't matter, right?), yet it still behaves differently.
Is your zone set to transparent? And other set to static?
Believe the default is transparent - I always change to static.
static If there is a match from local data, the query is answered. Otherwise, the query is answered with nodata or nxdomain. For a negative answer a SOA is included in the answer if present as local-data for the zone apex domain. transparent If there is a match from local data, the query is answered. Otherwise if the query has a different name, the query is resolved normally. If the query is for a name given in localdata but no such type of data is given in localdata, then a noerror nodata answer is returned. If no local-zone is given local-data causes a transparent zone to be created by default. typetransparent If there is a match from local data, the query is answered. If the query is for a different name, or for the same name but for a different type, the query is resolved normally. So, similar to transparent but types that are not listed in local data are resolved normally, so if an A record is in the local data that does not cause a nodata reply for AAAA queries.
Example you look up host.yourlocaldomain.tld and that has a record, you get an answer... But if you ask for other.yourlocaldomain.tld and there is no record, then it will try and resolve that... This would explain why you get back some other IP if your domain your using locally is public out there, and they have say a wildcard setup. So even if other. doesn't exist you get returned a response.
@johnpoz, both boxes are configured with transparent domain. the subdomains are not listed in public DNS.
based on what you say, i'd expect both boxes to return the IP address of the public *.domain.com record. however, one returnes the *.domain.com IP, and the other returns NXDOMAIN.
that's why i'm inquiring about how the functionality actually works, since the (seemingly) equally configured boxes return different results :/
thx for the help, anyway..
So these are 2 different pfsense, and you doing the queries how exactly - directly to the pfsense IP? You state they have 2 different domains.
are you doing queries direct to 1 asking for X, and 2 asking for Y.
Or are you asking 1 asking for something in the Y domain?
If your set to transparent and you ask for something that is not local, then yes it will try and resolve it.
i would GLADLY post the command output, but my post keeps being denied as "marked as spam by akismet".
i'll try differently:
i have domain.com and 2 sites. each site has it's own subdomain. each subdomain has a pf box to resolved it's DNS queries.
i'm querying each pf box with a made-up hostname in the respective subdomain. one of the boxes keeps querying public servers, the other one doesn't.
Well that is what would happen if transparent... if one is failing is because it tried to resolve normally and it failed.
PM me the details of domains and example what you queried that did not fail on one, etc
local domain sub.domain.tld, transparent. And you query something.sub.domain.tld and no record of that locally then it will try and resolve that normally.. Which may or maynot get you a response.
If you do not want anything to be resolved normally in this domain your using locally then you would set the zone type to static.
Using a domain locally that is public as well can lead to unwanted sort of responses.. Especially if you do not control the public NS for this domain.