• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Is it possible to query domain name using outside DNS if using split DNS with Unbound?

Scheduled Pinned Locked Moved DHCP and DNS
16 Posts 4 Posters 781 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • K
    kevdog
    last edited by kevdog Nov 10, 2020, 2:51 AM Nov 10, 2020, 2:50 AM

    I'm using pfSense's unbound resolver.
    I'm also using a split DNS setup with Host Overrides that associate certain Domain Names with LAN address. I'm using Cloudflare as a registrar and have the local domain name listed as a CNAME.

    So just to illustrate an example with base domain name known as domain.com and a subdomain as pfsense.domain.com

    At cloudflare I have entries:

    A domain.com ----> WAN IP address
    CNAME pfsense.domain.com -----> domain.com

    Within pfsense DNS Resolver
    Host Override
    pfsense.domain.com----->10.0.1.1

    From within a LAN located behind pfSense I'd like to perform a DNS lookup that bypasses the DNS resolver. I thought this could be done by specifying a specific DNS server such as:

    nslookup pfsense.domain.com 1.1.1.1
    ---OR----
    dig @8.8.8.8 pfsense.domain.com

    I would have expected in the two lines above, pfsense.domain.com would have resolved to the WAN IP address, however it seems in every case it resolves to the LAN IP address. Is there a way with a firewall rule or other other method to query an outside resolver rather than pfSense's resolver in this case?

    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Nov 10, 2020, 3:32 AM

      Are you intercepting dns.. a query direct to 8.8.8.8 would query public dns..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      1 Reply Last reply Reply Quote 0
      • K
        kevdog
        last edited by kevdog Nov 10, 2020, 5:22 AM Nov 10, 2020, 5:19 AM

        @johnpoz

        Honestly I'm not trying to intercept dns, I'm honestly trying to get soa records for a specific domain from cloudflare needed for the traefik reverse proxy. traefik needs to query the soa records similar to a command such as:

        nslookup -type=soa domain.com 1.1.1.1

        As you're probably aware 1.1.1.1 is intended to query a specific name server.

        If I have the following situation
        pfsense.domain.com --> Listed as Host Override within pfsense

        nslookup -type=soa pfsense.domain.com 1.1.1.1
        
        I'll get the following:
        
        #nslookup -type=soa pfsense.domain.com. 1.1.1.1                                            
        Server:		1.1.1.1
        Address:	1.1.1.1#53
        
        *** Can't find pfsense.domain.com.: No answer
        

        To further elaborate if I have another subdomain pfsense2.domain.com which is also listed at Cloudflare as a CNAME for domain.com and DOES NOT have a Host Override, then the nslookup will succeed. The soa lookup will proceed with either:

        #nslookup -type=soa pfsense2.domain.com. 1.1.1.1
        or
        #nslookup -type=soa pfsense2.domain.com.

        I'm labeling success in this situation like the following:

        nslookup -type=soa pfsense2.domain.com 9.9.9.9
        Server:		9.9.9.9
        Address:	9.9.9.9#53
        
        Non-authoritative answer:
        *** Can't find pfsense2.domain.com: No answer
        
        Authoritative answers can be found from:
        domain.com
        	origin = connie.ns.cloudflare.com
        	mail addr = dns.cloudflare.com
        	serial = 2035664926
        	refresh = 10000
        	retry = 2400
        	expire = 604800
        	minimum = 3600
        

        Specifying the specific DNS server doesn't seem to make a difference either with nslookup or dig.

        What I would like to occur is if nameserver such as 1.1.1.1 is specified the query goes to the named nameserver, however with no nameserver the query is handled by Unbound. I don't believe the current implementation with the Host Override functions like this unfortunately after I've spent time looking at the log files. Perhaps however this behavior could be altered with firewall rules??? Not sure.

        J 1 Reply Last reply Nov 10, 2020, 10:40 AM Reply Quote 0
        • G
          Gertjan
          last edited by Gertjan Nov 10, 2020, 9:14 AM Nov 10, 2020, 6:14 AM

          More is going on with your DNS..

          Because
          207e877b-d26c-43d7-ba4a-765da0b15798-image.png
          is a locally defined host domain name, unbound knows about it.
          It's also normal that the upstream 1.1.1.1 doesn't know what pfsense.domain.com is. But it should know about the SOA of domain.com, that is, if you use a public registered domain name for your local network.

          unbound, the resolver, can resolve something like 'pfsense.domain.com' to a A or AAAA but it has no SOA record, most probably because you didin't define one locally. It's not really playing the role of a authoritative DNS server.

          If your "domain.com" is a registered domain name - using a registrar, a SOA would exist.

          A nslookup (run on a PC on LAN ) asking for the domain SOA (not subdomain !) :

          C:\Users\Gauche>nslookup -type=soa brit-hotel-fumel.net 1.1.1.1
          Serveur :   one.one.one.one
          Address:  1.1.1.1
          
          Réponse ne faisant pas autorité :
          brit-hotel-fumel.net
                  primary name server = ns1.brit-hotel-fumel.net
                  responsible mail addr = postmaster.brit-hotel-fumel.net
                  serial  = 2020050319
                  refresh = 14400 (4 hours)
                  retry   = 3600 (1 hour)
                  expire  = 1209600 (14 days)
                  default TTL = 10800 (3 hours)
          
          

          A dig (on pfSense) gives me an identical, more cryptic :

          dig @1.1.1.1my-registred-local.net SOA +short
          gives me 
          ns1.my-registred-local.net. postmaster.my-registred-local.net. 2020050319 14400 3600 1209600 10800
          

          which is also correct, as "my-registred-local.net" is a domain name I own (rent).

          Also, your 'nslookup' (from PC on LAN) returns :

          Server:		1.1.1.1
          Address:	1.1.1.1#53
          

          mine returns :

          Server:		one.one.one.one
          Address:	1.1.1.1#53
          

          so you can't 'reverse ptr'.

          Reset your DNS settings to default ?!

          edit DNS resolver and SOA records : same question ?

          Btw : Forwarding is useless, something from the past, blows a hole in your 'privacy'.
          Except if you have to communicate your DNS request to an upstream DNS company.

          The Internet is based on a pile of RFC papers. These papers tell you what (DNS) to use so everything works well. pfSense is setup up by default respecting thses RFC's. No where it's stated that you should use some "Fortne 500" company's DNS to make your connection work. That is, you'll be needing an ISP, as being your own ISP probably financially a show-stopper.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator @kevdog
            last edited by johnpoz Nov 10, 2020, 10:43 AM Nov 10, 2020, 10:40 AM

            @kevdog said in Is it possible to query domain name using outside DNS if using split DNS with Unbound?:

            Honestly I'm not trying to intercept dns

            My point was - the only way you would not be able to directly query the dns is, you can not talk them - ie blocked either at pfsense or your isp. Or your intercepting traffic either at pfsense or isp.

            If your saying your getting your host override returned - than that says your intercepting it at pfsense.. Or you have your public dns misconfigured with the wrong IP?

            As you're probably aware 1.1.1.1 is intended to query a specific name server.

            Ok ;) hehehehe dude I am well aware of exactly how dns functions ;)

            How about you PM the fqdn your trying to query, if you don't want to post it here - so I can see exactly what public dns says about it.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • J
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz Nov 10, 2020, 1:19 PM Nov 10, 2020, 1:16 PM

              Ok got your PM.. with your domain.. And don't show anything wrong with it on the public side. Other than cloudflare likes to use invalid serial numbers for their SOA ;)

              Maybe your not understanding me.. Pfsense has nothing to do with you talking to some IP out on the public, be it dns, be it http/https, ssh, sftp, ntp, whatever..

              Unless you blocked it - any client on your network would be able to talk directly to any dns server on the planet.

              If your not able to do a query for your domain for any sort of record directly to say goggle or quad9.. Then either you blocked it in pfsense, or its blocked upstream, or your intercepting traffic dns and sending it local? Which would explain how your getting your local records when your suppose to be asking some external NS.

              Your dig @8.8.8.8 would be direct to that IP and whatever you query you query..

              Here I setup a host override for www.cnn.com to point to 10.11.12.13

              override.png

              If I query that locally - that is what I get.

              C:\>dig www.cnn.com
              
              ; <<>> DiG 9.16.8 <<>> www.cnn.com
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7685
              ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
              
              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 4096
              ;; QUESTION SECTION:
              ;www.cnn.com.                   IN      A
              
              ;; ANSWER SECTION:
              www.cnn.com.            3600    IN      A       10.11.12.13
              
              ;; Query time: 6 msec
              ;; SERVER: 192.168.3.10#53(192.168.3.10)
              ;; WHEN: Tue Nov 10 07:14:49 Central Standard Time 2020
              ;; MSG SIZE  rcvd: 56
              

              If I query say 8.8.8.8 I get the public..

              C:\>dig @8.8.8.8 www.cnn.com
              
              ; <<>> DiG 9.16.8 <<>> @8.8.8.8 www.cnn.com
              ; (1 server found)
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14646
              ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
              
              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 512
              ;; QUESTION SECTION:
              ;www.cnn.com.                   IN      A
              
              ;; ANSWER SECTION:
              www.cnn.com.            147     IN      CNAME   turner-tls.map.fastly.net.
              turner-tls.map.fastly.net. 29   IN      A       151.101.1.67
              turner-tls.map.fastly.net. 29   IN      A       151.101.65.67
              turner-tls.map.fastly.net. 29   IN      A       151.101.129.67
              turner-tls.map.fastly.net. 29   IN      A       151.101.193.67
              
              ;; Query time: 32 msec
              ;; SERVER: 8.8.8.8#53(8.8.8.8)
              ;; WHEN: Tue Nov 10 07:15:50 Central Standard Time 2020
              ;; MSG SIZE  rcvd: 143
              

              If your trying to so something that would query unbound.. ie pfsense for that - then yeah you would be back your local host override. If your domain is set as pfsense domain, and you have your zone set as static then looking for something that you don't have a local record for would not look up from public. But the default setting is transparent.. And even if you had a local record for a, but not for soa.. you would be able to look that up as well as long as the domain is not your local zone.

              example - here I can query cnn.com for their soa.

              C:\>dig cnn.com soa
              
              ; <<>> DiG 9.16.8 <<>> cnn.com soa
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7664
              ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
              
              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 4096
              ;; QUESTION SECTION:
              ;cnn.com.                       IN      SOA
              
              ;; ANSWER SECTION:
              cnn.com.                3600    IN      SOA     ns-47.awsdns-05.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
              
              ;; Query time: 53 msec
              ;; SERVER: 192.168.3.10#53(192.168.3.10)
              ;; WHEN: Tue Nov 10 07:19:11 Central Standard Time 2020
              ;; MSG SIZE  rcvd: 113
              

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              K 1 Reply Last reply Nov 10, 2020, 5:39 PM Reply Quote 0
              • K
                kevdog @johnpoz
                last edited by Nov 10, 2020, 5:39 PM

                @johnpoz

                I tried replying to your thread but my post was flagged as spam... what give??

                B 1 Reply Last reply Nov 10, 2020, 6:00 PM Reply Quote 0
                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Nov 10, 2020, 5:40 PM

                  No idea what you were trying to post?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  K 1 Reply Last reply Nov 10, 2020, 5:48 PM Reply Quote 0
                  • K
                    kevdog @johnpoz
                    last edited by kevdog Nov 10, 2020, 5:54 PM Nov 10, 2020, 5:48 PM

                    @johnpoz

                    Ok basically I had everything typed out and formatted but that was flagged as spam.

                    I created the experiment you had above with the cnn override.

                    ***Due to spam filter on these forums I can't type the actual www address below so to bypass spam filter --- c/n/n=cnn -- sorry about confusion.

                    In both cases of query (dig www.c/n/n.com and dig @8.8.8.8 www.c/n/n.com) it resolved to the local IP address assigned in the override.

                    I've tested this from multiple servers running in different VM's on the LAN and its the same for all.

                    You stated something about dns interception however this has to be at the pfsense level since anything upstream to this would not resolve to the host override. Is there anywhere else in pfsense where the dns would be getting intercepted? I don't have any firewall rules for port 53 in any of the rulesets. I'm really confused.

                    I've also ran the same queries above directly within pfsense -- the queries actually resolve correctly as per your example.

                    1 Reply Last reply Reply Quote 0
                    • B
                      bingo600 @kevdog
                      last edited by Nov 10, 2020, 6:00 PM

                      @kevdog said in Is it possible to query domain name using outside DNS if using split DNS with Unbound?:

                      @johnpoz

                      I tried replying to your thread but my post was flagged as spam... what give??

                      Could that be reputation < 5 ?

                      /Bingo

                      If you find my answer useful - Please give the post a 👍 - "thumbs up"

                      pfSense+ 23.05.1 (ZFS)

                      QOTOM-Q355G4 Quad Lan.
                      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                      1 Reply Last reply Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Nov 10, 2020, 6:01 PM

                        pfsense does not do dns redirection unless you specifically set it up.

                        https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

                        What do you have in front of pfsense? Some soho router doing redirection pointing to pfsense for dns? Are you connected wireless to some wifi router behind pfsense, doing redirection?

                        Or wired to some soho router doing it?

                        This isn't rocket since - pfsense run a dns server. Unbound out of the box.. If you create a record locally for www.domain.tld that pints to 192.168.1.100 or something - nothing else would resolve that unless pfsense is asked for that.. If your resolving local IP, then someone you asked pfsense.. How you have your network setup I do not know..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        K 1 Reply Last reply Nov 10, 2020, 6:22 PM Reply Quote 0
                        • K
                          kevdog @johnpoz
                          last edited by Nov 10, 2020, 6:22 PM

                          @johnpoz

                          Hey thanks for at least pointing things out to me -- I really appreciate it since it really made me examine my setup a lot closer.

                          To answer your question directly I have a comcast model that plugs directly into self-built "protectli-type" box. pfsense is virtualized within xcp-ng which works pretty well for home setup.

                          I think however I found the problem after scratching my head for a really long long time. Within pfsense System->Advanced->Firewall & NAT -> Network Address Translation

                          NAT reflection mode for port fowards was set to Pure NAT. After disabling this setting, the queries would resolved appropriately. Strange I didn't think about this before.

                          1 Reply Last reply Reply Quote 0
                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Nov 10, 2020, 6:28 PM

                            Nat reflection has nothing to do with dns..

                            Nat reflection would be if you hit your wan IP on port X, and you had a port forward setup to forward port X to ip 192.168.1.100

                            That has zero to do with how dns would respond if you ask pfsense or not.. Again if you were doing a directed query to 8.8.8.8, pfsense would have zero to do with that conversation, nor would nat reflection.

                            Unless you had some port forward setup for dns (tcp/upd 53)??

                            Did you setup port forwarding for dns? Or redirection of dns?

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            K 1 Reply Last reply Nov 10, 2020, 7:06 PM Reply Quote 0
                            • K
                              kevdog @johnpoz
                              last edited by Nov 10, 2020, 7:06 PM

                              @johnpoz

                              Bubble burst

                              Screen Shot 2020-11-10 at 1.05.29 PM.png

                              I'm assuming this is the culprit right here as you suspected

                              1 Reply Last reply Reply Quote 0
                              • J
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz Nov 10, 2020, 7:16 PM Nov 10, 2020, 7:13 PM

                                Why would you setup a rule like that - makes zero sense.. For starter why would anything be hitting your wan but not to any of your firewall IPs?

                                For the life of me - can not figure out what that rule would do.. There should be nothing hitting your wan on 53, but not directed to your wan IP.. What are you wan firewall rules?

                                But yes if some traffic came into your wan interface for say 8.8.8.8 (not a firewall IP) it would be forwarded to loopback.. If your wan firewall rules allowed it, or some floating rule did. And then yes that would return whatever host override you had setup. etc..

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                K 1 Reply Last reply Nov 10, 2020, 8:25 PM Reply Quote 0
                                • K
                                  kevdog @johnpoz
                                  last edited by Nov 10, 2020, 8:25 PM

                                  @johnpoz

                                  Yea - I get it. They don't make much sense -- I've definitely had to either drop some of the NAT and Firewall rules for not making sense. Bottom line was the NAT rules was redirecting all port 53 requests to pfsense which was intercepting all the outgoing traffic.

                                  Thanks a lot for your help on this issue.

                                  1 Reply Last reply Reply Quote 0
                                  1 out of 16
                                  • First post
                                    1/16
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                    This community forum collects and processes your personal information.
                                    consent.not_received