Netgate Discussion Forum

TXT record not resolving using DNS Resolver

Category: DHCP and DNS
5 Posts, 3 Posters, 1.2k Views
    sionicion, Dec 5, 2020, 3:18 PM

    So I'm trying to use cert-manager to issue certs for my domain and when the system is behind my pfsense DNS server, it can't resolve the TXT record.

    It can resolve a TXT record I make in the CloudFlare DNS console, which is odd, but it won't resolve whatever cert-manager adds. The same TXT record can resolve on a system not using the pfsense DNS resolver.

    I do have firewall rules to prevent any system from using anything except my DNS server.

    I think the real question is why is it specifically not propagating this record, but like is there a way to reduce the cache or something? The problem is I have pfblockerng enabled so I kinda need the DNS resolver enabled.

    Also another reason I'd like it enabled is I was going to add DNS entries pointing to the local IPs so when I access the site locally, it doesn't reach out to the Internet unnecessarily.

      johnpoz (LAYER 8, Global Moderator) @sionicion, Dec 5, 2020, 3:49 PM (last edited 3:51 PM)

      Huh? What does the cert manager have to do with a TXT record?

      You cannot create TXT records in the GUI of unbound.. You have to use the custom options box with local-data

      Notice the single and double quotes

      [screenshot: text.png]

      > but it won't resolve whatever cert-manager adds

      Cert manager would never add a TXT record to unbound.. Are you using the ACME package to try and get a cert?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        sionicion @johnpoz, Dec 5, 2020, 7:35 PM

        @johnpoz I'm not using pfsense to obtain the certs. I'm running cert-manager in a Kubernetes cluster behind pfsense. cert-manager is able to successfully add the TXT record to CloudFlare, but inside my network (behind the pfsense DNS server) I cannot resolve the TXT record. In a separate subnet not restricted to the pfsense DNS server and using a DNS server such as 1.1.1.1, the system can resolve the TXT record. It's specifically systems behind the pfsense DNS server that can't resolve the TXT record that cert-manager is setting.

        If I manually add a TXT record to CloudFlare using their website, I can resolve that TXT record behind pfsense DNS. It's odd. So my current workaround is to allow computers in my homelab subnet to use external DNS servers, and certs are issued successfully. It's just not what I want to do.

          kiokoman (LAYER 8) @sionicion, Dec 5, 2020, 7:53 PM

          @sionicion did you restart unbound after adding the TXT? Maybe it's the cache.


            johnpoz (LAYER 8, Global Moderator) @kiokoman, Dec 5, 2020, 8:19 PM

            So you mean you're running cert manager from ACME.. On some box behind pfsense.. So this has zero to do with pfsense at all. It's not the cert manager in pfsense.

            You can have issues with that and cache as @kiokoman mentioned..

            If you're wanting to renew your acme certs with a client behind pfsense, and you're pointing to pfsense for dns.. Then yeah you could have cached the old entry, what ttl do you have set for those records?

            I was having a similar issue with the dns-cloudflare settings even on the acme package on pfsense. I ended up setting the dns timeout to 180 and this seems to have corrected the problem..

            So you could try updating the dns timeout setting on your client.

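The cache explanation kiokoman and johnpoz give above can be reproduced without touching a real resolver. The following is an added example, not code from the thread or from pfSense: it simulates RFC 2308 negative caching to show why a TXT record that cert-manager publishes after the resolver has already been asked for it stays invisible behind the resolver until the cached "no such record" answer expires or the cache is flushed, while a record created before the first query (the manual CloudFlare case) resolves at once. The names, TTLs and simulated clock are constructed.

```python
# Added example (not from the thread): RFC 2308 negative caching simulated to show why a
# just-published _acme-challenge TXT record stays invisible to a caching resolver until the
# cached NODATA answer expires or the cache is flushed. Names, TTLs and clock are constructed.
from dataclasses import dataclass, field

NEG_TTL = 300   # constructed: the zone's SOA minimum, used as the negative-cache TTL
POS_TTL = 60    # constructed: TTL of the TXT record itself


def authoritative_lookup(zone, name, rtype):
    """Stand-in for the public DNS provider; zone is a dict keyed by (name, type)."""
    value = zone.get((name, rtype))
    return (None, NEG_TTL) if value is None else (value, POS_TTL)


@dataclass
class CachingResolver:
    """Stand-in for the pfSense DNS Resolver: caches positive AND negative answers."""
    upstream: dict
    cache: dict = field(default_factory=dict)   # (name, type) -> (value, expires_at)

    def query(self, name, rtype, now):
        key = (name, rtype)
        if key in self.cache:
            value, expires_at = self.cache[key]
            if now < expires_at:
                return value            # served from cache, even when it is a cached NODATA
            del self.cache[key]
        value, ttl = authoritative_lookup(self.upstream, name, rtype)
        self.cache[key] = (value, now + ttl)
        return value

    def flush(self, name):
        # Drop every cached entry for the name: what an unbound cache flush or restart does.
        for key in [k for k in self.cache if k[0] == name]:
            del self.cache[key]


def dns01_scenario(flush_before_retry=False):
    """Replay the symptom: check before the record exists, publish it, retry inside the TTL."""
    name = "_acme-challenge.example.com."
    zone = {}
    resolver = CachingResolver(zone)
    seen = [resolver.query(name, "TXT", now=0)]           # pre-check caches a NODATA answer
    zone[(name, "TXT")] = "constructed-token"             # record published at the provider
    if flush_before_retry:
        resolver.flush(name)
    seen.append(resolver.query(name, "TXT", now=10))            # retry inside NEG_TTL: stale
    seen.append(resolver.query(name, "TXT", now=NEG_TTL + 1))   # after NEG_TTL: record seen
    return seen
```

Without the flush the resolver keeps answering NODATA for the whole negative TTL even though the provider already serves the record, which is the window in which the ACME check fails; flushing the name (or lowering the zone's negative TTL) closes that window.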
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.