Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    TXT record not resolving using DNS Resolver

    Scheduled Pinned Locked Moved
    DHCP and DNS
    3
    5
    909
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sionicion
      last edited by

      So I'm trying to use cert-manager to issue certs for my domain and when the system is behind my pfsense DNS server, it can't resolve the TXT record.

      It can resolve a TXT record I make in the CloudFlare DNS console, which is odd, but it won't resolve whatever cert-manager adds. The same TXT record can resolve on a system not using the pfsense DNS resolver.

      I do have firewall rules to prevent any system from using anything except my DNS server.

      I think the real question is why is it specifically not propagating this record, but like is there a way to reduce the cache or something? The problem is I have pfblockerng enabled so I kinda need the DNS resolver enabled.

      Also another reason I'd like it enabled is I was going to add DNS entries pointing to the local IPs so when I access the site locally, it doesn't reach out to the Internet unnecessarily.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @sionicion
        last edited by johnpoz

        Huh? What does the cert manager have to do with a TXT record?

        You can not create TXT records in the gui of unbound.. You have to use custom option box with the local-data

        Notice the single and double quotes

        text.png

        but it won't resolve whatever cert-manager adds

        Cert manager would never add a TXT record to unbound.. Are you using the ACME package to try and get a cert?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        S 1 Reply Last reply Reply Quote 0
        • S
          sionicion @johnpoz
          last edited by

          @johnpoz I'm not using pfsense to obtain the certs. I'm running cert-manager in a Kubernetes cluster behind pfsense. cert-manager is able to successfully add the TXT record to CloudFlare, but inside my network (behind pfsense DNS server) I cannot resolve the TXT record. In a separate subnet not restricted to the pfsense DNS server and running a DNS server such as 1.1.1.1, the system can resolve the TXT record. It's specifically any system behind the pfsense DNS server, they can't resolve the TXT record that cert-manager is setting.

          If I was to manually add a TXT record to CloudFlare using their website, I can resolve that TXT record behind pfsense DNS. It's odd. So my current workaround is to allow computers in my homelab subnet use external DNS servers, and certs are issued successfully. It's just not what I want to do.

          kiokomanK 1 Reply Last reply Reply Quote 0
          • kiokomanK
            kiokoman LAYER 8 @sionicion
            last edited by

            @sionicion
            did you restart unbound after adding the txt ? maybe it's the cache

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @kiokoman
              last edited by

              So you mean you running cert manger from ACME.. On some box behind pfsense.. So this has zero to do with pfsense at all. Its not the cert manager in pfsense.

              You can have issues with that and cache as @kiokoman mentioned..

              If your wanting to renew your acme certs with client behind pfsense, and your pointing to pfsense for dns.. Then yeah you could have cached the old entry, what ttl do you have set for those records?

              I was having an sim issue with the dns-cloudflare settings even on the acme package on pfsense. I ended up setting the dns timeout to 180 and this seems to have corrected the problem..

              So you could try updating the dns time out setting on your client.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              1 Reply Last reply Reply Quote 0
              • First post
                Last post