Question about DNS
-
Hi. I have a small issue, no big deal, but it got me wondering, so I'm asking here.
My Nextcloud server has lately been giving me errors like this, a few times a day.
[PHP] Error: dns_get_record(): DNS Query failed at /usr/local/www/nextcloud/lib/private/Http/Client/DnsPinMiddleware.php#83 at 2021-11-09T03:35:23+01:00
Looking at my PiHole query logs at that exact time, my Nextcloud server (10.0.0.174) tried to resolve apps.nextcloud.com.
My question is: why did it ask for apps.nextcloud.com.lan?
My /etc/resolv.conf file reads "search lan".
apps.nextcloud.com doesn't have a CNAME record.
Could that be the reason why it tried adding the lan suffix?
But aren't those domain search suffixes supposed to be added only when asking for hostnames without dots?
By the way, Nextcloud is in a jail in TrueNAS 12 (FreeBSD 12) and Pihole is in a Debian VM on TrueNAS 12.
Thanks! -
@making_sense_of_pfsense No, the search suffix can be added on any query.
-
Ok, that is good to know.
Still, I don't get why a query for apps.nextcloud.com.lan was made.
And by the way, I just noticed something even more baffling in my Pihole Query log: a DNS lookup for apps.nextcloud.com.lan.lan!
I guess my question, more in general, is under what circumstances is a new DNS lookup made by adding the suffix?
Thanks. -
@making_sense_of_pfsense said in Question about DNS:
is under what circumstances is a new DNS lookup made by adding the suffix?
Depends on the client.
As to why your phone is doing that - could be it has its local lan setting and getting it again from dhcp?
You can look at turning off the search suffix in your client to prevent such lookups.
Example - what it's looking for returned an NX, so it tried with the search suffix added (my local domain is local.lan).
What I do to help keep noise and unwanted queries from leaving my network is set the zone type to static in unbound. Now any queries done for my domain (local.lan) that do not have local records are just returned NX vs trying to query them from public.
My pihole forwards to unbound on pfsense.
-
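The search-list behaviour and the static-zone trick described in the post above, as an added Python illustration (not code from this thread, Nextcloud, PHP, Pi-hole or unbound). It models a stub resolver that tries the absolute name first and falls back to the search suffix when the first lookup fails, and a forwarding resolver with and without a static zone for "lan.". Assumptions that the thread does not state: ndots defaults to 1 as in the BSD libc and glibc resolvers, a failed upstream lookup is reported back as NXDOMAIN, the zone data and the 192.0.2.10 address are constructed, and the ".lan.lan" scenario (a second resolver with its own "search lan" treating the already suffixed name as relative) is one possible mechanism, not an established cause.

```python
"""Simulation of stub-resolver search-list expansion and an unbound-style
static local zone. Added illustration, not code from Nextcloud, PHP or any
post in this thread. Assumptions: ndots=1 (BSD libc / glibc default), the
absolute name is tried first when it already has >= ndots dots, suffixes are
appended only after that lookup fails, and the zone data is constructed."""

NXDOMAIN = "NXDOMAIN"

# Constructed records. 192.0.2.10 is a documentation address, not the real one.
ZONE = {
    "apps.nextcloud.com.": "192.0.2.10",
    "pihole.lan.": "10.0.0.2",
}


def candidates(name, search, ndots=1):
    """Names a stub resolver tries, in order, for a lookup of `name`.

    A trailing dot marks a fully qualified name and suppresses the search
    list entirely. Otherwise the absolute name goes first when it already
    holds >= ndots dots and the suffixed forms follow; short names such as
    "nextcloud" get the suffixed forms first.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    suffixed = [f"{name}.{s.strip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def resolve(name, search, lookup, ndots=1):
    """Walk the candidate list until `lookup` answers. Returns (answer, tried)."""
    tried = []
    for qname in candidates(name, search, ndots):
        tried.append(qname)
        answer = lookup(qname)
        if answer != NXDOMAIN:
            return answer, tried
    return NXDOMAIN, tried


def forwarder(upstream, static_zones=()):
    """Model a forwarding resolver such as unbound in front of `upstream`.

    For a zone in `static_zones` (the analogue of `local-zone: "lan." static`),
    a name under it with no local record is answered NXDOMAIN here and never
    sent upstream. Returns the query function and the list of forwarded names.
    """
    forwarded = []

    def query(qname):
        for zone in static_zones:
            if qname == zone or qname.endswith("." + zone):
                return ZONE.get(qname, NXDOMAIN)  # answered locally
        forwarded.append(qname)
        return upstream(qname)

    return query, forwarded


def public_dns(qname):
    """Constructed stand-in for the public DNS."""
    return ZONE.get(qname, NXDOMAIN)


def outage(qname):
    """Same, but the nextcloud.com lookup fails (a timeout reported as NXDOMAIN)."""
    return NXDOMAIN if qname == "apps.nextcloud.com." else ZONE.get(qname, NXDOMAIN)


def demo():
    """Run the scenarios from the thread; returns which names each one queried."""
    out = {}
    # Healthy upstream: the absolute name answers, the .lan form is never tried.
    out["healthy"] = resolve("apps.nextcloud.com", ["lan"], public_dns)[1]
    # Upstream failure: the resolver retries with the search suffix appended.
    out["outage"] = resolve("apps.nextcloud.com", ["lan"], outage)[1]
    # Assumption: a second resolver with its own "search lan" treating the
    # already suffixed name as relative is one way a .lan.lan query can appear.
    out["double"] = candidates("apps.nextcloud.com.lan", ["lan"])
    # Transparent zone: the bogus .lan retry is forwarded to the public DNS.
    q, fwd = forwarder(outage)
    resolve("apps.nextcloud.com", ["lan"], q)
    out["transparent_forwarded"] = fwd
    # Static zone: the same retry is answered NXDOMAIN locally instead.
    q, fwd = forwarder(outage, static_zones=["lan."])
    resolve("apps.nextcloud.com", ["lan"], q)
    out["static_forwarded"] = fwd
    return out


if __name__ == "__main__":
    for scenario, names in demo().items():
        print(f"{scenario:22s} {names}")
```

The "healthy" scenario shows why the suffixed query is only seen a few times a day: it appears exactly when the first, absolute lookup fails. The two "forwarded" lists are the difference between the transparent and static zone types: with a static zone the "apps.nextcloud.com.lan." retry still hits the local resolver, but it never leaves the network.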
@johnpoz said in Question about DNS:
As to why your phone is doing that - could be it has its local lan setting and and getting it again from dhcp?
Yes, the lan domain is assigned by the DHCP server, I just wasn't aware that failed DNS lookups of any domain would cause the client to retry with the addition of the domain suffix. I thought it only worked for resolving domains without a dot.
I had to research System Domain Local Zone Type in unbound as I never even questioned the default Transparent setting.
DNS can get very complicated and I'm just a home lab hobbyist so I'm going to set aside the more complicated stuff for my second lifetime! -
@making_sense_of_pfsense said in Question about DNS:
DNS can get very complicated
There is way more to it than your typical user normally understands - that is for sure ;) Not sure I would consider it "complex", but sure there is more to it than just look up this, get this IP.. Lots of different record types, forwarding vs resolving, etc. etc.
Chained CNAMEs..
But then again I have been working and playing with DNS since it first came out.. And yes, it has evolved from its beginnings, that is for sure.. Some really slick stuff to be sure.. ECS with EDNS, for example, is slick stuff, so is DNSSEC (shame it's not fully deployed on every domain)..
A great read, even if the latest version is a bit dated, is the DNS and BIND book.. If you're really looking to get into the weeds with what makes DNS tick.
-
@johnpoz said in Question about DNS:
A great read, even if the latest version is a bit dated, is the DNS and BIND book.
Thank you, it looks very interesting! Added to the to-read list!