DNS Search Binding Order - Intranet then Internet
-
I have not <yet> discovered a good guide on proper DNS configuration.
I want to ensure that local users get Intranet DNS resolution (this is via DHCP lease option of local AD server)... but also.. the router itself, and VPN users.
I know that best practice domain names for intranet have moved away from the .local construct.. but this is what I have. Let's call it penguinpages.local
My internet domain name is via a DDNS service; let's call it penguinpages.ddns.edu
Local DNS server 172.16.100.22 ados.penguinpages.local
I want to correct this so later on, when I do more with certs and sign a SAN cert with the domain / intranet and internet names, it will resolve.
I thought the way to fix this was that the DNS search (default of parallel) would be within pfsense of stated IP ( general settings : 172.16.100.22) as well as external DNS that it links to and gets from DHCP on WAN from ISP.
Not sure.. but poked around and thought maybe it was DNS Forwarder precedence
Resolution: change DNS forwarder to enable
Broken..But.. nope.
If someone has an example or RTFM where I can read up and correct DNS search paths for the internal router and VPN connected users
Thanks,
-
The resolver (Unbound) runs by default rather than the forwarder (DNSmasq) but it can run in forwarding mode.
However that shouldn't be required here. You should be able to enter the host or domain override to the resolver.
If you test in Diag > DNS Lookup you can see all the DNS servers configured and what they are returning. The actual order is determined in System > General Setup in 'DNS Resolution Behavior'.
https://docs.netgate.com/pfsense/en/latest/config/general.html#dns-resolution-behavior
Steve
-
I kind of figured as much. Unbound I thought would do parallel search within context of services listed. Ex: Search penguinpages.local (intranet) it would find just in that the DNS SOA for that zone is within the environment and in list.
Host "ados.penguinpages.local" could not be resolved.

DNS Lookup
Hostname: ados.penguinpages.local

Timings
Name server      Query time
127.0.0.1        52 msec
75.75.75.75      119 msec
75.75.76.76      316 msec
172.16.100.22    0 msec
That host .22 is the SOA (windows AD for zone)
So no reason it would / should not get result.
The only DNS I A$$umed I need to setup is intranet system, and then assumed it would append to search list what it got from DHCP on WAN side.
[2.6.0-RELEASE][admin@rt1.penguinpages.local]/root: cat /etc/res
resolv.conf     resolvconf.conf
[2.6.0-RELEASE][admin@rt1.penguinpages.local]/root: cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 75.75.75.75
nameserver 75.75.76.76
nameserver 172.16.100.22
search hsd1.ga.comcast.net.
[2.6.0-RELEASE][admin@rt1.penguinpages.local]/root: ping ados.penguinpages.local
ping: cannot resolve ados.penguinpages.local: Unknown host
[2.6.0-RELEASE][admin@rt1.penguinpages.local]/root: nslookup - 172.16.100.22
> ados
Server:         172.16.100.22
Address:        172.16.100.22#53

** server can't find ados: SERVFAIL
> ados.penguinpages.local
Server:         172.16.100.22
Address:        172.16.100.22#53

Name:   ados.penguinpages.local
Address: 172.16.100.22
Name:   ados.penguinpages.local
Address: 172.16.101.22
Name:   ados.penguinpages.local
Address: 192.168.10.22
>
Seems the base OS when configured to use local DNS did not / does not use the server specified, nor does it set DNS context.
I am sure this is just something I misconfigured, but I followed what seemed logical. Set local DNS server + 8.8.8.8 (google)-> Assume it would then bring those internal to Unbound services.
-
@penguinpages said in DNS Search Binding Order - Intranet then Internet:
Set local DNS server + 8.8.8.8 (google)-> Assume it would
Doesn't work that way..
When you set more than 1 dns on a client, you really have no idea which it might ask. If it asks google for something.local it would get back a NX, and wouldn't ask any other ns it has listed.
btw .local is a horrible choice for a local domain tld.. .local is special use.. don't use it or you're going to run into issues.
use home.arpa as your local domain name or whatever.home.arpa etc..
so you would have host.whatever.home.arpa as a fqdn for your local resources or just host.home.arpa, etc.
-
Mmm, either uncheck 'DNS Server Override' and set 'DNS Resolution Behavior' to Use remote.
Or set a domain override for penguinpages.local in Unbound to use the AD server.
Steve
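As an added example (not pfSense's or the thread's own code), the check below parses a resolv.conf like the one posted above and reports the three problems this thread turns on: public and internal nameservers mixed in one list (any of them may be asked, and a public one answers NXDOMAIN for the internal zone with no fallback), a search list that lacks the internal zone, and a special-use TLD such as .local. The zone name and 172.16.100.22 come from the thread; the sample file content is constructed from the posted output.

```python
"""Audit a resolv.conf for intranet/Internet resolver mixing (added example)."""
import ipaddress

# Constructed from the /etc/resolv.conf shown earlier in the thread.
SAMPLE_RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver 75.75.75.75
nameserver 75.75.76.76
nameserver 172.16.100.22
search hsd1.ga.comcast.net.
"""

# Special-use TLDs (RFC 6761/6762/7686) a unicast resolver should not serve.
SPECIAL_USE_TLDS = {"local", "localhost", "invalid", "test", "example", "onion"}


def parse_resolv_conf(text):
    """Return (nameservers, search_domains); search domains are lowercased, no trailing dot."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *vals = line.split()
        if key == "nameserver" and vals:
            nameservers.append(vals[0])
        elif key in ("search", "domain"):
            search.extend(v.rstrip(".").lower() for v in vals)
    return nameservers, search


def classify(addr):
    """Label a nameserver address as loopback, private (RFC 1918 etc.) or public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def audit(text, internal_zone):
    """Return human-readable findings explaining why names in internal_zone may fail."""
    internal_zone = internal_zone.rstrip(".").lower()
    servers, search = parse_resolv_conf(text)
    kinds = {classify(s) for s in servers}
    findings = []
    # A stub resolver may query any listed server; a public one returns
    # NXDOMAIN for the internal zone and the client does not retry elsewhere.
    if "public" in kinds and kinds - {"public"}:
        findings.append("mixed public and internal nameservers: internal names "
                        "resolve only when the internal server happens to be asked")
    if internal_zone not in search:
        findings.append(f"search list {search} lacks {internal_zone}: a short name "
                        "such as 'ados' will not expand to the internal zone")
    if internal_zone.rsplit(".", 1)[-1] in SPECIAL_USE_TLDS:
        findings.append(f"{internal_zone} uses a special-use TLD; prefer home.arpa")
    return findings
```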