Netgate Discussion Forum
WAN address returned for unknown hostnames

DHCP and DNS
meisner

      I apologize up front if this has been asked & answered already, but I could not find it after hours of searching (although I am starting to breeze over articles now from fatigue).

      pfSense Version 22.01-RELEASE (amd64)
      DNS Resolver enabled
      example domain name: test.org
      DHCP Server enabled
      Not using pi.hole or AdGuard ... DNS and DHCP services provided only by pfSense

Everything is working just fine except for one annoyance. If I perform an nslookup for an entry that does not exist (such as qqqqq.test.org) I always get back the WAN address (instead of nslookup: can't resolve 'qqqqq.test.org'). I understand why this is happening, but how do you keep queries for the local domain from being forwarded to the "upstream" DNS servers? I have a wildcard for my domain, so everything is getting resolved to my WAN upstream.

      In testing just now (to write this post), I learned I also get my own WAN address if I do nslookup x.google.com.

      This is really annoying when you try to access a host configured for DHCP that is down. The WAN address is always returned.

meisner @meisner

        I am surprised after posting this 2 days ago and ~30 views no one else has seen this issue or has any thoughts on how to correct the behavior. Am I really alone with this?

johnpoz (LAYER 8 Global Moderator) @meisner

@meisner I had not seen this post until now.. If you're using the same domain locally as publicly, which I'm not a fan of at all. But if you're going to do that, you would want to set the zone to static vs transparent.

In transparent, which is the default, if someone asks for qqqq.test.org and there is no local resource then it will resolve via public DNS. If you have a wildcard then yeah, that is exactly what would happen.

    static
        If there is a match from local data, the query is answered.
        Otherwise, the query is answered with nodata or nxdomain.
        For a negative answer a SOA is included in the answer if
        present as local-data for the zone apex domain.

    transparent
        If there is a match from local data, the query is answered.
        Otherwise if the query has a different name, the query is
        resolved normally. If the query is for a name given in
        local-data but no such type of data is given in localdata, then
        a noerror nodata answer is returned. If no local-zone is given
        local-data causes a transparent zone to be created by default.


I have mine set to static, because there is zero point to try and publicly resolve anything.local.lan, which is what I am using for my local domain, because it would never resolve - so no reason to send, say, a typo on my part outbound to the roots, etc.

(attached screenshot: unbound.jpg)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
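As an added illustration of the static vs transparent distinction johnpoz describes (example code written for this page, not unbound's or pfSense's own; the local names, addresses and the public wildcard target are constructed), this models the decision steps from the man-page excerpt above and shows why qqqqq.test.org reaches the wildcard under transparent but gets NXDOMAIN under static:

```python
# Model of unbound's local-zone handling for the two zone types quoted above.
# Not unbound code: a hypothetical re-implementation of the documented rules.

WAN_ADDR = "198.51.100.7"  # constructed placeholder for the public wildcard target

# Constructed local-data, as pfSense host/DHCP overrides would register it.
LOCAL_DATA = {
    ("nas.test.org", "A"): "192.168.1.10",
    ("printer.test.org", "A"): "192.168.1.20",
}

def upstream_resolve(name: str, rtype: str):
    """Constructed stand-in for public DNS: test.org has a wildcard A record."""
    if rtype == "A" and name.endswith(".test.org"):
        return ("NOERROR", WAN_ADDR)
    return ("NXDOMAIN", None)

def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)

def resolve(name: str, rtype: str, zone: str, zone_type: str):
    """Return (rcode, answer, forwarded_upstream) for one query against one local zone."""
    name = name.lower().rstrip(".")
    if not in_zone(name, zone):
        # Outside the local zone: resolved normally regardless of zone type.
        return (*upstream_resolve(name, rtype), True)
    if (name, rtype) in LOCAL_DATA:
        # Match from local data: answered locally in both modes.
        return ("NOERROR", LOCAL_DATA[(name, rtype)], False)
    name_known = any(n == name for n, _ in LOCAL_DATA)
    if zone_type == "static":
        # static: name exists with another type -> nodata, otherwise nxdomain.
        return ("NOERROR" if name_known else "NXDOMAIN", None, False)
    if zone_type == "transparent":
        if name_known:
            return ("NOERROR", None, False)  # noerror/nodata, not forwarded
        # Unknown name in the zone: leaks to public DNS and hits the wildcard.
        return (*upstream_resolve(name, rtype), True)
    raise ValueError(f"unsupported local-zone type: {zone_type}")

if __name__ == "__main__":
    for mode in ("transparent", "static"):
        print(mode, resolve("qqqqq.test.org", "A", "test.org", mode))
```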

meisner @johnpoz

            @johnpoz Thank you so much for the quick and informative reply!!!!!

            I just set mode to static and it works perfectly. When setting this up, I read the description provided in the UI, and it didn't seem to matter for my installation. So I left it as Transparent.

pfSense is absolutely great! But there are so many settings (which allow you to do so much) that you need a solid education in every aspect of firewalls/routers/DNS/DHCP/etc. to get everything right.

Like I said, I love pfSense ... it can be tough to navigate everything though.

            Thanks again!!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.