WAN address returned for unknow hostnames

meisner

I apologize up front if this has been asked & answered already, but I could not find it after hours of searching (although I am starting to breeze over articles now from fatigue).

pfSense Version 22.01-RELEASE (amd64)
DNS Resolver enabled
example domain name: test.org
DHCP Server enabled
Not using pi.hole or AdGuard ... DNS and DHCP services provided only by pfSense

Everything is working just find except for one annoyance. If I perform an nslookup for an entry that does not exist (such as qqqqq.test.org) I always get back the WAN address (instead of nslookup: can't resolve 'qqqqq.test.org') . I understand why this is happening, but how do you keep queries for the local domain from being forwarded to the "upstream" DNS servers? I have a wildcard for my domain, so everything is getting resolved to my WAN upstream.

In testing just now (to write this post), I learned I also get my own WAN address if I do nslookup x.google.com.

This is really annoying when you try to access a host configured for DHCP that is down. The WAN address is always returned.

meisner

I am surprised after posting this 2 days ago and ~30 views no one else has seen this issue or has any thoughts on how to correct the behavior. Am I really alone with this?

johnpoz

@meisner I had not seen this post until now.. If your using the same domain locally as publicly, which not a fan of at all. But if your going to do that, you would want to set the zone to static vs transparent.

In transparent which is the default, if someone asks for qqqq.test.org and there is no local resource then it will resolve via public dns. If you have a wild card then yeah that is exactly what would happen.

        static
             If  there  is a match from local data, the query is answered.
             Otherwise, the query is answered  with  nodata  or  nxdomain.
             For  a  negative  answer  a  SOA is included in the answer if
             present as local-data for the zone apex domain.

        transparent
             If there is a match from local data, the query  is  answered.
             Otherwise if the query has a different name, the query is re-
             solved normally.  If the query is for a name given in  local-
             data  but  no such type of data is given in localdata, then a
             noerror nodata answer is returned.  If no local-zone is given
             local-data  causes  a  transparent  zone to be created by de-
             fault.

I have mine set to static, because there is zero point to try and public resolve anything.local.lan which is what I am using for my local domain, because it would never resolve - so no reason to send say a typo on my part outbound to the roots, etc.

meisner

@johnpoz Thank you so much for the quick and informative reply!!!!!

I just set mode to static and it works perfectly. When setting this up, I read the description provided in the UI, and it didn't seem to matter for my installation. So I left it as Transparent.

pfSense is absolutely great! But, there are so many settings (which allows you do so much), you need a solid education in every aspect of firewalls/routers/DNS/DHCP/etc to get everything right.

Like I said, I love pfSense .,.. it can be tough to navigate everything though.

Thanks again!!