WAN address returned for unknown hostnames
-
I apologize up front if this has been asked & answered already, but I could not find it after hours of searching (although I am starting to breeze over articles now from fatigue).
pfSense Version 22.01-RELEASE (amd64)
DNS Resolver enabled
example domain name: test.org
DHCP Server enabled
Not using pi.hole or AdGuard ... DNS and DHCP services provided only by pfSense
Everything is working just fine except for one annoyance. If I perform an nslookup for an entry that does not exist (such as qqqqq.test.org) I always get back the WAN address (instead of nslookup: can't resolve 'qqqqq.test.org'). I understand why this is happening, but how do you keep queries for the local domain from being forwarded to the "upstream" DNS servers? I have a wildcard for my domain, so everything is getting resolved to my WAN upstream.
In testing just now (to write this post), I learned I also get my own WAN address if I do nslookup x.google.com.
This is really annoying when you try to access a host configured for DHCP that is down. The WAN address is always returned.
-
I am surprised after posting this 2 days ago and ~30 views no one else has seen this issue or has any thoughts on how to correct the behavior. Am I really alone with this?
-
@meisner I had not seen this post until now. If you're using the same domain locally as publicly, which I'm not a fan of at all. But if you're going to do that, you would want to set the zone to static vs transparent.
In transparent which is the default, if someone asks for qqqq.test.org and there is no local resource then it will resolve via public dns. If you have a wild card then yeah that is exactly what would happen.
static: If there is a match from local data, the query is answered. Otherwise, the query is answered with nodata or nxdomain. For a negative answer a SOA is included in the answer if present as local-data for the zone apex domain.
transparent: If there is a match from local data, the query is answered. Otherwise if the query has a different name, the query is resolved normally. If the query is for a name given in localdata but no such type of data is given in localdata, then a noerror nodata answer is returned. If no local-zone is given local-data causes a transparent zone to be created by default.
I have mine set to static, because there is zero point to try and public resolve anything.local.lan which is what I am using for my local domain, because it would never resolve - so no reason to send say a typo on my part outbound to the roots, etc.
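A small model of the two zone types quoted above, added here as an illustration and not part of the original posts or of Unbound's own code: it applies only the quoted static/transparent rules to a constructed test.org zone and reports which queries leave the network. The host names, addresses and the `upstream` stub (standing in for public DNS with a wildcard record) are assumptions.

```python
# Added illustration: models only the static/transparent rules quoted above.
# Zone contents, addresses and the upstream wildcard are constructed samples.
LOCAL_ZONE = "test.org"
LOCAL_DATA = {                       # (name, rrtype) -> value
    ("nas.test.org", "A"): "192.168.1.10",
    ("printer.test.org", "A"): "192.168.1.20",
}
WAN_ADDR = "203.0.113.5"             # documentation-range stand-in for the WAN IP


def upstream(name, rrtype):
    """Public DNS with a wildcard A record for *.test.org (as in the thread)."""
    if rrtype == "A" and name.endswith("." + LOCAL_ZONE):
        return ("NOERROR", WAN_ADDR)
    return ("NXDOMAIN", None)


def resolve(name, rrtype, zone_type):
    """Return (rcode, answer, left_the_network) for a query."""
    name = name.lower().rstrip(".")
    in_zone = name == LOCAL_ZONE or name.endswith("." + LOCAL_ZONE)
    if not in_zone:
        return (*upstream(name, rrtype), True)      # not covered by the local zone
    if (name, rrtype) in LOCAL_DATA:
        return ("NOERROR", LOCAL_DATA[(name, rrtype)], False)
    name_known = any(n == name for n, _ in LOCAL_DATA)
    if name_known:
        # Name exists locally but not with this type: NODATA in both modes.
        return ("NOERROR", None, False)
    if zone_type == "static":
        return ("NXDOMAIN", None, False)            # answered locally, never forwarded
    if zone_type == "transparent":
        return (*upstream(name, rrtype), True)      # falls through to public DNS
    raise ValueError(f"unmodelled zone type: {zone_type}")


if __name__ == "__main__":
    queries = [("nas.test.org", "A"), ("nas.test.org", "AAAA"), ("qqqqq.test.org", "A")]
    for zone_type in ("transparent", "static"):
        for name, rrtype in queries:
            print(zone_type, name, rrtype, resolve(name, rrtype, zone_type))
```

The third element of each result is the part worth watching: with static, a typo or a powered-off DHCP host under the local domain is answered on the firewall and the name is never sent to an outside resolver.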
-
@johnpoz Thank you so much for the quick and informative reply!!!!!
I just set mode to static and it works perfectly. When setting this up, I read the description provided in the UI, and it didn't seem to matter for my installation. So I left it as Transparent.
pfSense is absolutely great! But, there are so many settings (which allows you to do so much), you need a solid education in every aspect of firewalls/routers/DNS/DHCP/etc to get everything right.
Like I said, I love pfSense ... it can be tough to navigate everything though.
Thanks again!!