Netgate Discussion Forum
    PFSense unable to resolve cloudflare entries when not proxied?

    DHCP and DNS
    5 Posts 3 Posters 396 Views

    cromat
    last edited by cromat

      All, I have a DNS registered in Cloudflare, call it mydomain.net, and I have DNS entries for *.mydomain.net that point to a local IP.

      From the machines on my network I can resolve mydomain.net but not anything off the *.mydomain.net. pfSense is my router with DNS Resolver enabled and the upstream is pointing at Cloudflare DNS.

      From the machines on my network, if I do a nslookup testing.mydomain.net 1.1.1.1 it will resolve correctly, but if I omit the DNS server, it goes to the pfSense box and refuses to resolve.

      Using the pfSense DNS Resolver lookup, any subdomain which is "cloudflare proxied" resolves, but not the standard DNS records. Off network it resolves fine, for example from my office network.

      Am I missing something super obvious?

      NOTE: I do not have any local zone defined; that might be my alternative to fix this, but I would really like to understand what obvious bit I'm missing.

      bingo600 @cromat
        last edited by bingo600

        @cromat

        I seem to remember unbound would "default" reject rfc1918 answers.

        I think ... Not 100% sure.
        You have to add

        server:
        private-domain: "mydomain.net"

        In the custom options window, in order to get it to accept rfc1918 answers, for that domain.

        It is some unbound trickery that allows those answers.

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

        cromat @bingo600
          last edited by

          @bingo600 Thank you so much! This is exactly the problem and with your hint I also found the portion of the documentation I missed.

          For others:
          https://nlnetlabs.nl/documentation/unbound/unbound.conf/

          private-domain: <domain name>
          Allow this domain, and all its subdomains to contain private addresses. Give multiple times to allow multiple domain names to contain private addresses. Default is none.

          johnpoz LAYER 8 Global Moderator @cromat
            last edited by
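          As an added illustration (not code from this thread, from pfSense or from unbound), here is a small Python model of the rebind check that explains both posts above: an answer whose A records fall in private ranges is dropped unless the queried name sits under a configured private-domain. The upstream answers, the mydomain.net name and the 192.168.x addresses are constructed sample data.

```python
import ipaddress

# Ranges a rebind-protecting resolver refuses in answers from the public
# internet. Constructed, illustrative subset: RFC 1918 plus loopback and link-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed upstream answers, as a public resolver such as 1.1.1.1 would return them.
UPSTREAM = {
    "mydomain.net":         ["198.51.100.7"],   # proxied: public edge address
    "testing.mydomain.net": ["192.168.1.50"],   # not proxied: the LAN host
    "attacker.example":     ["192.168.1.1"],    # what rebind protection exists to stop
}


def in_private_domain(name, private_domains):
    """True if name equals or is a subdomain of any configured private-domain."""
    name = name.rstrip(".").lower()
    for dom in private_domains:
        dom = dom.rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def filter_answer(qname, records, private_domains):
    """Return (kept, dropped) addresses, mimicking the rebind filter on an A answer."""
    allowed = in_private_domain(qname, private_domains)
    kept, dropped = [], []
    for ip in records:
        addr = ipaddress.ip_address(ip)
        if not allowed and any(addr in net for net in PRIVATE_NETS):
            dropped.append(ip)      # private address from a public name: stripped
        else:
            kept.append(ip)
    return kept, dropped


def custom_options(private_domains):
    """Render the Custom Options text the thread describes for the DNS Resolver."""
    lines = ["server:"] + [f'private-domain: "{d}"' for d in private_domains]
    return "\n".join(lines)


if __name__ == "__main__":
    for cfg in ([], ["mydomain.net"]):
        print("private-domain =", cfg or "none")
        for qname, rrs in UPSTREAM.items():
            print("  ", qname, filter_answer(qname, rrs, cfg))
```

          Without the private-domain line every 192.168.x answer is dropped, which is the symptom in the first post; with it, only the names under mydomain.net are exempted, so a private answer for an unrelated public name is still refused.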

            @cromat it's a really bad idea to put rfc1918 in public dns.. There is an rfc that clearly states it should not be done.

            The whole reason for rebind protection, etc.. While your private domain will work, it is normally meant for when you are talking to another local dns and not public dns.

            rfc1918 space does not belong in public domain dns..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            cromat @johnpoz
              last edited by

              @johnpoz I know, I just needed to test this out, it will be removed and a local zone will end up being used on the network as an override.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.