Netgate Discussion Forum

PFSense unable to resolve cloudflare entries when not proxied?

DHCP and DNS
  • cromat, Jan 10, 2023, 7:22 PM (last edited by cromat Jan 10, 2023, 7:32 PM)

    All, I have a domain registered in Cloudflare, call it mydomain.net, and I have DNS entries for *.mydomain.net that point to a local IP.

    From the machines on my network I can resolve mydomain.net but not anything under *.mydomain.net. pfSense is my router with DNS Resolver enabled, and upstream is pointing at Cloudflare DNS.

    From the machines on my network, if I do an nslookup testing.mydomain.net 1.1.1.1 it will resolve correctly, but if I omit the DNS server, it goes to the pfSense box and refuses to resolve.

    Using the pfSense DNS Resolver lookup, any subdomain which is "Cloudflare proxied" resolves, but standard DNS records do not. Off network it resolves fine, for example from my office network.

    Am I missing something super obvious?

    NOTE: I do not have any local zone defined; that might be my alternative fix for this, but I would really like to understand what obvious bit I'm missing.

    • bingo600 @cromat, Jan 10, 2023, 8:10 PM (last edited by bingo600 Jan 10, 2023, 8:11 PM)

      @cromat

      I seem to remember unbound would by "default" reject RFC 1918 answers.

      I think ... Not 100% sure.
      You have to add

      server:
          private-domain: "mydomain.net"

      in the custom options window, in order to get it to accept RFC 1918 answers for that domain.

      It is some unbound trickery that allows those answers.

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

      • cromat @bingo600, Jan 10, 2023, 8:27 PM

        @bingo600 Thank you so much! This is exactly the problem and with your hint I also found the portion of the documentation I missed.

        For others:
        https://nlnetlabs.nl/documentation/unbound/unbound.conf/

        private-domain: <domain name>
            Allow this domain, and all its subdomains to contain private
            addresses. Give multiple times to allow multiple domain names to
            contain private addresses. Default is none.

        • johnpoz (LAYER 8, Global Moderator) @cromat, Jan 10, 2023, 10:53 PM

          @cromat It's a really bad idea to put RFC 1918 addresses in public DNS. There is an RFC that clearly states it should not be done.

          That is the whole reason for rebind protection, etc. While your private-domain setting will work, it is normally meant for when you are talking to another local DNS server and not public DNS.

          RFC 1918 space does not belong in public domain DNS.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
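To make the mechanism behind bingo600's fix and johnpoz's warning concrete, here is an added Python model (written for this thread, not code from pfSense or from Unbound) of how a rebind-protected resolver treats answers that contain private addresses, and what a `private-domain` exception changes. The range list, the `filter_answers` / `resolve_zone` function names and the sample records (a "proxied" name answering with a TEST-NET-3 address and a non-proxied name answering with a LAN address) are all constructed for illustration; Unbound's own behaviour is governed by its `private-address` and `private-domain` options and is more involved than this sketch.

```python
# Added example (not from the thread, pfSense or Unbound): models how a resolver
# with rebind protection treats answers carrying private addresses, and how a
# "private-domain" exception changes that. Ranges and sample records are
# constructed for illustration.
import ipaddress

# Constructed approximation of the ranges a rebind-protected resolver refuses in
# public answers: RFC 1918 plus IPv4 link-local, IPv6 ULA and IPv6 link-local.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",
    "fd00::/8",
    "fe80::/10",
)]


def is_private_answer(ip: str) -> bool:
    """True if the address falls in a protected range (IPv4-mapped IPv6 is unwrapped)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    return any(addr in net for net in PRIVATE_RANGES)


def under_private_domain(qname: str, private_domains) -> bool:
    """True if qname equals, or is a subdomain of, any configured private-domain."""
    q = qname.rstrip(".").lower()
    for d in private_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def filter_answers(qname: str, answers, private_domains=()):
    """Split answers into (kept, dropped).

    Private addresses are dropped from the answer unless qname is covered by a
    private-domain entry, in which case every record is kept. The exception is
    scoped to the listed domain: other names keep getting their private answers
    stripped.
    """
    if under_private_domain(qname, private_domains):
        return list(answers), []
    kept, dropped = [], []
    for ip in answers:
        (dropped if is_private_answer(ip) else kept).append(ip)
    return kept, dropped


# Constructed zone: a proxied name answering with a public (TEST-NET-3) address
# and a non-proxied name answering with a LAN address, as described in the thread.
SAMPLE_ZONE = {
    "proxied.mydomain.net.": ["203.0.113.10"],
    "testing.mydomain.net.": ["192.168.1.50"],
}


def resolve_zone(private_domains=()):
    """Run every sample record through the filter; returns {name: (kept, dropped)}."""
    return {name: filter_answers(name, ips, private_domains)
            for name, ips in SAMPLE_ZONE.items()}


if __name__ == "__main__":
    for label, pd in (("no private-domain", ()),
                      ('private-domain: "mydomain.net"', ("mydomain.net",))):
        print(f"--- {label}")
        for name, (kept, dropped) in resolve_zone(pd).items():
            print(f"{name:26} kept={kept} dropped={dropped}")
```

Run stand-alone, the first pass shows the symptom from the opening post (the proxied name resolves, the LAN-pointing name comes back with nothing), and the second pass shows that listing `mydomain.net` as a private domain restores the answer only for names under that domain; a private address returned for any other public name is still stripped, which is the protection johnpoz is pointing at.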

          • cromat @johnpoz, Jan 10, 2023, 11:13 PM

            @johnpoz I know, I just needed to test this out. It will be removed, and a local zone will end up being used on the network as an override.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.