Only query external DNS after internal fails?
-
Is there a way to ensure that the DNS forwarder does not forward queries to the external DNS unless the internal lookup has failed? I'm using pfSense+ 23.05.1 with the DNS forwarder.
I have a host which is registered with the DNS forwarder via a DHCP static mapping to a local address, and I'm usually getting the wrong answer from DNS for it. Let's call it host-a.domain.com. The failure appears to happen because DNS is querying both internal and external sources and returns a combination of the results, which is wrong.
Externally we have a public IP registered in the external DNS which maps to host-b which we port forward. Externally the name host-a is an alias of host-b. When I do an internal lookup for host-a it appears to see that host-a is an alias of host-b and returns the internal IP for host-b which is wrong.
Sometimes the right address is returned, but it's less than 10% of the time.
-
@Zotan said in Only query external DNS after internal fails?:
I have a host which is registered with the DNS forwarder via a DHCP static mapping to a local address
I guess you're talking about a host override?
and I'm usually getting the wrong answer from DNS for it, let's call it host-a.domain.com, the failure appears to happen because DNS is querying both internal and external sources and returns a combination of the result which is wrong.
Are you sure that the client is requesting pfSense?
Maybe it does DoH or requests a public DNS directly instead. You can try to block both. Just do a nslookup or dig to verify which server is responding and which IP you get.
If a requested host name matches the host override, pfSense will not forward the request to a public server, but responds itself.
-
@Zotan said in Only query external DNS after internal fails?:
does not forward queries to the external DNS unless internal lookup has failed
This would be static zone vs transparent zone.
Say you use domain.tld as your local domain that also has public records. If you look up host.domain.tld and there is a local record for host, then that is what will be returned. But if you look up, say, otherthing.domain.tld and there is no local record for this, then with transparent it will ask the public DNS, either via resolving or forwarding.
With static zone type it will not.
https://nlnetlabs.nl/documentation/unbound/unbound.conf/
static: If there is a match from local data, the query is answered. Otherwise, the query is answered with nodata or nxdomain. For a negative answer a SOA is included in the answer if present as local-data for the zone apex domain.
transparent: If there is a match from local data, the query is answered. Otherwise if the query has a different name, the query is resolved normally. If the query is for a name given in local-data but no such type of data is given in local-data, then a noerror nodata answer is returned. If no local-zone is given, local-data causes a transparent zone to be created by default.
I have my zone set to static, not because I use the same domain public and local - because there would be zero point to do external query for anything in my zone that is not local, because it is not a public domain so why send noise to the internet.
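To make the static/transparent distinction concrete, here is a small model of the documented unbound local-zone semantics quoted above. This is an added example, not code from the thread, from unbound or from pfSense; the zone name, the local-data entries and the "public DNS" answers are constructed, and the forward() function stands in for whatever upstream unbound would resolve or forward to. It shows which queries stay inside the box and which ones go out under each zone type.

```python
"""Model of unbound local-zone 'static' vs 'transparent' answering behaviour."""
from typing import Dict, List, Tuple

# Constructed local zone and local-data, mirroring the thread's example:
# host.domain.tld has a local A record; nothing else in domain.tld is local.
LOCAL_ZONE = "domain.tld"
LOCAL_DATA: Dict[str, Dict[str, List[str]]] = {
    "host.domain.tld": {"A": ["192.168.1.10"]},
}

# Constructed answers a public server would give if the query left the box.
# 203.0.113.0/24 is documentation space (RFC 5737).
PUBLIC_DATA: Dict[str, Dict[str, List[str]]] = {
    "host.domain.tld": {"A": ["203.0.113.5"]},
    "otherthing.domain.tld": {"A": ["203.0.113.6"]},
    "www.example.com": {"A": ["203.0.113.7"]},
}

# (rcode, answer rdata, whether the query was sent upstream)
Answer = Tuple[str, List[str], bool]


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are canonical."""
    return name.rstrip(".").lower()


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)


def forward(name: str, qtype: str) -> Answer:
    """Stand-in for resolving/forwarding upstream (assumption: a plain lookup
    in the constructed PUBLIC_DATA table)."""
    rrs = PUBLIC_DATA.get(name, {})
    if not rrs:
        return ("NXDOMAIN", [], True)
    return ("NOERROR", rrs.get(qtype, []), True)


def resolve(qname: str, qtype: str, zone_type: str) -> Answer:
    """Answer a query the way the local-zone documentation describes.

    zone_type is 'static' or 'transparent'. Names outside LOCAL_ZONE are
    never covered by the zone, so they always go upstream in this model.
    """
    if zone_type not in ("static", "transparent"):
        raise ValueError("zone_type must be 'static' or 'transparent'")
    name = normalize(qname)

    if not in_zone(name, LOCAL_ZONE):
        return forward(name, qtype)

    rrs = LOCAL_DATA.get(name)
    if rrs is not None:
        if qtype in rrs:
            # Match from local data: answered locally in both zone types.
            return ("NOERROR", list(rrs[qtype]), False)
        # Name exists in local-data but not this type: NOERROR/NODATA,
        # answered locally in both zone types.
        return ("NOERROR", [], False)

    if zone_type == "static":
        # No local data for a different name: negative answer, nothing leaves.
        return ("NXDOMAIN", [], False)
    # transparent: a different name is resolved normally (goes upstream).
    return forward(name, qtype)


def queries_sent_upstream(zone_type: str, names: List[str]) -> List[str]:
    """Return the subset of names whose A query would leave the local box."""
    return [n for n in names if resolve(n, "A", zone_type)[2]]


if __name__ == "__main__":
    probes = ["host.domain.tld", "otherthing.domain.tld", "www.example.com"]
    for zt in ("static", "transparent"):
        print(f"--- local-zone {LOCAL_ZONE} {zt} ---")
        for n in probes:
            rcode, rdata, upstream = resolve(n, "A", zt)
            where = "upstream" if upstream else "local"
            print(f"{n:24} A  {rcode:8} {rdata!s:20} ({where})")
```

Under static, the only in-zone query that ever reaches a public server is none; otherthing.domain.tld gets NXDOMAIN locally, which is exactly why a private-only zone should be static. Under transparent, the same query is forwarded, and a public record can be returned for a name you did not define locally.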
-
@johnpoz said in Only query external DNS after internal fails?:
This would be static zone vs transparent zone.
In the DNS forwarder?
But true, I was wondering that he is using the forwarder, which is not the default.
-
@viragomann no that would be in unbound. Unbound can be used as a forwarder vs resolver. The setting would work in either mode. I am not sure if such a setting exists for dnsmasq, have not used since unbound was just a package in pfsense.
-
@viragomann said in Only query external DNS after internal fails?:
@Zotan said in Only query external DNS after internal fails?:
I have a host which is registered with the DNS forwarder via a DHCP static mapping to a local address
I guess you're talking about a host override?
No, I have "Register DHCP static mappings in DNS forwarder" set, there isn't a host override for this host.
Are you sure that the client is requesting pfSense?
Maybe it does DoH or requests a public DNS directly instead. You can try to block both. Just do a nslookup or dig to verify which server is responding and which IP you get.
If a requested host name matches the host override, pfSense will not forward the request to a public server, but responds itself.
Yes, if I use nslookup <host> <DNS forwarder> I see the same behaviour.
-
I've just added a Host override for host-a, applied it and I'm still getting the problem:
> nslookup host-a 192.168.10.1
Server:    192.168.10.1
Address:   192.168.10.1#53

Name:      host-a.domain
Address:   192.168.11.108
host-a.domain canonical name = host-b.domain
This time the IP is correct, but it still thinks it's an alias. This could be a cached result.
-
@Zotan I really don't think that sort of setting of transparent or static is possible in dnsmasq (the forwarder). Maybe in the advanced options, but I just looked and there is no GUI setting to do it like in unbound.
Best fix to be honest is not use the same domain locally that you do on the public, then you never have to worry. The current best practice for local domain is to use home.arpa
This is a special domain designed for local use only; there will never be a public domain. I am in the middle of a transition between my old local.lan and home.arpa, just moving stuff over as the certs expire, or as I feel like doing a changeover. My NAS is on the new domain, and a few other hosts, etc.
-
@johnpoz We've managed to get some more IP addresses so our plan is to stop using CNAMEs on public addresses. Hopefully that will change things for the better. Thanks.