Resolver works but not nslookup on PC
-
I have the Resolver working, resolving local hostnames over a VPN connection.
The PCs are set to use pfSense for DNS (192.168.2.254); however, nslookup on the PC fails to resolve.
As can be seen above, the hostname can be resolved if I manually specify the DNS server 100.96.1.1 in nslookup.
I have disabled the resolver rebind protection for the domain.
-
So "100.96.1.1" knows who "nsmrd101" is.
Is "192.168.2.54" asking "100.96.1.1"? Switch unbound/resolver to debug query (3 - or higher?) level to see what happens.
It's forwarding to "100.96.1.1"?
-
Extracted the following from the Resolver log.
I cannot post the log here as it gets flagged as Spam?
-
Interesting...
I swapped from the Resolver (in forward mode) to the Forwarder and it resolves perfectly.
-
@McMurphy have we not been over this multiple times already?
You need to do a fqdn lookup.. This is what you queried for
Apr 1 22:00:42 unbound 86364 [86364:0] info: processQueryTargets: nsmrd101.mydomain.local. A IN
That is a horrible choice for a local domain.. .local is for mdns, you shouldn't be using it as your actual tld.
Did you uncheck do dnssec, because the forwarder wouldn't be doing dnssec so that is a possible reason you got an answer?
At a complete loss as to why you would think you should need to obfuscate mydomain.local.
Your previous posts were sure not about mydomain.local.
-
@johnpoz said in Resolver works but not nslookup on PC:
> @McMurphy have we not been over this multiple times already?

Quite possibly. All making more sense now.

> You need to do a fqdn lookup.. This is what you queried for
> Apr 1 22:00:42 unbound 86364 [86364:0] info: processQueryTargets: nsmrd101.mydomain.local. A IN
> That is a horrible choice for a local domain.. .local is for mdns, you shouldn't be using it as your actual tld.

Not my choice. I inherited it.

> Did you uncheck do dnssec, because the forwarder wouldn't be doing dnssec so that is a possible reason you got an answer?

Bingo. Disabled DNSSEC and it now works with the forwarder. Ty.

> At a complete loss as to why you would think you should need to obfuscate mydomain.local.

I could edit the text in the log text to change the domain name but am unable to do so in the screenshots. It is .local though.

> Your previous posts were sure not about mydomain.local.
-
@McMurphy said in Resolver works but not nslookup on PC:
> Not my choice. I inherited it.

Well change it.. .local is mdns.. Trying to use it as your normal domain in actual dns can be problematic. The domain of choice currently is home.arpa, .internal is soon to be approved from my understanding... So you could use like mydomain.internal, or just home.arpa or mydomain.home.arpa
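
An added example, not written by any poster in this thread: unbound options that exempt only the forwarded private zone from DNSSEC validation, as an alternative to turning validation off for every lookup. The zone name and forwarder address are the ones quoted in the posts above; placing these lines in the pfSense Resolver's custom options box (rather than using its Domain Overrides page) is an assumption.

```conf
# Added example for unbound.conf (constructed; not from the thread).
# Zone name and forwarder address are the ones quoted in the posts above.

server:
    # Skip DNSSEC validation for this private zone only. The signed public
    # root has no delegation for .local, so a validating resolver treats
    # unsigned answers under it as bogus. All other names stay validated.
    domain-insecure: "mydomain.local"

    # Allow answers in this zone to contain addresses that rebind
    # protection (private-address) would otherwise strip.
    private-domain: "mydomain.local"

forward-zone:
    # Send queries for this zone to the DNS server across the VPN.
    name: "mydomain.local"
    forward-addr: 100.96.1.1
```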