Netgate Discussion Forum
    DNS Resolver vs. DNS Forwarder question

    DHCP and DNS
    10 Posts 5 Posters 901 Views
    aram535

      I have a semi-complex DNS setup and I'm trying to add my 3100 (23.09-RELEASE) as a forwarder for internal devices.

      I'm running PiHole (#53) and Bind9 (#5353) as its forwarder. Bind has the master zone for my internal domain and is only accessible from the local PiHole. (There is also a duplicate set as slave and PiHole Sync.)

      System > General > DNS Server -> 192.168.1.3, 192.168.1.2

      I tried setting up DNS Forwarder (which is really all I need) but it doesn't seem to be forwarding the request. I also tried the DNS Resolver to see if I was misunderstanding their differences and it's doing the same thing.

      Enable DNS Forwarder

      Query DNS Servers sequentially

      Port 53, ALL Interfaces
      Strict Binding

      netgate pfsense - 192.168.1.1
      pihole - 192.168.1.3

      $ dig +short @192.168.1.1 yahoo.com
      74.6.143.25
      74.6.143.26
      74.6.231.20
      74.6.231.21
      98.137.11.163
      98.137.11.164
      $ dig +short @192.168.1.1 gw.basement.lab
      $ dig +short @192.168.1.3 yahoo.com
      74.6.231.21
      74.6.231.20
      74.6.143.25
      74.6.143.26
      98.137.11.164
      98.137.11.163
      $ dig +short @192.168.1.3 gw.basement.lab
      192.168.1.1
      

      P.S. I don't think it makes a difference, but I do have a firewall rule disallowing 53/853 outbound from the network unless the request comes from the PiHole server.

        SteveITS @aram535

        @aram535 gw.basement.lab is presumably a private IP? See https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          aram535 @SteveITS

          @SteveITS Thank you. Yes it's an internal RFC1918.

          I did add the rebind-domain-ok=/basement.lab/ to the custom configuration and apply the changes however it is still not responding to DNS queries.

          Is it TLD aware? Because it's going out to the root servers.

          $ dig +all @192.168.1.1 gw.basement.lab
          
          ; <<>> DiG 9.18.19-1+ubuntu20.04.1+isc+1-Ubuntu <<>> +all @192.168.1.1 gw.basement.lab
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23076
          ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 1232
          ; COOKIE: f60947a4e1374fb701000000661b8ca4d7a146d0b883f233 (good)
          ;; QUESTION SECTION:
          ;gw.basement.lab.               IN      A
          
          ;; AUTHORITY SECTION:
          .                       10682   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024041400 1800 900 604800 86400
          
          ;; Query time: 0 msec
          ;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
          ;; WHEN: Sun Apr 14 03:58:28 EDT 2024
          ;; MSG SIZE  rcvd: 147
          

          I tried turning on and off the forwarding options but that seems to be for reverse and not A lookup.

          Query DNS Servers Sequentially

          Require Domain

          Do not forward private reverse lookups

          $ dig +all @192.168.1.1 gw.basement.lab A
          
          ; <<>> DiG 9.18.19-1+ubuntu20.04.1+isc+1-Ubuntu <<>> +all @192.168.1.1 gw.basement.lab A
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51621
          ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 1232
          ; COOKIE: 73c9b90c3a598fa601000000661b8caacbe1565215ddedce (good)
          ;; QUESTION SECTION:
          ;gw.basement.lab.               IN      A
          
          ;; AUTHORITY SECTION:
          .                       10676   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024041400 1800 900 604800 86400
          
          ;; Query time: 0 msec
          ;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
          ;; WHEN: Sun Apr 14 03:58:34 EDT 2024
          ;; MSG SIZE  rcvd: 147
          
            SteveITS @aram535

            @aram535 said in DNS Resolver vs. DNS Forwarder question:

            did add the rebind-domain-ok=/basement.lab/ to the custom configuration

            I have not used Forwarder as it was replaced by Resolver a long time ago. I know it works in Resolver:

            server:
            private-domain: "basement.lab"
            

            Resolver can be set to forward as well, but if you do that disable the DNSSEC option, since DNSSEC is handled by the forwarder.


              aram535 @SteveITS

              @SteveITS Thanks for that. I switched over to the Resolver and added the private-domain setting, but it's still going out to the root servers.

              192.168.1.3 is the internal master (pihole)

              Listen on port 53

              Enable SSL/TLS Service

              All interfaces
              All Outgoing interfaces
              Strict Outgoing Network interface binding

              System Domain Local Zone Type: Transparent
              DNSSEC

              DNS Query Forwarding

              Use SSL/TLS for outgoing

              Custom Options:

              server: 
              private-domain: basement.lab
              

              Via dig:

              $ dig +noall +auth @192.168.1.1 gw.basement.lab A
              .                       10527   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024041600 1800 900 604800 86400
              $ dig +short @192.168.1.3 gw.basement.lab A
              192.168.1.1
              

              I'll add this as well, if I use Diagnostics -> DNS Lookup
              gw.basement.lab resolves fine, so netgate can reach the DNS server and query it without issue.

                viragomann @aram535

                @aram535 said in DNS Resolver vs. DNS Forwarder question:

                Custom Options:

                server:
                private-domain: basement.lab

                Should look like this:

                server:
                private-domain: "basement.lab"
                

                Did you disable DNSSEC?
                Otherwise also add

                domain-insecure: "basement.lab"
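                The two pieces of advice in this thread (SteveITS's private-domain line, and viragomann's quoting and domain-insecure additions) put together as one complete unbound fragment. This is an added example, not configuration from the thread or from Netgate. It assumes the internal zone is basement.lab and the internal server is 192.168.1.3 as in the posts, and that the fragment goes into the DNS Resolver's Custom options box (pfSense's Domain Overrides page generates an equivalent forward-zone; the raw form is shown so that the directives that have to agree with each other sit side by side).

```conf
# Added example, not from the thread: send one internal zone to the internal
# server while keeping rebinding protection for the rest of the namespace.
# Assumed values (taken from the posts): zone basement.lab, internal server
# 192.168.1.3, LAN 192.168.1.0/24.

server:
    # pfSense emits private-address lines for the RFC1918 ranges when
    # "DNS Rebinding Checks" are on; that is what removes 192.168.x.x records
    # from answers. private-domain re-allows private addresses in answers for
    # this zone and its subdomains. The value must be quoted.
    private-domain: "basement.lab"

    # The zone is not DNSSEC-signed and the public root has no delegation for
    # .lab (the thread's dig shows NXDOMAIN from the root SOA), so a validating
    # unbound cannot build a chain of trust to it and returns SERVFAIL.
    # domain-insecure switches validation off for that name only. Needed
    # whenever DNSSEC stays enabled in the Resolver; harmless if it is off.
    domain-insecure: "basement.lab"
    domain-insecure: "1.168.192.in-addr.arpa"

    # unbound's built-in static zone 168.192.in-addr.arpa answers NXDOMAIN for
    # every reverse lookup in 192.168/16 before any forward-zone is consulted.
    # Declaring the subzone transparent lets the forward-zone below handle it
    # (unbound.conf(5), local-zone: "if you want to use a subzone, use
    # transparent").
    local-zone: "1.168.192.in-addr.arpa." transparent

# Only these names go to the internal server. Everything else is still
# resolved from the root, or sent wherever DNS Query Forwarding points.
forward-zone:
    name: "basement.lab."
    forward-addr: 192.168.1.3
    # The internal server speaks plain DNS on port 53; this overrides a global
    # "Use SSL/TLS for outgoing DNS Queries" setting for this zone only.
    forward-tls-upstream: no

forward-zone:
    name: "1.168.192.in-addr.arpa."
    forward-addr: 192.168.1.3
    forward-tls-upstream: no
```

                After applying, `dig +all @192.168.1.1 gw.basement.lab A` should return the A record. An NXDOMAIN whose AUTHORITY section is the SOA of "." (as in the replies pasted above) means the query never reached the forward-zone; a SERVFAIL with the forward-zone in place points at validation, i.e. the domain-insecure line. On a plain unbound host, `unbound-checkconf` validates the fragment before a reload.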
                
                  aram535 @viragomann

                  @viragomann said in DNS Resolver vs. DNS Forwarder question:

                  Did you disable DNSSEC?

                  Yes

                  from my previous post:

                  DNSSEC

                  Quoting the value and adding the private-insecure did not change anything. It still queries the root TLD.

                    Gertjan @aram535

                    @aram535 said in DNS Resolver vs. DNS Forwarder question:

                    Is it TLD aware

                    unbound, out of the box, is a resolver.
                    So, yes, it has the DNS root name servers built into the program. The IPs (v4 and v6) of these 13 root servers never change, as they are the foundation of the entire 'Internet DNS' system.
                    One, two, or more might be down for maintenance, or a cable broken, or whatever other peering reasons; as long as one of them works, your DNS works.

                    That said, if you are forwarding, you're not using these root servers, nor the TLDs (who give info about dot com, dot org, dot net, etc.), but some other remote DNS resolver(s) you've specified here:

                    [screenshot of the DNS server list omitted]

                    (I've none, as none are needed to make DNS work; you know why now.)

                    Most common are 8.8.8.8, 1.1.1.1, 9.9.9.9, etc.

                    I'm curious: how do you know that unbound, while in Forwarding mode, is still using the root servers?

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit: and where are the logs??
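                    Gertjan's question (how do you know unbound is still using the root servers while forwarding?) can be answered from the dig output already pasted in this thread: an NXDOMAIN whose AUTHORITY section is the SOA of "." from a.root-servers.net was produced by unbound recursing from the root, not by the internal server. The POSIX sh helper below is an added example, not code from the thread, that reads such a reply and names the situation. The verdict labels are the script's own, `SAMPLE_ROOT` is copied from aram535's post above, and the other three sample replies are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a `dig +all <name> A` reply
# from a pfSense/unbound resolver. Verdict labels are this script's own.
#
#   forwarded      ANSWER section non-empty: the query reached a server that
#                  knows the zone (the internal PiHole/Bind in this thread).
#   root-recursed  NXDOMAIN whose AUTHORITY SOA is the root zone ".": unbound
#                  walked the public tree itself, so no forward-zone / domain
#                  override covers the name.
#   empty          NOERROR with zero answers: what a client sees after
#                  rebinding protection (private-address) removed the RFC1918
#                  records for a name not listed in private-domain.
#   servfail       resolver failure: with DNSSEC on and the internal zone not
#                  marked domain-insecure, validation fails this way (unbound
#                  may also mark a stripped private answer bogus).
#   unknown        anything else (REFUSED, timeout, unparsable text).

classify_dig() {
    reply=$1
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$reply" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    # AUTHORITY lines of the form ".   <ttl>  IN  SOA  a.root-servers.net. ..."
    root_soa=$(printf '%s\n' "$reply" \
        | grep -c '^\.[[:space:]].*[[:space:]]IN[[:space:]][[:space:]]*SOA[[:space:]][[:space:]]*[a-m]\.root-servers\.net\.' || true)
    answers=${answers:-0}
    if [ "$answers" -gt 0 ]; then
        echo forwarded
    elif [ "$status" = NXDOMAIN ] && [ "$root_soa" -gt 0 ]; then
        echo root-recursed
    elif [ "$status" = NOERROR ]; then
        echo empty
    elif [ "$status" = SERVFAIL ]; then
        echo servfail
    else
        echo unknown
    fi
}

# Copied from aram535's post: NXDOMAIN, AUTHORITY is the root SOA.
SAMPLE_ROOT=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23076
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;gw.basement.lab.               IN      A
;; AUTHORITY SECTION:
.                       10682   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2024041400 1800 900 604800 86400
EOF
)

# Constructed: the reply once the zone is actually forwarded to 192.168.1.3.
SAMPLE_FORWARDED=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
gw.basement.lab.        3600    IN      A       192.168.1.1
EOF
)

# Constructed: records removed by rebinding protection.
SAMPLE_EMPTY=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)

# Constructed: validation failure.
SAMPLE_SERVFAIL=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)

# Live use:  sh dnstriage.sh 192.168.1.1 gw.basement.lab
# With no arguments, classify the embedded samples instead (works offline).
if [ -n "${2:-}" ]; then
    classify_dig "$(dig +all "@$1" "$2" A)"
else
    for s in SAMPLE_ROOT SAMPLE_FORWARDED SAMPLE_EMPTY SAMPLE_SERVFAIL; do
        eval "v=\$$s"
        printf '%s: %s\n' "$s" "$(classify_dig "$v")"
    done
fi
```

                    Run it against the resolver and then against the internal server (`192.168.1.1` and `192.168.1.3` in this thread): "forwarded" from the second and "root-recursed" from the first is exactly the situation the posts above describe, and means the forwarding configuration is not being applied to that zone rather than the answer being stripped.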

                      ahking19

                      I'm running PiHole (#53) and Bind9 (#5353) as its forwarder. <<

                      So DNS request flow is:
                      Client --> unbound --> PiHole --> Bind

                      Why the extra step of using unbound on pfSense? Why not hand out PiHole address to DHCP clients directly?

                      Also isn't the unbound cache going to affect the PiHole requests reporting?

                        aram535 @ahking19

                        @ahking19 There are 7 VLANs that I'd like to use pihole, but I don't want to expose the pihole directly on every VLAN. Using the netgate as the DHCP and DNS would just be easier. I don't care about the reporting of pihole.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.