Netgate Discussion Forum

    Can't get DNS Wildcarding to work properly

    Category: DHCP and DNS
    7 Posts 3 Posters 571 Views
      bryon

      Hi,
      I have been following this doco (https://docs.netgate.com/pfsense/en/latest/services/dns/wildcards.html#dns-resolver-unbound) to configure DNS wildcarding for an app on my internal network and it is not working for me.
      I've scanned the forums and I think I am following all the advice that has been previously given so I am at a loss... Any suggestions would be more than welcome. pfSense version is: 2.7.2.

      Background:
      I have an application that sits at the address sno.mydomain.net. mydomain.net is the top-level domain.
      I have configured the following in the DNS Resolver:

      server:
        local-zone: "apps.sno.mydomain.net" redirect
        local-zone: "*.apps.sno.mydomain.net" redirect
        local-data: "*.apps.sno.mydomain.net 3600 IN A 10.10.10.254"
        local-data: "api.sno.mydomain.net 3600 IN A 10.10.10.254"
      

      To be sure I am first flushing the DNS cache on my laptop:

      $ sudo systemctl restart systemd-resolved.service
      

      I then test the DNS resolution as follows. You can see that api.sno.mydomain.net resolves fine, but the wildcard does not.

      $ dig api.sno.mydomain.net
      
      ; <<>> DiG 9.18.26 <<>> api.sno.mydomain.net
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38057
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 65494
      ;; QUESTION SECTION:
      ;api.sno.mydomain.net.		IN	A
      
      ;; ANSWER SECTION:
      api.sno.mydomain.net.	3600	IN	A	10.10.10.254
      
      ;; Query time: 1 msec
      ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
      ;; WHEN: Wed Jun 12 22:29:03 AEST 2024
      ;; MSG SIZE  rcvd: 66
      

      Then I test the wildcarded domain:

      $ dig test.apps.sno.mydomain.net
      
      ; <<>> DiG 9.18.26 <<>> test.apps.sno.mydomain.net
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 65494
      ;; QUESTION SECTION:
      ;test.apps.sno.mydomain.net.	IN	A
      
      ;; Query time: 1 msec
      ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
      ;; WHEN: Wed Jun 12 22:29:10 AEST 2024
      ;; MSG SIZE  rcvd: 56
      
        viragomann @bryon

        @bryon
        Try this order in the custom options:

        server:
          local-zone: "*.apps.sno.mydomain.net" redirect
          local-data: "*.apps.sno.mydomain.net 3600 IN A 10.10.10.254"
          local-data: "api.sno.mydomain.net 3600 IN A 10.10.10.254"
          local-zone: "apps.sno.mydomain.net" redirect
        
          bryon @viragomann

          @viragomann said in Can't get DNS Wildcarding to work properly:

          Thanks for the tip. I tried this but without success. Based on my reading of the doco the order is not important. local-zone is always evaluated before local-data and the order is only for readability, but it was worth a shot for sure.

          Because apps.sno.mydomain.net is not a URL I will ever use, I have also tried this configuration without success.

          server:
            local-zone: "*.apps.sno.mydomain.net" redirect
          
            local-data: "*.apps.sno.mydomain.net 3600 IN A 10.10.10.254"
            local-data: "api.sno.mydomain.net 3600 IN A 10.10.10.254"
          

          Again, api.sno.mydomain.net resolves just fine but test.apps.sno.mydomain.net does not.

            johnpoz LAYER 8 Global Moderator @bryon

            @bryon you wouldn't put a * in the zone. Nor would you use a . in front of it.

            What exactly are you trying to accomplish?

            [image: redirect.jpg]

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              bryon @johnpoz

              @johnpoz
              Thanks. That got it working, but it seems to contradict the doco I found. Everything I have read indicates you need to include the *. in the config. I think I tried every combination but the one you suggested! :)

              What I am trying to do is have pfSense front a Kubernetes cluster (Single Node OpenShift that is sitting at 10.10.10.254).

              There are two ingresses:
              The API interface which uses api.<cluster base domain>
              The web UI and routes interface/ingress at *.apps.<cluster base domain>

              The cluster will then handle the internal routing.

              Question: given there is no use for apps.sno.mydomain.net, can you set up a rule where that specific URL will not resolve? I.e. I want *.apps.sno.mydomain.net to resolve, but not apps.sno.mydomain.net.

                johnpoz LAYER 8 Global Moderator @bryon (last edited by johnpoz)

                @bryon *. is a BIND thing, not unbound.

                Not sure where you were looking, but here it is in the pfSense docs:

                https://docs.netgate.com/pfsense/en/latest/services/dns/wildcards.html#creating-wildcard-records-in-dns-forwarder-resolver

                  bryon @johnpoz
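To make the two replies from johnpoz concrete, here is an added illustration that is not code from the thread, from unbound or from pfSense: a small Python model of the one unbound rule that explains the observed behaviour. Per unbound.conf(5), zone names are matched label for label, so a `*` in a `local-zone` name is a literal label and never a wildcard, and a `redirect` zone answers the zone name and every name beneath it from the `local-data` held at the zone name itself. Everything else is simplified and is my assumption, in particular the implicit transparent zone that answers stray `local-data` such as the api record. `ORIGINAL_OPTIONS` is bryon's first configuration verbatim; `FIXED_OPTIONS` is the shape the linked pfSense docs describe (no `*.` in the zone, data at the zone name), reconstructed here rather than copied from the screenshot. Entries are keyed by name, so line order is irrelevant, matching bryon's reading of the docs.

```python
"""
Toy model of unbound's local-zone / local-data lookup (added illustration,
not unbound's or pfSense's own code). It implements one rule from
unbound.conf(5): a `redirect` zone answers the zone name and every name
below it with the local-data held at the zone name, and zone names are
matched label for label, so "*" is a literal label, never a wildcard.
"""
import re

# bryon's first custom-options block, as posted in the thread
ORIGINAL_OPTIONS = """
server:
  local-zone: "apps.sno.mydomain.net" redirect
  local-zone: "*.apps.sno.mydomain.net" redirect
  local-data: "*.apps.sno.mydomain.net 3600 IN A 10.10.10.254"
  local-data: "api.sno.mydomain.net 3600 IN A 10.10.10.254"
"""

# Reconstruction (assumption) of the docs' form: zone without "*.", data at the apex
FIXED_OPTIONS = """
server:
  local-zone: "apps.sno.mydomain.net" redirect
  local-data: "apps.sno.mydomain.net 3600 IN A 10.10.10.254"
  local-data: "api.sno.mydomain.net 3600 IN A 10.10.10.254"
"""

_ZONE_RE = re.compile(r'^local-zone:\s*"([^"]+)"\s+(\S+)')
_DATA_RE = re.compile(r'^local-data:\s*"([^"]+)"')


def canon(name):
    """Lower-case, trailing dot stripped: the form used for every comparison."""
    return name.strip().rstrip(".").lower()


def parse(text):
    """Return (zones, data): zone name -> type, owner name -> [(ttl, rrtype, rdata)].
    Keyed by name, so the order of the lines does not matter."""
    zones, data = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _ZONE_RE.match(line):
            zones[canon(m.group(1))] = m.group(2)
        elif m := _DATA_RE.match(line):
            owner, ttl, _cls, rrtype, rdata = m.group(1).split(None, 4)
            data.setdefault(canon(owner), []).append((int(ttl), rrtype, rdata))
    return zones, data


def enclosing_zone(zones, qname):
    """Longest configured zone that equals qname or is an ancestor of it.
    Labels are compared literally: "*.apps..." only encloses names whose
    next label really is "*", which is why it never matches test.apps..."""
    best = None
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def lookup(cfg, qname, rrtype="A"):
    """Answer a query from local data.

    Returns a list of rdata (an empty list models the NOERROR / ANSWER: 0
    reply bryon's dig showed) or None when the name is not local at all and
    unbound would recurse upstream."""
    zones, data = cfg
    qname = canon(qname)
    zone = enclosing_zone(zones, qname)
    if zone is None:
        # Simplification: local-data with no enclosing local-zone gets an
        # implicit transparent zone, so exact-name data still answers.
        if qname not in data:
            return None
        owner = qname
    elif zones[zone] == "redirect":
        owner = zone       # whole subtree, apex included, answered from apex data
    else:
        owner = qname      # other zone types: exact-name data only (simplified)
    return [rd for (_ttl, t, rd) in data.get(owner, []) if t == rrtype]


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_OPTIONS), ("fixed", FIXED_OPTIONS)):
        cfg = parse(text)
        for q in ("api.sno.mydomain.net", "test.apps.sno.mydomain.net",
                  "apps.sno.mydomain.net", "other.sno.mydomain.net"):
            print(f"{label:8} {q:28} -> {lookup(cfg, q)}")
```

Run it and the original options give an empty answer for test.apps.sno.mydomain.net (the query falls into the redirect zone apps.sno.mydomain.net, whose apex holds no data, while the literal "*.apps..." zone encloses nothing), whereas the fixed options answer it with 10.10.10.254. Note that a redirect zone also answers its own apex, so apps.sno.mydomain.net resolves under the fixed options too, which is the behaviour bryon's follow-up question is about.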

                  @johnpoz Got it. Thanks.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.