[solved] Using one interface for Domain Overrides only?

Bob.Dig · Feb 3, 2025, 2:19 PM

~~I have another router behind pfSense. That router has its own domain name. I do query it from pfSense for this domain name via Domain Overrides in the resolver.~~
But the resolver will also send every DNS query via the interface to that other router, which I don't like.
It seems, I can't block the resolver doing that with firewall rules because you can't block the firewall itself.

~~What are my options within pfSense?~~

Bob.Dig · Feb 3, 2025, 1:33 PM

I guess I solved it by not allowing pfSense to have internet access on that other router.
So at least those querys won't come back into pfSense on that other router's WAN-interface.

Gertjan · Feb 3, 2025, 1:40 PM

@Bob-Dig

Can you specify a different configuration for different interfaces in unbound? ?

johnpoz · Feb 3, 2025, 1:44 PM

@Bob-Dig huh?

If I set an IP internally for a domain override for say somedomain.tld, only queries that are for host.somedomain.tld will be sent there - not all other queries.

Bob.Dig · Feb 3, 2025, 1:52 PM

@Gertjan @johnpoz Yeah, my guess is, you can do a lot with manual unbound config changes but I am more a GUI-type person.

But if you guys want to hand me the answer on a silver platter, I don't say no.

Bob.Dig · Feb 3, 2025, 1:53 PM

@johnpoz said in Using one interface for Domain Overrides only?:

If I set an IP internally for a domain override for say somedomain.tld, only queries that are for host.somedomain.tld will be sent there - not all other queries.

Unbound in pfSense always uses all interfaces (or all that are selected) for upstream querys or what did I miss? My "problem" is that a query also goes through the interface to that other router, then goes out its WAN, which is a LAN of pfSense and so on, I would like to stop this... I kinda did on that other router by not allowing pfSense to have internet access.

johnpoz · Feb 3, 2025, 1:59 PM

@Bob-Dig just because all interfaces are set.. it wouldn't send traffic to some internal IP for google.com - unless that internal IP was also a gateway in your routing.

Bob.Dig · Feb 3, 2025, 2:08 PM

@johnpoz said in Using one interface for Domain Overrides only?:

it wouldn't send traffic to some internal IP for google.com - unless that internal IP was also a gateway in your routing

Interesting. Right now it is set up as a WAN-type interface. I guess I did it for NAT etc. but I can have that without being a WAN-type interface... Thanks John! Makes sense if I think about it.