DNS Forwarder returns internal A record, but also external CNAME
-
I've got several local records set up in the DNS forwarder on my pfSense box, running 1.2.3. When I query the forwarder, I get the (correct) internal A record, but I also get the CNAME records from outside, which makes accessing internal services a little inconsistent.
In the example shown in the screenshots, the record "vox.baz.org" has an internal A record on the DNS forwarder, and CNAME records in the zone served externally. When I run "host -v vox.baz.org" I get the following back from the DNS forwarder on the pfSense machine:
    Trying "vox.baz.org"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49541
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;vox.baz.org. IN A

    ;; ANSWER SECTION:
    vox.baz.org. 0 IN A 172.17.1.12

    Received 45 bytes from 172.17.1.1#53 in 2 ms
    Trying "vox.baz.org"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27151
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;vox.baz.org. IN AAAA

    ;; ANSWER SECTION:
    vox.baz.org. 81989 IN CNAME baz.is-a-geek.net.

    ;; AUTHORITY SECTION:
    is-a-geek.net. 1562 IN SOA ns1.dyndns.org. hostmaster.dyndns.org. 2011252371 10800 1800 604800 1800

    Received 118 bytes from 172.17.1.1#53 in 20 ms
    Trying "vox.baz.org"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19973
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;vox.baz.org. IN MX

    ;; ANSWER SECTION:
    vox.baz.org. 81989 IN CNAME baz.is-a-geek.net.

    ;; AUTHORITY SECTION:
    is-a-geek.net. 1562 IN SOA ns1.dyndns.org. hostmaster.dyndns.org. 2011252371 10800 1800 604800 1800

    Received 118 bytes from 172.17.1.1#53 in 18 ms
Seems like it should just return the A record, no? As memory serves, I believe this behavior cropped up when I upgraded to 1.2.3.
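The mismatch in the output above can be checked mechanically. The following is an added example, not part of the original post and not pfSense code: it parses `host -v` output and reports each query type that returned a forwarded CNAME for a name the forwarder also answers authoritatively (`aa` flag) with an address record. The function names are hypothetical, and the sample is the post's own output with the header lines, blank lines and MX query trimmed.

```python
import re

# `host -v` output taken from the post above, trimmed (assumption: same layout).
SAMPLE = """\
Trying "vox.baz.org"
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;vox.baz.org. IN A
;; ANSWER SECTION:
vox.baz.org. 0 IN A 172.17.1.12
Received 45 bytes from 172.17.1.1#53 in 2 ms
Trying "vox.baz.org"
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;vox.baz.org. IN AAAA
;; ANSWER SECTION:
vox.baz.org. 81989 IN CNAME baz.is-a-geek.net.
;; AUTHORITY SECTION:
is-a-geek.net. 1562 IN SOA ns1.dyndns.org. hostmaster.dyndns.org. 2011252371 10800 1800 604800 1800
Received 118 bytes from 172.17.1.1#53 in 20 ms
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$", re.M)
ANSWER = re.compile(r"^;; ANSWER SECTION:\n(.*?)(?=^;;|^Received|\Z)", re.M | re.S)

def parse_host_verbose(text):
    """Return one dict per query: question name/type, aa flag, answer RRs."""
    responses = []
    for block in re.split(r'^Trying ".*"$', text, flags=re.M)[1:]:
        question = re.search(r"^;(\S+)\s+IN\s+(\S+)$", block, re.M)
        if not question:
            continue  # truncated or failed lookup: nothing to compare
        section = ANSWER.search(block)
        responses.append({
            "name": question.group(1), "qtype": question.group(2),
            "aa": bool(re.search(r"^;; flags:[a-z ]*\baa\b", block, re.M)),
            "answers": RR.findall(section.group(1)) if section else [],
        })
    return responses

def mixed_answers(responses):
    """(name, qtype, target) where a forwarded CNAME shadows a local override."""
    local = {r["name"] for r in responses
             if r["aa"] and any(rr[2] in ("A", "AAAA") for rr in r["answers"])}
    return [(rr[0], r["qtype"], rr[3]) for r in responses if not r["aa"]
            for rr in r["answers"] if rr[2] == "CNAME" and rr[0] in local]

if __name__ == "__main__":
    for name, qtype, target in mixed_answers(parse_host_verbose(SAMPLE)):
        print(f"{name} {qtype}: forwarded upstream, CNAME -> {target}")
```
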