DNS Forwarder, Sub-domains, and IPv6

  • I'm running into a problem where certain applications are requesting IPv6 DNS records for hosts. So for example, if I try to connect to a web server on my network using Google Chrome with a hostname of host1.subdomain.domain.com, it fails because it looks up the IPv6 host record, which points to a host that is not on a sub-domain (e.g., host1234.domain.com).

    myboxen:~ $ host host1.subdomain.domain.com
    host1.subdomain.domain.com has address <-- IPv4 address resolved by DNS forwarder
    host1.subdomain.domain.com is an alias for host1234.domain.com. <-- Looking up the IPv6 address?
    host1.subdomain.domain.com is an alias for host1234.domain.com. <-- Looking up the IPv6 address?

    My goal is to have pfSense exclusively resolve requests to subdomain.domain.com and not pass those on to another DNS server externally. So what should happen is that host1.subdomain.domain.com should fail on IPv6 and only return the IPv4 address of But I can't seem to figure out how to configure pfSense so that it works this way.

    Internally, my domain name is subdomain.domain.com. I have pfSense configured with the DNS forwarder. I also have static host overrides configured that map IP addresses to hostnames in the DNS forwarder.

    Has anyone encountered this issue before? I'd certainly appreciate any suggestions you might have. Thanks in advance!

  • It seems like you need the DNS Forwarder to be "authoritative" for subdomain.domain.com - you don't want it to refer queries (which come from your LAN side only) for that domain to anywhere else.
    Normally I would add a domain override which would refer unknown names in that domain to a local authoritative DNS server on the LAN (e.g. an internal AD Windows Server running DNS). That prevents any of those names from being referred upstream to the default DNS servers out in internet-land.
    Maybe you can add a domain override that points to a non-existent LAN IP address, so it will always fail. If DNS Forwarder already has all the names and IPv4 addresses that people care about in *.subdomain.domain.com then it will answer all these immediately. Only requests for mis-typed names will be referred to the "black hole" and suffer a time-out delay before being answered in the negative.

  • Thanks Phil, that pointed me in the right direction. The solution was to add the following line to the advanced options of the DNS Forwarder configuration page:
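The pfSense DNS Forwarder is dnsmasq, and its "Advanced" box takes raw dnsmasq directives. The fragment below is an added illustration of the two approaches discussed in this thread, not the poster's actual configuration (the exact line they used is not shown above). The hostnames are the thread's; the 192.0.2.x addresses are constructed documentation addresses. It contrasts the weak setup (host overrides only, so any record the forwarder cannot answer, such as the AAAA query Chrome sends for host1, is forwarded upstream and may leak internal names or resolve to an unrelated external host) with the authoritative setup, where dnsmasq never forwards queries for the zone.

```conf
# --- Weak: host override only (what pfSense generates for a static host override) ---
# dnsmasq has an A record for host1, but nothing tells it that it owns the zone, so a
# query type it cannot answer locally (AAAA, MX, ...) is still sent to the upstream servers.
host-record=host1.subdomain.domain.com,192.0.2.10

# --- Workaround from the reply above: domain override to a "black hole" address ---
# Queries for the zone that dnsmasq cannot answer itself go to a LAN IP with no DNS server
# (192.0.2.254 is a constructed, deliberately unreachable address). Nothing leaks upstream,
# but each miss waits for a timeout before the client gets a negative answer.
server=/subdomain.domain.com/192.0.2.254

# --- Preferred: make dnsmasq authoritative for the zone ---
# local= is the --server form with no address: anything under subdomain.domain.com is
# answered only from host-record / hosts / DHCP leases and is never forwarded. A record
# type or name it does not have gets an immediate negative response instead of a timeout.
local=/subdomain.domain.com/
```

Use either the `server=` workaround or the `local=` line, not both, for the same zone. After saving, a query such as `host host1.subdomain.domain.com <pfSense LAN IP>` should return the IPv4 address and no longer show the alias to host1234.domain.com for the IPv6 lookup; checking the upstream resolver's query log (if you run one) confirms that no subdomain.domain.com names leave the LAN.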

