Netgate Discussion Forum
    DNS Forwarder, Sub-domains, and IPv6

    digm

      I'm running into a problem where certain applications are requesting IPv6 DNS records for hosts. So for example, if I try to connect to a web server on my network using Google Chrome with a hostname of host1.subdomain.domain.com, it fails because it looks up the IPv6 host record, which points to a host that is not on a sub-domain (e.g., host1234.domain.com).

      myboxen:~ $ host host1.subdomain.domain.com
      host1.subdomain.domain.com has address 172.25.1.3 <-- IPv4 address resolved by DNS forwarder
      host1.subdomain.domain.com is an alias for host1234.domain.com. <-- Looking up the IPv6 address?
      host1.subdomain.domain.com is an alias for host1234.domain.com. <-- Looking up the IPv6 address?

      My goal is to have pfSense exclusively resolve requests to subdomain.domain.com and not pass those onto another DNS server externally. So what should happen is that host1.subdomain.domain.com should fail on IPv6 and only return the IPv4 address of 172.25.1.3. But I can't seem to figure out how to configure pfSense so that it works this way.

      Internally, my domain name is subdomain.domain.com. I have pfSense configured with the DNS forwarder. I also have static host overrides configured that map IP addresses to hostnames in the DNS forwarder.

      Has anyone encountered this issue before? I'd certainly appreciate any suggestions you might have. Thanks in advance!

    phil.davis

        It seems like you need the DNS Forwarder to be "authoritative" for subdomain.domain.com - you don't want it to refer queries (which come from your LAN side only) for that domain to anywhere else.
        Normally I would add a domain override which would refer unknown names in that domain to a local authoritative DNS server on the LAN (e.g. an internal AD Windows Server running DNS). That prevents any of those names from being referred upstream to the default DNS servers out in internet-land.
        Maybe you can add a domain override that points to a non-existent LAN IP address, so it will always fail. If DNS Forwarder already has all the names and IPv4 addresses that people care about in *.subdomain.domain.com then it will answer all these immediately. Only requests for mis-typed names will be referred to the "black hole" and suffer a time-out delay before being answered in the negative.

    digm

          Thanks Phil, that pointed me in the right direction. The solution was to add the following line to the advanced options of the DNS Forwarder configuration page:

          local=/subdomain.domain.com/

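To make the three configurations in this thread concrete, here is an added example, not code from the thread, from dnsmasq or from pfSense, that models how a dnsmasq-based forwarder decides between answering from its own host records, forwarding to the upstream named in the most specific matching `server=/domain/...` line, and the no-upstream behaviour of `local=/domain/`. It shows why the original setup leaked the AAAA query for an internal name to the public resolver (where the public zone's CNAME answered for it), why a domain override to an unused address only converts that leak into a timeout, and why `local=` makes the forwarder answer negatively at once. The upstream 192.0.2.53, the blackhole address 192.0.2.254 and the `host-record=` line standing in for the pfSense host override are assumptions; the NODATA/NXDOMAIN split for unanswerable local names is a simplification of dnsmasq's real negative answers.

```python
"""Model of dnsmasq forward-vs-answer-locally decisions (constructed example,
not dnsmasq or pfSense code).  The three configs mirror the thread: plain
forwarder, a blackhole domain override, and a local=/domain/ line."""
import ipaddress
from dataclasses import dataclass, field

# pfSense host override for host1 -> assumed to become a host-record line.
# 192.0.2.53 stands in for the poster's real upstream resolver (assumption).
CONFIG_FORWARDING = """
host-record=host1.subdomain.domain.com,172.25.1.3
server=192.0.2.53
"""
# Phil's suggestion: override the whole subdomain to an unused LAN address.
CONFIG_BLACKHOLE = CONFIG_FORWARDING + "server=/subdomain.domain.com/192.0.2.254\n"
# digm's fix: local= is server= with no upstream, so nothing is forwarded.
CONFIG_LOCAL = CONFIG_FORWARDING + "local=/subdomain.domain.com/\n"


@dataclass
class Config:
    hosts: dict = field(default_factory=dict)     # name -> {qtype: [addr]}
    domains: dict = field(default_factory=dict)   # suffix -> upstream or None
    default_upstream: list = field(default_factory=list)


def parse(text: str) -> Config:
    """Parse the subset of dnsmasq syntax used above."""
    cfg = Config()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition("=")
        if key == "host-record":
            name, *addrs = [p.strip() for p in val.split(",")]
            for a in addrs:
                ip = ipaddress.ip_address(a)
                rtype = "AAAA" if ip.version == 6 else "A"
                cfg.hosts.setdefault(name.lower(), {}).setdefault(rtype, []).append(str(ip))
        elif key in ("server", "local"):
            if val.startswith("/"):
                # server=/suffix/upstream  or  local=/suffix/  (empty upstream)
                _, suffix, upstream = val.split("/", 2)
                cfg.domains[suffix.lower()] = upstream or None
            else:
                cfg.default_upstream.append(val)
    return cfg


def matching_domain(cfg: Config, name: str):
    """dnsmasq uses the most specific (longest) matching domain suffix."""
    best = None
    for suffix in cfg.domains:
        if name == suffix or name.endswith("." + suffix):
            if best is None or len(suffix) > len(best):
                best = suffix
    return best


def resolve(cfg: Config, qname: str, qtype: str):
    """Return (decision, addresses-or-upstreams) for a query."""
    name = qname.lower().rstrip(".")
    recs = cfg.hosts.get(name, {})
    if qtype in recs:
        return ("ANSWER", list(recs[qtype]))      # answered from host records
    suffix = matching_domain(cfg, name)
    if suffix is not None:
        upstream = cfg.domains[suffix]
        if upstream is None:
            # local=/suffix/: never forwarded; negative answer immediately.
            return ("NODATA" if recs else "NXDOMAIN", [])
        return ("FORWARD", [upstream])           # domain override target
    return ("FORWARD", list(cfg.default_upstream))


if __name__ == "__main__":
    for label, text in (("forwarding", CONFIG_FORWARDING),
                        ("blackhole", CONFIG_BLACKHOLE),
                        ("local=", CONFIG_LOCAL)):
        cfg = parse(text)
        for q in (("host1.subdomain.domain.com", "A"),
                  ("host1.subdomain.domain.com", "AAAA"),
                  ("typo.subdomain.domain.com", "A"),
                  ("www.domain.com", "A")):
            print(f"{label:11} {q[0]:30} {q[1]:5} -> {resolve(cfg, *q)}")
```

The security point the model makes visible: in the plain forwarding case every query the forwarder cannot answer itself, including AAAA lookups for internal hostnames, goes to the public resolver, which both discloses internal names and lets whoever controls the public `domain.com` zone answer for them. The blackhole override stops the disclosure but leaves clients waiting on a timeout; `local=` gives an immediate negative answer and keeps the internal zone entirely inside pfSense.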
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.