Dnsmasq/dns forwarder extra options



  • Hi all, I want to add the following options to the dns forwarder in pfsense 2.0.3

    
       domain=mylan.lan
       server=/dev/172.25.25.56
       local=/mylan.lan/
       expand-hosts
       strict-order
       bogus-nxdomain=67.215.65.132
    
    

    I have put them into the advanced box in dns forwarder (minus line 1 and line 3), however they have no effect.  If I do a "dig myweb.dev" the request does not go to the specified server 172.25.25.56.

    How do I do this correctly?

    Thanks.



  • You restarted the DNS forwarder? or rebooted the system?



  • @wallabybob:

    You restarted the DNS forwarder? or rebooted the system?

    Yes I have.

    I have now readjusted my advanced back to

    
    strict-order
    server=/dev/172.25.25.56
    local=/mylan.lan/
    expand-hosts
    domain=mylan.lan
    bogus-nxdomain=67.215.65.132
    
    

    Now I think that the advanced box is indeed working, because if I put in the "bogus-nxdomain=67.215.65.132" and then do a ping on mysite.dev I get a "ping: unknown host mysite.dev".

    If I take it out and ping mysite.dev then I get a ping reply from "67.215.65.132", which is one of openDNS's catch-alls.

    BUT somehow the "server=/dev/172.25.25.56" line is not working as expected and I am not sure why.

    I know my dns at that location is up because if I do a "dig @172.25.25.56 mysite.dev" I get the reading I would expect to have also got for a "dig mysite.dev".

    Is there something I am missing perhaps?

    P.S.  Previously this is what I would have also had in the advanced dnsmasq box of ddwrt.  So I don't know if there is a difference in syntax between pfsense and ddwrt, although dnsmasq is dnsmasq.



  • Hi again.

    I found a work-around.

    On the same page at the bottom is a place called DNS Overrides whose description is:

    Entries in this area override an entire domain by specifying an authoritative DNS server to be queried for that domain.
    

    So I set my internal authoritative nameserver for the .dev domain there and it now seems to give me that missing dnsmasq functionality in pfsense back.



  • As you have found, the server directive for DNSmasq is written from the domain overrides section in pfSense. So you don't (can't effectively) put that in the advanced box also.



  • @phil.davis:

    As you have found, the server directive for DNSmasq is written from the domain overrides section in pfSense. So you don't (can't effectively) put that in the advanced box also.

    Do you know which of the below directives are written for dnsmasq from various other parts of pfsense?

    
    strict-order
    local=/mylan.lan/
    expand-hosts
    domain=mylan.lan ; is this system -> general setup -> Domain?
    dhcp-authoritative
    bogus-nxdomain=67.215.65.132
    
    


  • From /etc/inc/services.inc services_dnsmasq_configure():
    The following 3 default values can be overridden successfully in the Advanced box:

    	// hard coded args: will be removed to avoid duplication if specified in custom_options
    	$standard_args = array(
    		"dns-forward-max" => "--dns-forward-max=5000",
    		"cache-size" => "--cache-size=10000",
    		"local-ttl" => "--local-ttl=1"
    	);
    

    These things are set in dnsmasq if the corresponding box is selected/filled-in in the GUI:

    --port=
    --listen-address=
    --bind-interfaces
    --server=/10.in-addr.arpa/   ... (a list of private reverse lookup blackholes when no_private_reverse is enabled)
    --server= ... domain overrides
    --strict-order
    --domain-needed
    --rebind-localhost-ok
    --stop-dns-rebind
    --all-servers
    

    The code in services.inc is easy enough to read. You can see there exactly which GUI box corresponds to which parameter.
    Edit add: The items in this second list are not checked against what is entered in the Advanced box. Stuff in the Advanced box must NOT have the "--" specified. The "--" is automatically prepended by the code that implements the advanced settings. Therefore you SHOULD be able to put "server=" clauses in the advanced box and they would add to the domain overrides specified on the GUI - you would have to test that to confirm it really works.



  • @phil.davis:

    From /etc/inc/services.inc services_dnsmasq_configure():

    Thanks.
    This is good, so even if I put the --server=/a/b directive in the advanced box pfsense will strip it out and no harm done.



  • I realize this is a little belated, and it may be specific to 2.0.1 …

    Technically Phil.Davis, you are both right and wrong ... Thanks to your hint about the services.inc file, I read the code, and I noticed that it creates two separate commands for each domain override ... it creates both a "--server=/domain/ip" and a "--rebind-domain-ok=/domain/" entry ... without the "rebind-domain-ok=" pfsense ignores the "server=" to protect against dns poisoning ... (It is noted in the DNSMasq documentation that it is inadvisable to use "rebind-domain-ok=" due to security issues, but that's a different argument.)

    So I tested it, and was able to confirm (at least with 2.0.1) that you can use the "server=/domain/ip" command in the advanced option box, if it is followed by "rebind-domain-ok=/domain/".

    eg:

    server=/domain/192.168.0.1
    server=/domain/192.168.0.2
    rebind-domain-ok=/domain/

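    To check an Advanced-box snippet against the two behaviours described in this thread (phil.davis: pfSense prepends "--" itself and de-duplicates dns-forward-max, cache-size and local-ttl; albrandwood: a server=/domain/ip line only takes effect under --stop-dns-rebind when a rebind-domain-ok=/domain/ line accompanies it), here is a small linter. It is an added example, not pfSense or dnsmasq code, and the STANDARD_ARGS values and the stop-dns-rebind default are assumptions taken from the posts above.

```python
"""Lint pfSense 2.0.x 'Advanced' dnsmasq options before pasting them in.

Added example, not pfSense or dnsmasq code. It assumes, as the thread
describes, that pfSense prepends '--' to every Advanced line, drops its own
hard-coded args when the box overrides them, and runs dnsmasq with
--stop-dns-rebind, so server=/domain/ip needs rebind-domain-ok=/domain/.
"""

# Defaults pfSense drops when the Advanced box supplies the same option (from the thread).
STANDARD_ARGS = {"dns-forward-max": "5000", "cache-size": "10000", "local-ttl": "1"}


def parse_advanced(text):
    """Return [(key, value, had_dashes)] for each non-empty Advanced-box line."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # allow a trailing '# comment'
        if not line:
            continue
        had_dashes = line.startswith("-")        # user typed '--', which pfSense would double
        key, _, value = line.lstrip("-").partition("=")
        opts.append((key, value, had_dashes))
    return opts


def render_args(text):
    """Command-line form pfSense builds: '--' is prepended to each option."""
    return ["--%s=%s" % (k, v) if v else "--" + k for k, v, _ in parse_advanced(text)]


def lint(text, stop_dns_rebind=True):
    """Return human-readable warnings; an empty list means the box looks consistent."""
    opts = parse_advanced(text)
    warnings = []
    ok_domains = {v.strip("/") for k, v, _ in opts if k == "rebind-domain-ok"}
    for key, value, had_dashes in opts:
        if had_dashes:
            warnings.append("%s: drop the leading '--', pfSense adds it itself" % key)
        if key in STANDARD_ARGS:
            warnings.append("%s: overrides pfSense default %s" % (key, STANDARD_ARGS[key]))
        if key == "server" and value.startswith("/"):
            domain, _, upstream = value[1:].partition("/")
            if stop_dns_rebind and domain not in ok_domains:
                warnings.append(
                    "server=/%s/%s: answers with private addresses will be rejected by "
                    "--stop-dns-rebind; add rebind-domain-ok=/%s/" % (domain, upstream, domain))
    return warnings


if __name__ == "__main__":
    # Constructed sample: the first poster's Advanced box from this thread.
    SAMPLE = "server=/dev/172.25.25.56\nlocal=/mylan.lan/\nexpand-hosts\nstrict-order\n"
    for w in lint(SAMPLE):
        print(w)
    print(render_args(SAMPLE))
```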



  • @albrandwood:

    So I tested it, and was able to confirm (at least with 2.0.1) you can use the "server=/domain/ip" command in the advanced option box, if it is followed by "rebind-domain-ok=/domain/"

    eg:

    server=/domain/192.168.0.1
    server=/domain/192.168.0.2
    rebind-domain-ok=/domain/


    Did this actually work? Specifically, does this actually properly allow /domain/ to resolve DNS entries via either of 192.168.0.1 or 192.168.0.2 - so that your domain overrides are not 'single point of failure'?

