Domain Overrides Unbound Fails, Dnsmasq Works



  • Hi,

    I've moved from pfSense 2.1 to pfSense 2.2. As an experiment, I replicated all my settings from the DNS Forwarder (dnsmasq) configuration across to the DNS Resolver (unbound) configuration. I then shut down my DNS Forwarder and started up DNS Resolver, thus using unbound. All seemed to work except my Override Domain setting.

    In DNS Forwarder, I have:

    Domain: foo.bar.net
    IP Address: 10.0.1.4
    Source IP: 192.168.1.1

    In DNS Resolver, I have:

    Domain: foo.bar.net
    IP Address: 10.0.1.4

    (there is no entry to set Source IP in DNS Resolver).

    With DNS Forwarder (unbound) enabled and DNS Resolver (dnsmasq) disabled:

    
    $ dig test.foo.bar.net
    
    ; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> test.foo.bar.net
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16374
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;foo.bar.net. IN	 A
    
    ;; Query time: 13 msec
    ;; SERVER: 192.168.20.1#53(192.168.20.1)
    ;; WHEN: Tue Feb 10 10:46:05 GMT 2015
    ;; MSG SIZE  rcvd: 64
    
    

    With DNS Forwarder (unbound) disabled, and DNS Resolver (dnsmasq) enabled:

    
    $ dig foo.bar.net
    
    ; <<>> DiG 9.9.5-4.3ubuntu0.1-Ubuntu <<>> foo.bar.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54648
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;foo.bar.net. IN A
    
    ;; ANSWER SECTION:
    foo.bar.net. 43200	IN A 10.0.10.30
    
    ;; AUTHORITY SECTION:
    foo.bar.net. 43200 IN	NS	ns1.foo.bar.net.
    
    ;; ADDITIONAL SECTION:
    ns1.foo.bar.net. 43200 IN	A	10.0.1.4
    
    ;; Query time: 86 msec
    ;; SERVER: 192.168.20.1#53(192.168.20.1)
    ;; WHEN: Tue Feb 10 11:14:47 GMT 2015
    ;; MSG SIZE  rcvd: 119
    
    It seems to me that with the same configuration (with a caveat, see next sentence), using unbound to perform a domain override doesn't appear to work! The only difference I can see is that with DNS Forwarder, I have to set a source IP (192.168.1.1) for it to work, whereas on DNS Resolver I have no option to do so.
    
    Anyone got any similar experience or a suggestion on what I'm doing incorrectly with Unbound?
    
    Thank you
    
    -=david=-
    

  • Banned

    Unbound is a resolver, NOT a forwarder… Plus test.foo.bar.net is not the same thing as foo.bar.net



  • Hi,

    I don't follow. Doesn't the webgui have:

    DNS Query Forwarding (which I have ticked)

    for the unbound configuration, which seems to suggest that it does allow forwarding.

    Plus, if unbound doesn't do forwarding, then why have domain overrides with the text "Entries in this area override an entire domain by specifying an authoritative DNS server to be queried for that domain."

    Surely it (unbound) would query my upstream DNS to resolve the query?

    -=david=-


  • Banned

    Dude, you have override for foo.bar.net and are digging test.foo.bar.net and wondering why you get nothing and draw the conclusion that unbound fails? Sigh. Layer 8 issue.

    Wrt the forwarder/resolver, I've been referring to this

    With DNS Forwarder (unbound) disabled, and DNS Resolver (dnsmasq) enabled:

    You got that the other way round.



  • You have an internal DNS server that serves names in foo.bar.net and that server is at 10.0.1.4 - all good and normal.
    But to reach it, the requests to it have to come from source IP 192.168.1.1 (which is presumably an interface IP on your pfSense). If the source IP is not provided, then the request might go out an OpenVPN site-to-site link, using the IP of your end of the link. If the internal DNS server does not know how to route back to that site-to-site tunnel IP then big problem.
    That is why the source IP thing is in DNS Forwarder. Unfortunately there is no such beast in Unbound DNS Resolver.
    Possible ways to achieve success discussed here: https://forum.pfsense.org/index.php?topic=84184.0



  • Hi Phil,

    Thank you very much for your gracious answer :-). This makes perfect sense and something for me to look into when I have a bit more time. I've switched back to using dnsmasq for the moment :-)

    -=david=-



    I had a similar situation here. On 2.1.5 I ran dnsmasq, and all went well with resolving, to the internet and to my two connected VPN sites. When I upgraded to 2.2 and unbound came in sight, it didn't function anymore.
    The clue is in the outbound interface (as stated in the post: https://forum.pfsense.org/index.php?topic=84184.0).
    When you want to resolve certain domain overrides that are connected by VPN, the outgoing interface has to be part of your VPN domain (e.g. your LAN interface).
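    As an added example (not from anyone in this thread), an unbound.conf fragment showing the two pieces the last two posts describe: the domain override itself and pinning the source address of outgoing queries so the internal server can route the reply back. It assumes pfSense renders a Domain Override as a forward-zone like the one below and that `outgoing-interface` is supplied through the Resolver's custom options; the addresses are the ones quoted in the thread.

    ```conf
    # Added example, not pfSense's generated config. Addresses from the thread:
    #   192.168.20.1 = pfSense address clients query (SERVER line in the dig output)
    #   192.168.1.1  = LAN address dnsmasq used as "Source IP"
    #   10.0.1.4     = internal authoritative server for foo.bar.net
    server:
        interface: 192.168.20.1

        # Without this line unbound picks the source address from the routing
        # table. When 10.0.1.4 sits behind a site-to-site tunnel that is the
        # tunnel endpoint IP; if the internal server has no route back to it,
        # the reply never arrives and clients see SERVFAIL (as in the thread).
        # Pinning the LAN address reproduces dnsmasq's "Source IP" field.
        # Caveat: unlike dnsmasq's per-override setting, this applies to every
        # outgoing query unbound makes, not just to foo.bar.net.
        outgoing-interface: 192.168.1.1

    # Equivalent of the Domain Override entry: all names under foo.bar.net
    # are sent to the internal authoritative server instead of being resolved.
    # (Assumption: this is how pfSense expresses a Domain Override for unbound.)
    forward-zone:
        name: "foo.bar.net"
        forward-addr: 10.0.1.4
    ```

    `unbound-checkconf` validates the syntax before a restart; afterwards `dig @192.168.20.1 test.foo.bar.net` should return NOERROR with the answer from 10.0.1.4 rather than the SERVFAIL shown above.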