Netgate Discussion Forum
    Unbound forward-zone not working properly?

    DHCP and DNS
    • Alex Atkin UK

      I am new to pfSense so have been trying to replicate my old OpenWRT configuration.

      I have mostly gotten it sorted except I hit a snag with Unbound.

      Firstly, the web UI is unable to add domain overrides except if you are pointing to a primary server.

      So I eventually realised I needed to add forward-zone rules in the advanced configuration.  Except, it still doesn't work in the way the Unbound documents claim it does.

      I use Unotelly and redirect just Netflix queries to their DNS, so I get quick response on everything else and do not have to trust them with my online banking DNS.  The rules I used were:

      forward-zone:
              name: "netflix.com"
              forward-addr: 176.58.107.53
      forward-zone:
              name: "netflix.co.uk"
              forward-addr: 176.58.107.53
      forward-zone:
              name: "netflix.net"
              forward-addr: 176.58.107.53
      forward-zone:
              name: "nflxvideo.net"
              forward-addr: 176.58.107.53
      forward-zone:
              name: "unotelly.com"
              forward-addr: 176.58.107.53

      That worked for streaming devices, but www.netflix.com would fail DNS lookup.  In fact, all subdomains would fail, which is odd as the Unbound documentation would suggest it's supposed to be a catch-all rule.

      When requested directly from 176.58.107.53 or with dnsmasq in place, the host lookup gives me this and everything works perfectly:

      host www.netflix.com
      www.netflix.com is an alias for www.netflix.com.netflix-cluster.unostructure.com.
      www.netflix.com.netflix-cluster.unostructure.com has address 173.208.224.45
      www.netflix.com.netflix-cluster.unostructure.com has address 107.167.89.172
      www.netflix.com.netflix-cluster.unostructure.com has address 69.197.152.44
      www.netflix.com.netflix-cluster.unostructure.com has address 98.142.141.44
      www.netflix.com.netflix-cluster.unostructure.com has address 63.143.56.125
      Host www.netflix.com.netflix-cluster.unostructure.com not found: 3(NXDOMAIN)
      Host www.netflix.com.netflix-cluster.unostructure.com not found: 3(NXDOMAIN)

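      The question above is really about which names end up at the third-party forwarder and which do not. Unbound chooses a forward-zone by longest-suffix match on the name it is currently looking up, and a CNAME target returned by the forwarder is looked up as a new name with its own zone match, so a target outside every forward-zone goes through normal recursion. The following script is an added example (not code from the post or from Netgate/pfSense): it parses forward-zone stanzas, reproduces that suffix matching, walks the CNAME chain from `host` output, and reports which zone, if any, covers each name in the chain. The config and `host` lines embedded in it are the ones quoted in the post; no other names or addresses are assumed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the forward-zone stanzas quoted in the post (constructed copy).
UNBOUND_CONF = """
forward-zone:
        name: "netflix.com"
        forward-addr: 176.58.107.53
forward-zone:
        name: "netflix.co.uk"
        forward-addr: 176.58.107.53
forward-zone:
        name: "netflix.net"
        forward-addr: 176.58.107.53
forward-zone:
        name: "nflxvideo.net"
        forward-addr: 176.58.107.53
forward-zone:
        name: "unotelly.com"
        forward-addr: 176.58.107.53
"""

# Sample input: the first lines of the `host www.netflix.com` output quoted in the post.
HOST_OUTPUT = """
www.netflix.com is an alias for www.netflix.com.netflix-cluster.unostructure.com.
www.netflix.com.netflix-cluster.unostructure.com has address 173.208.224.45
"""


def parse_forward_zones(conf: str) -> Dict[str, List[str]]:
    """Return {zone_name: [forward-addr, ...]} from the forward-zone: stanzas in conf."""
    zones: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if line == "forward-zone:":               # a new stanza starts
            current = None
            continue
        key, _, value = line.partition(":")       # split only on the first colon (IPv6-safe)
        key, value = key.strip(), value.strip().strip('"')
        if key == "name":
            current = value.rstrip(".").lower()
            zones.setdefault(current, [])
        elif key == "forward-addr" and current is not None:
            zones[current].append(value)
    return zones


def matching_zone(qname: str, zones: Dict[str, List[str]]) -> Optional[str]:
    """Longest-suffix match on DNS labels, the way Unbound selects a forward-zone:
    the zone covers its own name and every name below it, but not look-alikes."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def cname_chain(host_output: str, start: str) -> List[str]:
    """Follow 'X is an alias for Y.' lines from `start`, returning the chain of names."""
    aliases: Dict[str, str] = {}
    for m in re.finditer(r"^(\S+) is an alias for (\S+?)\.?$", host_output, re.M):
        aliases[m.group(1).lower()] = m.group(2).lower()
    chain = [start.rstrip(".").lower()]
    while chain[-1] in aliases and aliases[chain[-1]] not in chain:   # stop on loops
        chain.append(aliases[chain[-1]])
    return chain


def audit_chain(conf: str, host_output: str, start: str) -> List[Tuple[str, Optional[str]]]:
    """For each name in the CNAME chain, pair it with the forward-zone that covers it.
    A None entry means Unbound resolves that name itself rather than via the forwarder."""
    zones = parse_forward_zones(conf)
    return [(name, matching_zone(name, zones)) for name in cname_chain(host_output, start)]


if __name__ == "__main__":
    for name, zone in audit_chain(UNBOUND_CONF, HOST_OUTPUT, "www.netflix.com"):
        print(f"{name:60s} -> {zone or 'NOT forwarded (normal recursion)'}")
```

      Run against the post's own data, the audit shows www.netflix.com covered by the netflix.com zone and its CNAME target under unostructure.com covered by none of the five zones, which is the kind of gap worth checking whenever DNS is split between a trusted resolver and a third party.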
      • sgw

        I also notice that adding "Domain Overrides" does not work here.
        My intention: I run IPSEC VPNs to several customers and want to query their internal DNS instead of the (external) DNS of my internet provider.

        Unfortunately that does not work for me.
        I run pfsense 2.2.3 on an ALIX board, for reference.

        I can "dig @customerdns $fqdn" successfully from my desktop machine.
        But "dig @pfsenseIP  $fqdn" does not return anything.

        • doktornotor

          @sgw:

          My intention: I run IPSEC VPNs to several customers and want to query their internal DNS instead of the (external) DNS of my internet provider.
          I can "dig @customerdns $fqdn" successfully from my desktop machine.
          But "dig @pfsenseIP  $fqdn" does not return anything.

          This has nothing to do with the OP. If you want to query their internal DNS, then query that DNS and not pfSense.

          https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

          • sgw

            @doktornotor:

            This has nothing to do with the OP. If you want to query their internal DNS, then query that DNS and not pfSense.

            So DNS Overrides do not work for DNS-servers "behind" IPSEC tunnels?
            Thanks for the link, I will try that now …

            EDIT: I added the additional gateway as mentioned in the link ... and static routes. DNS overrides work now, but this somehow conflicts with the routes set up by IPSEC. I get problems pinging them now.

            • doktornotor

              @sgw:

              EDIT: I added the additional gateway as mentioned in the link … and static routes. DNS overrides work now, but this somehow conflicts with the routes set up by IPSEC. I get problems pinging them now.

              If you really need something like this, I'd frankly suggest to either point LAN clients to the proper place directly or use OpenVPN. I'm tired of debugging IPsec shit.

              • dennypage

                Alex, if I understand your original request correctly, you can address this by configuring resolver (unbound) to use the LAN interface as the only outbound interface. You shouldn't need the fake gateway and static routes.

                Note that this will mean all your other DNS packets (to root servers etc.) will be processed via NAT.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.