Prevent External DNS Resolver Queries for Local Domain

  • This is a bit involved to describe so please bear with me.

    System | General Setup | Domain: localdomain
    Services | DNS Resolver: DNSSEC, DHCP Reg, Static DHCP, Advanced: local-zone: home. static
    Services | DNS Services | Domain Name: home
    So all the clients have a DHCP assigned local domain name of home and name resolution works fine and as expected.

    Name resolution for goodhostname.home works without making an external DNS query.  As desired.
    Name resolution for badhostname.home fails without making an external DNS query.  As desired.

    Okay approaching my question…

    Changing System | General Setup | Domain from localdomain to home
    And removing the local-zone: home. static option from DNS Resolver Advanced settings (apparently required or else DNS resolution fails).

    Name resolution still works but now badhostname.home makes an external DNS query.  I believe this is due to the removal of local-zone: home. static from DNS Resolver Advanced settings.
    Was thinking/hoping/expecting that the System | General Setup | Domain being set as home would cover this condition.

    Is there a way to prevent external DNS queries for badhostname.home, where home is the domain configured in System | General Setup | Domain?
    If the local-zone: home. static option is added back into DNS Resolver Advanced settings DNS no longer works.

  • Banned

    What exactly are you sticking in the Advanced Settings? Should be

    local-zone: "home" static

  • @doktornotor:

    What exactly are you sticking in the Advanced Settings? Should be

    local-zone: "home" static

    Same as you indicated except without the quotes and including the trailing dot.

    local-zone: home. static

    It works with the pfSense domain name set as "localdomain".
    But not with pfSense domain name set as "home".

    DHCP is configured to provide all the clients with domain name of "home", so thought it would be nice to have pfSense using the same domain name;  "home" instead of "localdomain".

  • Banned

    So enter what I have written above without any trailing dots. There's definitely no such thing there by default.

  • @doktornotor:

    So enter what I have written above without any trailing dots. There's definitely no such thing there by default.

    Same thing.  If pfSense domain name is set to home, the local-zone: "home" static breaks DNS.
    But removing it so DNS functions then makes external queries for badhostname.home.

    Have tried all 4 permutations of with and without the quotes and trailing dot.

    If the pfSense domain is set as a local-zone it just breaks DNS.

  • Banned

    The long term hint: Stop this BS. Get a proper domain. Use it. Use a subdomain (like, for internal use. Stop inventing nonsense like single-label domains. Chances are high you're gonna hit something that's already in use!

    Other than that, the domain set up via the GUI in System -> General Setup is configured as transparent (see /etc/inc/ and /var/unbound/host_entries.conf). Trying to override it somewhere later probably won't exactly fly.

    Not sure what "just breaks DNS" is here; if you mean that unbound is no longer running after you add something to advanced options, then kindly prefix any stuff there with a server: line.

    server:
    <blah custom config>
    <blah more custom config>
    <blah even more config>

    (unless it's actually something that belongs to a different clause than server; RTFM…)

  • LAYER 8 Global Moderator

    I don't understand the fascination with single-label domains.  And trying to use home as a single label, yeah, BAD IDEA.  This is open to being a possible public TLD.

    There is risk with it since it is a common private TLD, but why don't you just set up a normal domain like dok explained, with say something.home if you want.  I personally use local.lan as mine.

    So if I can reword your question for you: by default the domain you're using for pfSense (in my case local.lan) is set up in unbound.conf by pfSense as transparent.  This will send the query on if it doesn't have a record for it in your local data.  So I think your actual question is how to change this from transparent to static, or whatever other option like deny etc. that someone might want to set for their local domain in pfSense.

    As you have noticed and dok clearly states trying to change what is already in the conf with something else is going to cause a problem.

    Example in /var/unbound/host_entries.conf

    I have
    [2.2.3-RELEASE][root@pfSense.local.lan]/root: cat /var/unbound/host_entries.conf
    local-zone: "local.lan" transparent

    So if I try to put
    local-zone: "local.lan" static

    in the advanced custom section of unbound in the gui, that is going to error…

    I am not aware of a way to change this in the GUI, but if you want to edit it you can change the function that sets that:

    function unbound_add_host_entries() {
            global $config, $g;

            // pfSense writes the System > General Setup domain as a transparent zone,
            // so names with no local record are forwarded upstream.
            $unbound_entries = "local-zone: \"{$config['system']['domain']}\" transparent\n";

    So for example I did a quick test and changed that to static

    so if I look in
    [2.2.3-RELEASE][root@pfSense.local.lan]/etc/inc: cat /var/unbound/host_entries.conf
    local-zone: "local.lan" static

    And I do a query for somethingdoesntexist.local.lan I get NX back

    C:\>dig notthere.local.lan

    ; <<>> DiG 9.10.2-P1 <<>> notthere.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53318
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ; EDNS: version: 0, flags:; udp: 4096
    ;notthere.local.lan.            IN      A

    ;; Query time: 1 msec
    ;; SERVER:
    ;; WHEN: Wed Jul 08 07:22:20 Central Daylight Time 2015
    ;; MSG SIZE  rcvd: 47

    Is this what you're trying to accomplish?

  • That is what was needed.  Thanks.

    Now if I could prevent non-existent host-name-only queries from going external too.  (e.g. NonExistentHostName and NonExistentHostName.)

  • LAYER 8 Global Moderator

    with no tld?  What would be generating those queries?

    Let me do a simple test on my system. Yup, seems that gets sent to root and you get NX back, hmmm, let me look into that.  But what would be generating those sorts of queries?

    Off the top you could NOT use
    local-zone: "." static

    Since that would block everything, because you just said root was local and if you don't have a record for it don't look for it.
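To make the transparent-versus-static behaviour described in the two moderator posts above concrete, here is an added Python model of unbound's documented local-zone semantics (longest-suffix zone match, local data always answered, transparent forwards, static returns NXDOMAIN); it is not pfSense or unbound code, and the zone tables and the 192.168.1.10 address are constructed. It also covers the refuse and deny types and the root-zone case warned about above.

```python
from typing import Dict, List, Optional, Tuple

# Constructed example data mirroring the thread: pfSense writes one local-zone line
# for the System > General Setup domain, and DHCP/static registrations become local-data.
THREAD_LOCAL_DATA = {"goodhostname.home.": "192.168.1.10"}   # constructed address

def _norm(name: str) -> str:
    """Lower-case and root the name, the way unbound compares local data."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def _labels(name: str) -> List[str]:
    return [label for label in _norm(name).split(".") if label]

def matching_zone(qname: str, zones: Dict[str, str]) -> Optional[str]:
    """Most specific configured zone the query falls under (longest suffix wins).
    "." has no labels and matches everything: that is why local-zone: "." static
    would block every lookup that has no local record."""
    q = _labels(qname)
    best = None
    for zone in zones:
        z = _labels(zone)
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if best is None or len(z) > len(_labels(best)):
                best = zone
    return best

def resolve(qname: str, zones: Dict[str, str], local_data: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Outcome for one A query: ('local', addr), ('forward', None) = sent upstream,
    or ('nxdomain'/'refused'/'dropped', None). Local data answers under every zone type."""
    q = _norm(qname)
    if q in local_data:
        return ("local", local_data[q])
    zone = matching_zone(q, zones)
    if zone is None or zones[zone] == "transparent":
        return ("forward", None)          # the external query the original poster saw
    outcome = {"static": "nxdomain", "refuse": "refused", "deny": "dropped"}
    if zones[zone] not in outcome:
        raise ValueError(f"zone type not modelled: {zones[zone]}")
    return (outcome[zones[zone]], None)

def thread_cases() -> Dict[str, str]:
    """The queries discussed in the thread, under a transparent and a static home zone."""
    transparent, static = {"home.": "transparent"}, {"home.": "static"}
    return {
        "bad-transparent": resolve("badhostname.home", transparent, THREAD_LOCAL_DATA)[0],
        "bad-static": resolve("badhostname.home", static, THREAD_LOCAL_DATA)[0],
        "good-static": resolve("goodhostname.home", static, THREAD_LOCAL_DATA)[0],
        "single-label": resolve("NonExistentHostName", static, THREAD_LOCAL_DATA)[0],
        "root-static": resolve("www.example.com", {".": "static"}, THREAD_LOCAL_DATA)[0],
    }
```

The "single-label" case shows why a static home zone does not help the follow-up question: a bare host name falls under no configured zone, so it is still forwarded.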

  • I know that in DNS Forwarder there was an option not to forward single level queries.  But haven't found anything for that in DNS Resolver.

  • LAYER 8 Global Moderator

    my question is what is generating host only queries?
