Netgate Discussion Forum
    [Workaround] DNS Resolver - Domain Overrides

    Category: DHCP and DNS
    3 Posts 2 Posters 4.8k Views
    • Budykiller

      Hello,

      I have a working LAN-to-LAN IPsec tunnel between a pfSense router and a Draytek one on the other side.

      I would like all my LAN clients connected to the pfSense box via DHCP to be able to resolve my servers' hostnames. Those servers are physically located on the other side, in another network range.
      I can ping them, but not by hostname.

      For this example, let's say my domain name is test.com.

      I set up my DHCP server on the pfSense box with these DNS IPs:

      • 192.168.1.254 (the pfSense LAN interface's own address)
      • XXX.XXX.XXX.XXX (public IP DNS of my Internet provider)
      • XXX.XXX.XXX.XXX (second IP DNS of my Internet provider)

      Also, some additional config:

      • domain name: test.com
      • search list: test.com

      In the Resolver configuration, I've tried to use the "domain override" option, but it doesn't seem to work. Clients are not able to resolve my servers' names.
      The config was:
      DOMAIN: test.com -- IP Address: 192.168.0.1

      I removed everything to use the "advanced option" instead, but the Unbound service doesn't start anymore, with "could not enter zone test.com transparent" and "duplicate local-zone" entries in the log file.

      I would like my clients to be able to resolve the machines in their own network by name (thanks to the pfSense box with its DHCP server), but also to resolve the other machines located across the VPN tunnel, which are known to my Active Directory DNS at IP address 192.168.0.1.

      Here's my config:

      ##########################
      # Unbound Configuration
      ##########################
      
      ##
      # Server configuration
      ##
      server:
      
      chroot: /var/unbound
      username: "unbound"
      directory: "/var/unbound"
      pidfile: "/var/run/unbound.pid"
      use-syslog: yes
      port: 53
      verbosity: 1
      hide-identity: yes
      hide-version: yes
      harden-glue: yes
      do-ip4: yes
      do-ip6: yes
      do-udp: yes
      do-tcp: yes
      do-daemonize: yes
      module-config: "validator iterator"
      unwanted-reply-threshold: 0
      num-queries-per-thread: 4096
      jostle-timeout: 200
      infra-host-ttl: 900
      infra-cache-numhosts: 10000
      outgoing-num-tcp: 10
      incoming-num-tcp: 10
      edns-buffer-size: 4096
      cache-max-ttl: 86400
      cache-min-ttl: 0
      harden-dnssec-stripped: yes
      msg-cache-size: 4m
      rrset-cache-size: 8m
      
      num-threads: 1
      msg-cache-slabs: 4
      rrset-cache-slabs: 4
      infra-cache-slabs: 4
      key-cache-slabs: 4
      outgoing-range: 4096
      #so-rcvbuf: 4m
      auto-trust-anchor-file: /var/unbound/root.key
      prefetch: no
      prefetch-key: no
      use-caps-for-id: no
      # Statistics
      # Unbound Statistics
      statistics-interval: 0
      extended-statistics: yes
      statistics-cumulative: yes
      
      # Interface IP(s) to bind to
      interface: 0.0.0.0
      interface: ::0
      interface-automatic: yes
      
      # DNS Rebinding
      # For DNS Rebinding prevention
      private-address: 10.0.0.0/8
      private-address: 172.16.0.0/12
      private-address: 169.254.0.0/16
      private-address: 192.168.0.0/16
      private-address: fd00::/8
      private-address: fe80::/10
      # Set private domains in case authoritative name server returns a Private IP address
      
      # Access lists
      include: /var/unbound/access_lists.conf
      
      # Static host entries
      include: /var/unbound/host_entries.conf
      
      # dhcp lease entries
      include: /var/unbound/dhcpleases_entries.conf
      
      # Domain overrides
      include: /var/unbound/domainoverrides.conf
      
      # Unbound custom options
      private-domain: "test.com"
      local-zone: "test.com" redirect
      local-data: "test.com A 192.168.0.1"
      
      ###
      # Remote Control Config
      ###
      include: /var/unbound/remotecontrol.conf
      

      Thanks everyone for the help. I read many articles and posts, but found nothing on that "duplicate local-zone".

      • muswellhillbilly

        Your AD clients should be using the Windows DC as their primary DNS server only. Set the Windows DNS server to use the pfSense as a forwarder and don't bother with the override.

        • Budykiller

          Thanks for your answer muswellhillbilly.

          Actually, the problem is more on the pfSense side. All my LAN clients within the HQ don't need to resolve the machines behind the pfSense box in the other branch office.
          But clients on the pfSense box need to resolve my servers' hostnames.

          Anyway, I read everywhere that we should not use the DNS Forwarder but the Resolver instead. I gave it a try though and, guess what, it works flawlessly.
          I can resolve my servers' hostnames, and nslookup for everything related to the internet is way faster than with the DNS Resolver.

          For youtube.com and other famous names, I used to have:

          • timeout for 2 seconds
          • timeout for 2 seconds
          • RESULTS

          Now with DNS Forwarder it's quick.

          The DNS Resolver worked partially: when I set one of my servers' hostnames in the "HOST OVERRIDE" section, my clients could resolve the name. But oddly, if I set a domain override, it doesn't work anymore.

          I'm wondering if the DNS Resolver and the IPsec tunnel work together? Because for the domain override, it needs to send the query to my PDC in another subnet across the VPN tunnel. It should know the route from the routing table, but in reality it kind of struggles. Or at least, there's something I didn't get.

          Anyway, DNS Forwarder is my way to go now.
          Hope it helps someone else.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.