Unbound domain override to recursive forwarder, and how I got it working.
-
Background information: My home internet connection is IPv6 enabled. My company uses lync with office 365. Microsoft has AAAA records configured for lync but on their end it is disabled for service. This causes lync to take upwards of 10 minutes to log in, and all requests to join lync meetings fail. I tested and determined that blocking AAAA returns to the client fixes the issue, but unbound doesn't seem to have a way to do this on a per domain basis. If I am wrong here and someone finds a solution, please tell me how to specify that only A records should be returned to a client on a domain level basis!
The workaround: I ended up installing bind9 on ubuntu which thankfully already included the –enable-filter-aaaa config option. I configured it as a caching forwarder and tested name resolution to ensure that no AAAA records are returned. I figured it would be as easy as specifying a domain override in the DNS resolver section of pfSense but this was not the case. I would drill against bind and get a result, drill against pfSense and get the right result. I would restart unbound on pfsense and drill against it first and get servfail.
The key to get it working was to configure the domain as a forward-zone under advanced options. By default pfSense uses a stub-zone which seems a bit flaky for some reason or another. Unbound says to use a forward-zone when the server you are forwarding to is a recursive resolver. Everything is working great now and names are being reliably resolved.
forward-zone:
name: "lync.com"
forward-addr: x.x.x.xHoping this helps someone else out, and that we might get some UI options for this type of forwarding configuration in the future.