Unbound + search domain



  • Seems like unbound is the new default for pfSense, so how do I set up unbound so that it resolves local hostnames by adding the local domain and forwards the request to a remote server?

    nslookup hostname 192.168.1.1 always gives me a "non-existent domain" error, even if I set the domain in System > General Setup > Domain and all clients get the domain via DHCP.

    nslookup hostname.mydomain.com 192.168.1.1 only works if I go to Services > DNS Resolver > Domain Overrides and set an override for my local domain to look up a remote server - otherwise I get the "non-existent domain" error.

    I guess the problem is that even if I log in to the pfSense machine via SSH and try it there, it doesn't resolve without the domain. So how do I set the search domain for unbound? Usually I would edit /etc/resolv.conf, but it seems strange to me to edit a system file for such a common option.


  • Rebel Alliance Global Moderator

    Your search domain would be set on your client.

    C:\>nslookup storage
    Server:  pfSense.local.lan
    Address:  192.168.9.253

    Name:    storage.local.lan
    Address:  192.168.9.8

    So my client's domain is local.lan, so when I do an nslookup for just storage it adds the domain local.lan.

    C:\>ipconfig
    Windows IP Configuration
    Ethernet adapter Local:

    Connection-specific DNS Suffix  . : local.lan
      IPv4 Address. . . . . . . . . . . : 192.168.9.100
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.9.253

    If your domain in question is authoritative on some other server in your network, then yes, you would do a domain override in unbound to tell it where to go to look up your domain.



  • Our domain is public and serves local addresses for some hostnames. Let's say our domain is galaxy.com: if I, you, or anybody else looks up sun.galaxy.com, it would answer 192.168.1.5, while www.galaxy.com returns the IP of a rented root server.

    C:\>ipconfig
    
    Windows-IP-Konfiguration
    
    Ethernet-Adapter LAN-Verbindung:
    
       Verbindungsspezifisches DNS-Suffix: galaxy.com
       IPv4-Adresse  . . . . . . . . . . : 192.168.1.127
       Subnetzmaske  . . . . . . . . . . : 255.255.255.0
       Standardgateway . . . . . . . . . : 192.168.1.14
    
    C:\>nslookup sun
    Server:  firewall.galaxy.com
    Address:  192.168.1.1
    
    *** sun wurde von firewall.galaxy.com nicht gefunden: Non-existent domain.
    
    C:\>nslookup sun.galaxy.com
    Server:  firewall.galaxy.com
    Address:  192.168.1.1
    
    Nicht autorisierende Antwort:
    Name:    sun.galaxy.com
    Address:  192.168.1.2
    

    And if I didn't set Services > DNS Resolver > Domain Overrides for "galaxy.com" to use "8.8.8.8" (or any other public DNS server), it wouldn't even resolve the FQDN sun.galaxy.com.

    It's just a guess, but does pfSense have a problem looking up/forwarding a domain to a remote server if it has been set as the local domain?


  • Rebel Alliance Global Moderator

    Serving up RFC 1918 from a public domain is a BROKEN configuration, plain and simple.

    You're clearly going to run into rebinding protection problems doing that. And it's just a BAD idea all the way around.
    https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

    You need to serve up your RFC 1918 space from local servers.



  • So it would be OK to enter them in the host override config of pfSense and remove them from the public DNS server? Would that work?


  • Rebel Alliance Global Moderator

    Yup, that would work for sure.
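The two behaviours argued about in this thread (the client, not the resolver, appending the DNS suffix to a single-label name; and Unbound's rebinding protection stripping RFC 1918 addresses from answers for a public zone unless that zone is declared private or served from a host override) can be modelled in a few lines. The following is an added example written for this page, not code from pfSense, Unbound or any poster. The unbound.conf fragments, the 192.168.1.x addresses and galaxy.com follow the thread; the zone contents, 203.0.113.10 (documentation range, standing in for the rented root server) and the function names are constructed for the example. It models `private-address`, `private-domain` and `local-data` only as far as needed to show why the bare FQDN failed and why the host override fixes it.

```python
"""Toy model of client search-suffix handling and Unbound rebinding protection.
Added example for this thread; not pfSense or Unbound code."""
import ipaddress

# --- client side -----------------------------------------------------------
def qualify(name: str, dns_suffix: str) -> str:
    """Mimic the Windows stub resolver: a name without a dot gets the
    connection-specific DNS suffix appended before the query is sent.
    Unbound never sees the bare name, which is why there is no search
    domain to configure on the resolver itself."""
    name = name.rstrip(".")
    if "." in name:
        return name
    return f"{name}.{dns_suffix.strip('.')}"

# --- resolver side ---------------------------------------------------------
# Constructed unbound.conf fragments. private-address is what the DNS
# Rebinding protection sets up; private-domain and local-data are the two
# ways an RFC 1918 answer for a name becomes acceptable.
CONF_BROKEN = """
server:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
"""
CONF_PRIVATE_DOMAIN = CONF_BROKEN + '    private-domain: "galaxy.com"\n'
CONF_FIXED = CONF_BROKEN + '    local-data: "sun.galaxy.com. A 192.168.1.2"\n'

# Constructed view of the public galaxy.com zone as described in the thread:
# a public domain that hands out a private address for one host.
UPSTREAM_ZONE = {
    "sun.galaxy.com": "192.168.1.5",
    "www.galaxy.com": "203.0.113.10",
}

def parse_conf(conf: str):
    """Pull the three relevant directives out of an unbound.conf fragment."""
    nets, private_domains, local_data = [], set(), {}
    for raw in conf.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "private-address":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif key == "private-domain":
            private_domains.add(value.strip('"').rstrip(".").lower())
        elif key == "local-data":
            owner, rrtype, rdata = value.strip('"').split()
            if rrtype == "A":
                local_data[owner.rstrip(".").lower()] = rdata
    return nets, private_domains, local_data

def in_private_domain(name: str, private_domains: set) -> bool:
    """True if the name or any parent zone is declared private-domain."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in private_domains for i in range(len(labels)))

def resolve(fqdn: str, conf: str, upstream=UPSTREAM_ZONE):
    """Answer an A query the way the modelled Unbound would.
    Returns the address, or None when the reply carries no usable record."""
    nets, private_domains, local_data = parse_conf(conf)
    name = fqdn.rstrip(".").lower()
    if name in local_data:
        return local_data[name]      # host override: answered locally, never filtered
    answer = upstream.get(name)
    if answer is None:
        return None                  # name does not exist upstream
    addr = ipaddress.ip_address(answer)
    if any(addr in net for net in nets) and not in_private_domain(name, private_domains):
        return None                  # rebinding protection strips the private address
    return answer

if __name__ == "__main__":
    q = qualify("sun", "galaxy.com")
    print(q, "->", resolve(q, CONF_BROKEN))          # filtered: None
    print(q, "->", resolve(q, CONF_PRIVATE_DOMAIN))  # public zone trusted: 192.168.1.5
    print(q, "->", resolve(q, CONF_FIXED))           # host override: 192.168.1.2
    print("www.galaxy.com ->", resolve("www.galaxy.com", CONF_BROKEN))
```

Of the two resolver-side fixes, `local-data` (what pfSense's Host Overrides generate) is the one the moderator recommends: the private address never leaves the LAN resolver, so there is nothing for rebinding protection to filter and nothing leaking RFC 1918 layout into a public zone. Declaring the whole public zone as `private-domain` keeps the broken public records and only tells Unbound to trust them.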