Unbound + search domain

  • Seems like unbound is the new default for pfsense, so how to set up unbound so that it resolves local hostnames by adding the local domain and forwards the request to a remote server?

    nslookup hostname always gives me a "non-existent domain" error, even if I set the domain in System > General Setup > Domain and all clients get the domain via DHCP.

    nslookup hostname.mydomain.com only works if I go to Services > DNS Resolver > Domain Overrides and set an override for my local domain to look up a remote server; otherwise I get the "non-existent domain" error.

    I guess the problem is that even if I log in to the pfsense machine via ssh and try it there, it doesn't resolve without the domain. So how do I set the search domain for unbound? Usually I would edit /etc/resolv.conf, but it seems strange to me to edit a system file for such a common option.

  • LAYER 8 Global Moderator

    your search domain would be set on your client..

    C:>nslookup storage
    Server:  pfSense.local.lan

    Name:    storage.local.lan

    so my client's domain is local.lan, so when I do an nslookup for just storage it adds the domain local.lan

    Windows IP Configuration
    Ethernet adapter Local:

    Connection-specific DNS Suffix  . : local.lan
      IPv4 Address. . . . . . . . . . . :
      Subnet Mask . . . . . . . . . . . :
      Default Gateway . . . . . . . . . :

    If your domain in question is authoritative on some other server in your network, then yes, you would do a domain override in unbound to tell it where to go to look up your domain.

  • our domain is public and serves local addresses for some hostnames. Let's say our domain is galaxy.com: if I or you or anybody else looks up sun.galaxy.com, it would answer, while www.galaxy.com returns the IP of a rented root server.

    Ethernet-Adapter LAN-Verbindung:
       Verbindungsspezifisches DNS-Suffix: galaxy.com
       IPv4-Adresse  . . . . . . . . . . :
       Subnetzmaske  . . . . . . . . . . :
       Standardgateway . . . . . . . . . :
    C:\>nslookup sun
    Server:  firewall.galaxy.com
    *** sun wurde von firewall.galaxy.com nicht gefunden: Non-existent domain.
    C:\>nslookup sun.galaxy.com
    Server:  firewall.galaxy.com
    Nicht autorisierende Antwort:
    Name:    sun.galaxy.com

    And if I didn't set Services > DNS resolver > Domain Overrides > for "galaxy.com" to use "" (or any other public DNS server), it wouldn't even resolve the FQDN sun.galaxy.com.

    It's just a guess, but does pfSense have a problem looking up/forwarding a domain on a remote server if it has been set as the local domain?

  • LAYER 8 Global Moderator

    serving up rfc1918 from a public domain is a BROKEN configuration plain and simple..

    You're clearly going to run into rebinding protection problems doing that.  And it's just a BAD idea all the way around..

    You need to serve up your rfc1918 space from local servers..

  • so it would be OK to enter them in the host override config of pfsense and remove them from the public DNS server? would that work?

  • LAYER 8 Global Moderator

    yup that would work for sure..
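To show what the advice in this thread comes down to in resolver terms, here is an added unbound.conf fragment. It is not from the thread and not pfSense's generated unbound.conf (pfSense writes its own config from the GUI settings); the domain galaxy.com and the host "sun" are taken from the thread, while the address 10.0.0.5 and the forwarder 192.0.2.53 are constructed placeholders. The `private-address` lines are unbound's DNS rebinding protection: an answer that maps a name to one of those ranges is discarded unless the name sits under a declared `private-domain`. That is the mechanism behind the "Non-existent domain" result when a public zone hands out RFC1918 addresses. The `local-data` entries are what pfSense's Host Overrides amount to, and the `forward-zone` is the Domain Override equivalent.

```conf
# Added example, not pfSense's generated configuration.
# Assumed: local domain galaxy.com, LAN host sun at 10.0.0.5 (constructed),
# upstream forwarder 192.0.2.53 (constructed TEST-NET address).
server:
    # Rebinding protection. Answers carrying these ranges are dropped
    # unless the name is under a private-domain. A public galaxy.com zone
    # that returns 10.0.0.5 for sun.galaxy.com is filtered here, which is
    # what the client then sees as "Non-existent domain".
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # Fix recommended in the thread: serve the RFC1918 hosts locally
    # (pfSense "Host Overrides" produce entries of this kind).
    # "transparent" means names NOT listed here, e.g. www.galaxy.com,
    # still resolve normally through the public zone.
    local-zone: "galaxy.com." transparent
    local-data: "sun.galaxy.com. 3600 IN A 10.0.0.5"
    local-data-ptr: "10.0.0.5 sun.galaxy.com"

    # Only if a server on your own network is authoritative for the zone
    # and must answer with private addresses: declare the domain private
    # so rebinding protection accepts those answers. Do not use this to
    # whitelist a public zone that leaks RFC1918 data.
    # private-domain: "galaxy.com"

# Everything else goes to the upstream resolver. A pfSense "Domain Override"
# is the same construct with name: set to the overridden zone instead of ".".
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

Note that none of this supplies a search list: the single-label lookup `nslookup sun` only becomes `sun.galaxy.com` because the client appends its DNS suffix (the "Connection-specific DNS Suffix" shown in the ipconfig output above), so the resolver side and the client suffix have to agree on galaxy.com.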
