Unbound + search domain
-
Seems like unbound is the new default for pfsense, so how do I set up unbound so that it resolves local hostnames by adding the local domain and forwards the request to a remote server?
nslookup hostname 192.168.1.1 always gives me a "non-existent domain" error, even if I set the domain in System > General Setup > Domain and all clients get the domain via DHCP.
nslookup hostname.mydomain.com 192.168.1.1 only works if I go to Services > DNS Resolver > Domain Overrides and set an override for my local domain to look up a remote server - otherwise I get the "non-existent domain" error.
I guess the problem is that even if I log in to the pfsense machine via ssh and try it there, it doesn't resolve without the domain. So how do I set the search domain for unbound? Usually I would edit /etc/resolv.conf, but it seems strange to me to edit a system file for such a common option.
-
Your search domain would be set on your client..

C:\>nslookup storage
Server:  pfSense.local.lan
Address:  192.168.9.253

Name:    storage.local.lan
Address:  192.168.9.8

So my client's domain is in local.lan, so when I do an nslookup for just storage it adds the domain local.lan.

C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local:

   Connection-specific DNS Suffix  . : local.lan
   IPv4 Address. . . . . . . . . . . : 192.168.9.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.9.253

If your domain in question is authoritative on some other server in your network, then yes, you would do a domain override in unbound to tell it where to go to look up your domain.
-
Our domain is public and serves local addresses for some hostnames. Let's say our domain is galaxy.com, and if I or you or anybody else looks up sun.galaxy.com, it would answer 192.168.1.5, while www.galaxy.com returns the IP of a rented root server.
C:\>ipconfig

Windows-IP-Konfiguration

Ethernet-Adapter LAN-Verbindung:

   Verbindungsspezifisches DNS-Suffix: galaxy.com
   IPv4-Adresse  . . . . . . . . . . : 192.168.1.127
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : 192.168.1.14

C:\>nslookup sun
Server:  firewall.galaxy.com
Address:  192.168.1.1

*** sun wurde von firewall.galaxy.com nicht gefunden: Non-existent domain.

C:\>nslookup sun.galaxy.com
Server:  firewall.galaxy.com
Address:  192.168.1.1

Nicht autorisierende Antwort:
Name:    sun.galaxy.com
Address:  192.168.1.2
And if I didn't set Services > DNS Resolver > Domain Overrides for "galaxy.com" to use "8.8.8.8" (or any other public DNS server), it wouldn't even resolve the FQDN sun.galaxy.com.
It's just a guess, but does pfSense have a problem looking up/forwarding a domain to a remote server if it has been set as the local domain?
-
Serving up RFC1918 from a public domain is a BROKEN configuration, plain and simple..
You're clearly going to run into rebinding protection problems doing that. And it's just a BAD idea all the way around..
https://doc.pfsense.org/index.php/DNS_Rebinding_Protections
You need to serve up your RFC1918 space from local servers..
-
So it would be OK to enter them in the host override config of pfsense and remove them from the public DNS server? Would that work?
-
yup that would work for sure..
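The two pieces of advice above (don't publish RFC1918 addresses in the public zone; put them in host overrides instead) written out in Unbound's own configuration syntax, as an added illustration rather than the config pfSense generates; galaxy.com, sun, 192.168.1.5 and 8.8.8.8 are the placeholders used in this thread.

```conf
# Unbound configuration sketch for the thread's scenario (added example,
# not pfSense's generated unbound.conf). Names and addresses are the
# placeholders used in the thread.
server:
    # Rebinding protection: an upstream answer carrying one of these
    # ranges has the address removed, so the client never gets a usable
    # record. This is why a public galaxy.com zone that hands out
    # 192.168.1.5 for sun.galaxy.com fails from behind the resolver.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # Host override: answer the RFC1918 names from local data, so they
    # come from the firewall itself and never pass the private-address
    # check. "transparent" means names without local-data are still
    # resolved normally (here: via the forward-zone below).
    local-zone: "galaxy.com." transparent
    local-data: "sun.galaxy.com. IN A 192.168.1.5"
    local-data-ptr: "192.168.1.5 sun.galaxy.com."

    # The escape hatch the thread argues against: whitelisting the
    # domain switches the rebinding check off for every answer under
    # it, including ones the upstream server was never meant to give.
    # private-domain: "galaxy.com"

# Domain override: everything else under galaxy.com (e.g. www) is
# forwarded to the chosen upstream instead of being resolved locally.
forward-zone:
    name: "galaxy.com."
    forward-addr: 8.8.8.8
```

With this split, the public zone only ever needs the public records, and the search-domain behaviour for bare names like "sun" remains a client-side setting as the first reply points out.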