Removing default host entries in Unbound - 2.3



  • If there's another way to go about this, I'm open to other ideas.

    I have set a host override under DNS resolver to direct pfsense's hostname to an IP in a VLAN. When I do an nslookup, I'm getting both the default LAN IP, as well as the override IP. When I edit the file /var/unbound/host_entries.conf and remove the LAN IP entry, save, and restart Unbound, the entry comes back.

    How can I have pfsense's hostname resolve to only 1 IP that is not the default LAN interface IP?


  • LAYER 8 Global Moderator

    where are you doing the queries from?  If your wanting queries from the vlan to show the vlan pfsense IP, and queries done from the lan to show the lan IP then using dnsmasq vs unbound would allow you to use the localise option.

    http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
    y, –localise-queries
        Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was received. If a name in /etc/hosts has more than one address associated with it, and at least one of those addresses is on the same subnet as the interface to which the query was sent, then return only the address(es) on that subnet. This allows for a server to have multiple addresses in /etc/hosts corresponding to each of its interfaces, and hosts will get the correct address based on which network they are attached to. Currently this facility is limited to IPv4.

    Another simple solution is just to use different subdomain..  For example the IP of pfsense in my other vlans are just subdomains of tell me what vlan they are in.. example

    C:>dig @192.168.9.253 -x 192.168.2.253 +short
    pfsense.wlan.local.lan.

    C:>dig @192.168.9.253 -x 192.168.3.253 +short
    pfsense.dmz.local.lan.

    You can debate for sure but very common opinion is that a FQDN should return 1 IP.. and an IP should return same PTR..  Using the same name that resolves to different IPs can lead to confusion..  Its fine if your using the fqdn to serve up some say web page or something from a CDN.. But if the name is an actual HOST, I like that fqdn to return the IP of that host.. If the host has multiple IPs in different networks then the name should reflect that network its in.. Which is why I like the subdomain option..

    pfsense.local.lan is its address in the normal lan segment.  So that is what should be returned.. If I want to have a name associated to its other IPs then those should be either a different name or use a subdomain, etc..

    Just my take on it..



  • Thank you for the feedback.

    I want pfSense to return a single IP when queried by hostname, but I would like to stick with DNS Resolver/Unbound. The subdomain idea is interesting, and I may end up implementing something similar if necessary. However, I would rather just have pfSense return the same single IP independent of which VLAN it is on (I've set the necessary rules for each VLAN to allow DNS).

    As for setting pfSense to respond to a corresponding VLAN IP, it would still be returning the LAN interface IP as a valid DNS server, which is not what I want.

    I don't even have the LAN interface selected under the interfaces to listen on for DNS queries, so I don't think it's Unbound itself, but rather some default setting that sets the LAN IP as a host entry to pfSense's hostname.


  • LAYER 8 Global Moderator

    Yes pfsense wants to use a NAME.. And that name gets put in the host file.. If you don't want to use that name then use something else and put it in the overrides so that when you query pfsense.something it returns the IP you put in the overrides and not what pfsense lan IP that would be pfsense.somethingelse

    I am confused to why the name you give pfsense matters?  For what you put in the overrides for some fqdn..  But yeah if you try and create override with the same name as what pfsense then yeah your going to get both of them..



  • I know the hostname and device/computer name don't have to always be the same, but since the Windows desktops are already configured that way, I'd rather keep it the same for pfsense. I was hoping that there was an option or command that I could use, but maybe that's not the case.


  • LAYER 8 Global Moderator

    For what possible reason??  Use the name the clients are setup for for the IP you want via your host override, change the name of pfsense to something else.. Your saying you don't want pfsense lan IP to resolve when they use that name..  So change it..

    I fail to see what is the issue here??



  • If I understand you correctly, you want me to change the override name so that it's not the same as pfsense's hostname. If that's the case, the reason I don't want to do that is because it wouldn't match how everything else is set up, and having a single device resolve on two different hostnames on the same lan seems kinda weird.


  • LAYER 8 Global Moderator

    Dude how hard is this to understand??

    Your pfsense current called pfsenes.something and its lan IP is 1.2.3.4
    You created an override called pfsense.something that has IP address 5.6.7.8

    Your clients are using pfsense.something that you want only to resolve to 5.6.7.8

    You only want pfsense.something to resolve to 5.6.7.8..  So change pfsense name in general to pfsense.otherthing

    It really is that simple..

    Now all your clients setup to resolve pfsense.something all resolve it to 5.6.7.8 and only 5.6.7.8

    my pfsense is pfsense.local.lan, its lan IP is 192.168.9.253, I created a host override to its wlan interface IP 192.168.2.253.. If I query pfsense.local.lan I now get both..  So I change its name in general.. Now when I query pfsense.local.lan I only get the 192.168.2.253 address..




  • Lol, I get what you're saying, and thank you.

    The point which I may not be getting across clearly is that I don't want pfsense.something and pfsense.otherthing, even if they are both in different subnets/vlans. I only want pfsense.something. I have an idea in mind already on how to work around it while keeping a single hostname, but for now I've just removed the IP from the LAN interface entirely since I'm only using the VLANs.


  • LAYER 8 Global Moderator

    dude you can not have pfsense.something with 2 different addresses and only return 1 address when you have 2 of them…  JFC dude really!!!

    What part do you not get about this???

    Your saying you want the same fqdn 2 have IPs but only return 1 IP...  It doesn't work like that!!!

    I can not paint my car 2 colors red on one side and blue on the other and people tell me the car is only blue.. What I can do if you use dnsmasq is use the localise feature where if the guy is standing on the blue side he will tell you its blue, and if the guy is standing on the red side he will tell you its red..

    But you can not have the name of pfsense something, with an IP address of 1.2.3.4 and use the same exact name with IP address 5.6.7.8 and not both get them returned... What does is freaking matter??  If you don't want to use 1.2.3.4 then don't try and resolve pfsense.newname..

    What freaking point does it make what pfsense name is if nobody is going to resolve it??

    Here is another idea, change your LAN IP to be what you want to resolve, and not freaking create a override...  Your making an issue out of nothing..



  • I find it funny that you've gotten so worked up over this.

    Your saying you want the same fqdn 2 have IPs but only return 1 IP

    If that's what you've understood, perhaps I haven't been clear enough. I want 1 FQDN returning 1 IP. What I currently have is 1 FQDN returning 2 IPs. What you've suggested previously is to have 2 FQDNs returning 1 IP each. It seems fairly clear to me what the intention is, given the original question, "How can I have pfsense's hostname resolve to only 1 IP that is not the default LAN interface IP?"

    Your last suggestion of "change your LAN IP to be what you want to resolve" is exactly the idea I had to resolve this, but it will require extra configuration of VLAN interfaces and switch ports which I am trying to avoid, hence this thread.

    I can not paint my car 2 colors red on one side and blue on the other and people tell me the car is only blue.

    That's an amusing analogy. Perhaps if they were the right kind of color-blind? :)


  • LAYER 8 Global Moderator

    "I want 1 FQDN returning 1 IP. "

    But dude that is NOT what your doing… JFC dude are you really this freaking dense??

    You call pfsense.something and it has its lan IP..  You then create another entry pfsense.something in the overrides and give it another IP..  So now you have same FQDN with 2 IPs..  And your complalinging that is not what you want... But that is exactly what you did..

    The solution that is all of 5 seconds to implement is change pfsense name to pfsense.somethingelse and leave your override pfsense.something with the IP you want..

    What is frustrating is why you can not see this??



  • I>But that is exactly what you did

    It's exactly what I did if you include me trying to remove the host entry manually as mentioned in the first post.

    Since the default behavior of pfsense is to implement that host entry no matter what, I started this thread asking for a way around it, or another option. As for the solution that "takes 5 seconds to implement", it's not the solution that I want given other factors in the environment, and the solution that I've decided to implement will take longer (as mentioned in the previous post).

    Since all of the legit traffic are on VLANs, I've simply set the LAN IP to "none" temporarily until there's time to do things the longer way.



  • I am experiencing this inconvenience too and I must say I agree with Marc05.
    I know changing the pfSense hostname would solve the problem but in my opinion one machine should only have one hostname, to avoid any possible confusion, in case of reverse lookup for example.
    The fact is pfSense adds its hostname to Unbound no matter what. And It doesn't give the choice to which IP it resolves, it's always the one of the second interface (LAN) even though this interface distinction (WAN, LAN, OPT1…) is obsolete.
    https://doc.pfsense.org/index.php/Interface_Settings

    But yeah if you try and create override with the same name as what pfsense then yeah your going to get both of them..

    That's in complete contradiction with the purpose of an override. Overriding is replacing something with something else, not adding alongside it. Proof is you can't create two DNS override with the same hostname, at least using the management interface. But pfSense is creating that situation itself.

    Therefore I think there should be an option to deactivate the automatic adding of pfSense hostname to Unbound or at least an option to choose which IP to resolve to.
    In the meantime, what can we do so the hostname is not automatically added to the DNS resolver or so we can change the interface to resolve to?


  • LAYER 8 Global Moderator

    It is NOT in contradiction of what an override is..  An override is meant to resolve something locally, or OVERRIDE something externally..  In this case you have pfsense IP with pfsense.something which yes default to the LAN ip..  Since many many many deployments only have 1 interface on the lan side…  So yes this is what the default name is..  And this is what is put in the host file - which unbound loads up to serve out because this is where it puts entries for like dhcp clients, etc..

    You can call it whatever you want..  But that first interface is what it default to as a map to the name and its IP..

    But what you can not do is now create another entry with the same exact name pfsense.something and not expect it to return both of those..

    This is really such a nonissue its blowing my mind..  If you don't want name pfsense.something to resolve to the lan IP..  Then change pfsense name to pfsense.somethingelse and put in whatever IP you want for pfsense.something in the overrides.

    Or like everyone else on the planet want to resolve a different IP that is on the firewall or anywhere else use a different name pfsense.otherinterface for example..

    So what your saying is you should be able to pick what interface the name you put in the system resolves too..  I really just don't get the issue..  It uses the first interface..  If you want that first interface/name to resolve to 1.2.3.4 then put 1.2.3.4 on it..  Which is what vast majority of deployments are out of the box..  1 wan inerface, one lan side interface..

    The OP complaint is he created another interface put an IP on it, and wants that to resolve to pfsense.something vs pfsense.somethingelse..  So just change the system name in general to pfsense.otherthing  You do know however you look at this your device is going to have multiple names since it has multiple IPs...  Most people have some fqdn that resolves to the wan side IP..  Shoot I have multiple names that point to my public IP..

    But according to you that is wrong... "in my opinion one machine should only have one hostname"  Oh my gawd I point multiple fqdn to my IP..  so it has multiple names???

    "you can't create two DNS override with the same hostname, at least using the management interface. But pfSense is creating that situation itself"

    You make a good point!!!  The check should prevent the user from creating an overide with the same name that is in system general tab since it checks that you don't put multiple overrides with the same name that point to multiple ips ;)

    Going to put in a bug report right away.. Since if they would of had that check in place, this thread would of never been even started.



  • I want my DNS server to resolve what I tell it to resolve and ONLY what I tell it. And I don't want it to resolve itself to some hard-coded interface unless I tell it to. Is that an unreasonable request?


Log in to reply