DNS Resolver vs. DNS Forwarder question
-
I have a semi-complex DNS setup and I'm trying to add my 3100 (23.09-RELEASE) as a forwarder for internal devices.
I'm running PiHole (#53) and Bind9 (#5353) as its forwarder. Bind has the master zone for my internal domain and is only accessible from the local PiHole. (There is also a duplicate set as a slave, with PiHole Sync.)
System > General > DNS Server -> 192.168.1.3, 192.168.1.2
I tried setting up DNS Forwarder (which is really all I need) but it doesn't seem to be forwarding the request. I also tried the DNS Resolver to see if I was misunderstanding their differences and it's doing the same thing.
Enable DNS Forwarder
Query DNS Servers sequentially
Port 53, All Interfaces
Strict Binding
netgate pfsense - 192.168.1.1
pihole - 192.168.1.3
$ dig +short @192.168.1.1 yahoo.com
74.6.143.25
74.6.143.26
74.6.231.20
74.6.231.21
98.137.11.163
98.137.11.164
$ dig +short @192.168.1.1 gw.basement.lab
$ dig +short @192.168.1.3 yahoo.com
74.6.231.21
74.6.231.20
74.6.143.25
74.6.143.26
98.137.11.164
98.137.11.163
$ dig +short @192.168.1.3 gw.basement.lab
192.168.1.1
P.S. I don't think it makes a difference, but I do have a firewall rule disallowing 53/853 outbound from the network unless the request comes from the PiHole server.
-
@aram535 gw.basement.lab is presumably a private IP? See https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
-
@SteveITS Thank you. Yes it's an internal RFC1918.
I did add the
rebind-domain-ok=/basement.lab/
to the custom configuration and applied the changes; however, it is still not responding to DNS queries. Is it TLD aware? Because it's going out to the root servers.
$ dig +all @192.168.1.1 gw.basement.lab

; <<>> DiG 9.18.19-1+ubuntu20.04.1+isc+1-Ubuntu <<>> +all @192.168.1.1 gw.basement.lab
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23076
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f60947a4e1374fb701000000661b8ca4d7a146d0b883f233 (good)
;; QUESTION SECTION:
;gw.basement.lab.        IN  A

;; AUTHORITY SECTION:
.                10682   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2024041400 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Sun Apr 14 03:58:28 EDT 2024
;; MSG SIZE  rcvd: 147
I tried turning the forwarding options on and off, but those seem to be for reverse lookups and not A lookups.
Query DNS Servers Sequentially
Require Domain
Do not forward private reverse lookups
$ dig +all @192.168.1.1 gw.basement.lab A

; <<>> DiG 9.18.19-1+ubuntu20.04.1+isc+1-Ubuntu <<>> +all @192.168.1.1 gw.basement.lab A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51621
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 73c9b90c3a598fa601000000661b8caacbe1565215ddedce (good)
;; QUESTION SECTION:
;gw.basement.lab.        IN  A

;; AUTHORITY SECTION:
.                10676   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2024041400 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Sun Apr 14 03:58:34 EDT 2024
;; MSG SIZE  rcvd: 147
-
@aram535 said in DNS Resolver vs. DNS Forwarder question:
did add the rebind-domain-ok=/basement.lab/ to the custom configuration
I have not used Forwarder as it was replaced by Resolver a long time ago. I know it works in Resolver:
server:
  private-domain: "basement.lab"
Resolver can be set to forward as well, but if you do that, disable the DNSSEC option, since DNSSEC is handled by the forwarder.
-
@SteveITS Thanks for that. I switched over to the Resolver and added the private-domain setting, but it's still going out to the root servers.
192.168.1.3 is the internal master (pihole)
Listen on port 53
Enable SSL/TLS Service
All interfaces
All Outgoing interfaces
Strict Outgoing Network interface binding
System Domain Local Zone Type: Transparent
DNSSEC
DNS Query Forwarding
Use SSL/TLS for outgoing
Custom Options:
server:
  private-domain: basement.lab
Via dig:
$ dig +noall +auth @192.168.1.1 gw.basement.lab A
.                10527   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2024041600 1800 900 604800 86400
$ dig +short @192.168.1.3 gw.basement.lab A
192.168.1.1
I'll add this as well: if I use Diagnostics -> DNS Lookup, gw.basement.lab resolves fine, so netgate can reach the DNS server and query it without issue.
-
@aram535 said in DNS Resolver vs. DNS Forwarder question:
Custom Options:
server:
  private-domain: basement.lab
Should look like this:
server:
  private-domain: "basement.lab"
Did you disable DNSSEC?
Otherwise also add
domain-insecure: "basement.lab"
-
@viragomann said in DNS Resolver vs. DNS Forwarder question:
Did you disable DNSSEC?
Yes, from my previous post:
DNSSEC
Quoting the value and adding the private-insecure did not change anything. It still queries the root TLD.
-
@aram535 said in DNS Resolver vs. DNS Forwarder question:
Is it TLD aware
unbound, out of the box, is a resolver.
So, yes, it has these DNS root name servers built into the program. The IPs (v4 and v6) of these 13 root servers never change, as they are the foundation of the entire 'Internet DNS' system.
One, two, or more might be down for maintenance, or a cable broken, or whatever other peering reasons; as long as one of them works, your DNS works.
That said, if you are forwarding, you're not using these root servers, nor the TLDs (which give info about dot com, dot org, dot net, etc.), but some other remote DNS resolver(s) you've specified here:
(I've none, as none are needed to make DNS work - you know why now.)
Most common are 8.8.8.8, 1.1.1.1, 9.9.9.9, etc.
I'm curious: how do you know that unbound, while in Forwarding mode, is still using the root servers?
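The question just above (how do you know unbound is still using the root servers?) can be answered from the dig output posted earlier in the thread. What follows is an added shell script, not code from any post here: it classifies a `dig +all` response by its status and its AUTHORITY section. An NXDOMAIN whose authority record is the root zone SOA (". IN SOA a.root-servers.net.") was produced by walking the public root, where the .lab TLD does not exist; an answer that really went to PiHole/Bind would carry the A record or, for a missing name, the basement.lab SOA. The host name and addresses (gw.basement.lab, 192.168.1.1, 192.168.1.3) are the ones from the thread; the script name checkdns.sh and the verdict labels are my own.

```shell
#!/bin/sh
# Added example (not from the thread): classify a `dig +all` answer so the
# response itself tells you where a negative answer came from.

# classify_dig_answer: reads full `dig +all` output on stdin, prints one word.
#   answered  - NOERROR with at least one record in the ANSWER section
#   nodata    - NOERROR but an empty ANSWER (name exists, no A record)
#   root      - NXDOMAIN and the AUTHORITY section is the root zone SOA,
#               i.e. the resolver walked the public root for this name
#   upstream  - NXDOMAIN with some other authority (the zone itself said no)
#   unknown   - SERVFAIL, timeout, or output this parser does not recognise
classify_dig_answer() {
    _out=$(cat)
    _status=$(printf '%s\n' "$_out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    _answers=$(printf '%s\n' "$_out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$_status" in
    NOERROR)
        if [ "${_answers:-0}" -gt 0 ]; then printf 'answered\n'; else printf 'nodata\n'; fi
        ;;
    NXDOMAIN)
        # An SOA record whose owner name is "." means the negative answer
        # was built from the root zone, not from the internal zone.
        if printf '%s\n' "$_out" | grep -qE '^\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+SOA[[:space:]]'; then
            printf 'root\n'
        else
            printf 'upstream\n'
        fi
        ;;
    *)
        printf 'unknown\n'
        ;;
    esac
}

# check_resolver NAME SERVER: query one resolver and print "SERVER verdict".
# Needs dig and network access; the verdict logic above is what runs offline.
check_resolver() {
    _verdict=$(dig +all +time=2 +tries=1 "@$2" "$1" A 2>/dev/null | classify_dig_answer)
    printf '%s %s\n' "$2" "$_verdict"
}

# Usage: sh checkdns.sh gw.basement.lab 192.168.1.1 192.168.1.3
# (addresses from the thread; substitute any resolver you want to compare)
if [ $# -ge 2 ] && command -v dig >/dev/null 2>&1; then
    _name=$1
    shift
    for _srv in "$@"; do
        check_resolver "$_name" "$_srv"
    done
fi
```

Run against the two addresses from the thread, a result of "192.168.1.1 root" next to "192.168.1.3 answered" confirms the pfSense resolver answered basement.lab from the root rather than from the configured upstream; whichever setting change is tried next, the first resolver's verdict flipping from root to answered is the check that it worked.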
-
I'm running PiHole (#53) and Bind9 (#5353) as its forwarder. <<
So the DNS request flow is:
Client --> unbound --> PiHole --> Bind
Why the extra step of using unbound on pfSense? Why not hand out the PiHole address to DHCP clients directly?
Also, isn't the unbound cache going to affect the PiHole request reporting?
-
@ahking19 There are 7 VLANs that I'd like to use pihole, but I don't want to expose the pihole directly on every VLAN. Using the netgate as the DHCP and DNS would just be easier. I don't care about the reporting of pihole.