
Topic: don't forward without domain


Offline AndrewZ

don't forward without domain
« on: January 28, 2018, 03:45:02 pm »
I'm wondering if it is possible [with unbound] to stop forwarding requests without domain.
Here is the example - the local PC is sending a query and receiving an undesired response:

Code:
192.168.1.2 192.168.1.1 DNS 62 Standard query 0x0003 A gw
192.168.1.1 192.168.1.2 DNS 118 Standard query response 0x0003 A gw SOA gw01.dns.pt

Now with another name:
Code:
192.168.1.2 192.168.1.1 DNS 64 Standard query 0x0004 A brix
192.168.1.1 192.168.1.2 DNS 139 Standard query response 0x0004 No such name A brix SOA a.root-servers.net
192.168.1.2 192.168.1.1 DNS 68 Standard query 0x0005 A brix.lan
192.168.1.1 192.168.1.2 DNS 84 Standard query response 0x0005 A brix.lan A 192.168.1.6
After "No such name", the client PC adds the default domain "lan", sends another query and receives a proper response.

Another question - is it possible to force Unbound to add the default domain to all the queries it receives without a domain?
« Last Edit: January 28, 2018, 03:51:45 pm by AndrewZ »
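As an added example (not from this post, nor code from pfSense, Unbound or dnsmasq), a small Python check that parses capture lines in the layout quoted above, pairs each query with its response by transaction id, and flags single-label queries whose response carries SOA data from outside the local domain, which is the sign that the resolver forwarded them upstream instead of answering locally. The sample capture is constructed from the lines in the post and the local domain "lan" is an assumption.

```python
import re

# Constructed sample in the tshark-style layout shown in the post (resolver 192.168.1.1).
SAMPLE_CAPTURE = """\
192.168.1.2 192.168.1.1 DNS 62 Standard query 0x0003 A gw
192.168.1.1 192.168.1.2 DNS 118 Standard query response 0x0003 A gw SOA gw01.dns.pt
192.168.1.2 192.168.1.1 DNS 64 Standard query 0x0004 A brix
192.168.1.1 192.168.1.2 DNS 139 Standard query response 0x0004 No such name A brix SOA a.root-servers.net
192.168.1.2 192.168.1.1 DNS 68 Standard query 0x0005 A brix.lan
192.168.1.1 192.168.1.2 DNS 84 Standard query response 0x0005 A brix.lan A 192.168.1.6
"""

# Query:    "Standard query <txid> <qtype> <qname>"
# Response: "Standard query response <txid> [No such name] <qtype> <qname> [<records>]"
QUERY_RE = re.compile(r"Standard query (0x[0-9a-f]+) (\w+) (\S+)$")
RESPONSE_RE = re.compile(r"Standard query response (0x[0-9a-f]+) (?:No such name )?(\w+) (\S+)(?: (.*))?$")


def is_single_label(name):
    """True for a bare host name such as 'gw' (no dots, ignoring a trailing root dot)."""
    return "." not in name.rstrip(".")


def parse_capture(text):
    """Pair each query with its response by DNS transaction id."""
    txns = {}
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            txid, qtype, qname = m.groups()
            txns[txid] = {"qtype": qtype, "qname": qname, "answer": "", "nxdomain": False}
            continue
        m = RESPONSE_RE.search(line)
        if m:
            txid, qtype, qname, answer = m.groups()
            t = txns.setdefault(txid, {"qtype": qtype, "qname": qname, "answer": "", "nxdomain": False})
            t["answer"] = answer or ""
            t["nxdomain"] = "No such name" in line
    return txns


def leaked_single_label_queries(text, local_domain):
    """Return (qname, soa_mname, nxdomain) for each single-label query whose response
    carries an SOA from outside local_domain, i.e. the resolver forwarded it upstream."""
    leaks = []
    for t in parse_capture(text).values():
        if not is_single_label(t["qname"]):
            continue
        m = re.search(r"SOA (\S+)", t["answer"])
        if m and not m.group(1).rstrip(".").endswith("." + local_domain):
            leaks.append((t["qname"], m.group(1), t["nxdomain"]))
    return leaks
```

Run against the sample, both "gw" and "brix" are reported as forwarded, while "brix.lan" is skipped because it is a fully qualified local name.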

Offline JKnott

Re: don't forward without domain
« Reply #1 on: January 28, 2018, 04:05:25 pm »
The only way to do that would be to have something that does a DNS lookup on everything heading out. As for your second question, I'm not sure what you're looking for. A fully qualified domain name has 2 parts, a host name and a domain name. Do you want to make those up for addresses that don't resolve?

Online johnpoz

Re: don't forward without domain
« Reply #2 on: January 28, 2018, 04:15:10 pm »
Why would your client ask for brix unless the user put in just brix? Have this user use brix.lan from the get-go ;) Use of a single label is normally not a good idea; your local domain should be, say, something.tld.

dnsmasq has an option, domain-needed; I am not aware of a similar option in Unbound.

You could use the forwarder, which is dnsmasq, and set this option. You could use dnsmasq before pfSense to filter on this, say Pi-hole or something.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline AndrewZ

Re: don't forward without domain
« Reply #3 on: January 28, 2018, 04:18:39 pm »
Regarding my #2 - I was thinking about adding a "search domain" similar to what we have on the clients, i.e. when Unbound receives a non-FQDN query (no dots) it should first add the default domain, then try to resolve locally.

Online johnpoz

Re: don't forward without domain
« Reply #4 on: January 28, 2018, 04:24:24 pm »
A non-domain query is not valid; it's not going to resolve locally. The search suffix is only going to be added on the second query; if your client only asks for host, that is what will be queried for. Tell your clients not to query just host and always use host.domain and your problem goes away ;)

Offline AndrewZ

Re: don't forward without domain
« Reply #5 on: January 28, 2018, 04:27:01 pm »
dnsmasq has an option domain-needed

Exactly. This is what I had in mind; I was using it on my OpenWrt travel box in the past.

Definitely it will not be a big deal to always use host.domain; today it just popped up during some troubleshooting where it was just quicker to type ping gw.

Thanks for all the suggestions!