
Author Topic: Preventing Forwarder/Resolver Loop  (Read 181 times)


Offline Elegant

Preventing Forwarder/Resolver Loop
« on: February 03, 2018, 01:12:45 pm »
Hi guys,
I currently am taking a look at my network and had something stand out to me when using DNS Resolver. My current layout is relatively simple:

Host -> AD DNS -> pfSense

I would like to have the pfSense (localhost interface) be able to resolve some of my domain queries (example.com), but it comes after AD DNS so it can't query it. I decided to add a Domain Override, but this got me thinking: if I were to attempt to resolve something like "Test.example.com", which does not exist, we should enter a loop.

The "Test.example.com" query should go to the AD DNS (Domain Override) and be forwarded back to the DNS Resolver to then meet the Domain Override to go back to the AD DNS and so on. If I am wrong on this, please let me know.

It seems like it would be best to have the DNS Resolver not use the Domain Override when queries are coming from the AD DNS but I'm not sure how to set that up as other hosts require the current Network Interfaces/Outgoing Network Interfaces in the DNS Resolver to work (AD DNS would be sole exception). Has anyone had this issue before? Perhaps I'm missing something or this is bad practice?

Thanks!
« Last Edit: February 03, 2018, 01:17:22 pm by Elegant »

Offline johnpoz

Re: Preventing Forwarder/Resolver Loop
« Reply #1 on: February 04, 2018, 05:42:12 am »
So your domain is example.com, but there is no test.example.com, which your AD is authoritative for. So why would it ever forward that anywhere? It would send NX. When you ask an authoritative NS for a record that does not exist, it sends an NX.

So if you looked for test.example.com from pfSense and that got sent to your AD DNS, it would get told sorry, that host does not exist; done, no loop.
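The reasoning in the reply above, traced with a small Python model. This is an added example, not code from the original post and not pfSense or unbound code: it simulates an AD DNS that is authoritative for example.com and a pfSense resolver with a Domain Override for that zone, wired to each other the way the first post describes, and then repeats the trace with a non-authoritative, forward-only box behind the override to show the one layout that really does loop. The zone example.com, the record dc1.example.com, the pfSense host entry fw.home.lan and all addresses are made-up test data.

```python
"""Model of the chain in the thread: hosts -> AD DNS -> pfSense resolver.

Added example (not from the post, not pfSense/unbound code). Zone, records
and addresses are constructed test data.
"""

MAX_HOPS = 8  # a real loop would recurse forever; stop and report it instead


class LoopDetected(Exception):
    """Raised when a query bounces between servers more than MAX_HOPS times."""


def _norm(name):
    return name.lower().rstrip(".")


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


class AuthoritativeServer:
    """Like the AD DNS: authoritative for one zone, forwards everything else."""

    def __init__(self, zone, records, forwarder=None):
        self.zone = _norm(zone)
        self.records = {_norm(k): v for k, v in records.items()}
        self.forwarder = forwarder  # wired up once the resolver exists

    def query(self, name, hops=0):
        name = _norm(name)
        if hops > MAX_HOPS:
            raise LoopDetected(name)
        if _in_zone(name, self.zone):
            # Authoritative answer (aa=1): a name missing from the zone is
            # NXDOMAIN and is never forwarded, so nothing goes back to pfSense.
            if name in self.records:
                return ("NOERROR", self.records[name], True)
            return ("NXDOMAIN", None, True)
        if self.forwarder is None:
            return ("SERVFAIL", None, False)
        return self.forwarder.query(name, hops + 1)


class ForwardOnlyServer:
    """Authoritative for nothing, forwards every query (contrast case only)."""

    def __init__(self, forwarder=None):
        self.forwarder = forwarder

    def query(self, name, hops=0):
        if hops > MAX_HOPS:
            raise LoopDetected(name)
        return self.forwarder.query(name, hops + 1)


class Resolver:
    """pfSense-style resolver: Domain Overrides are checked before local data."""

    def __init__(self, overrides, local_records):
        self.overrides = {_norm(z): srv for z, srv in overrides.items()}
        self.local = {_norm(k): v for k, v in local_records.items()}

    def query(self, name, hops=0):
        name = _norm(name)
        if hops > MAX_HOPS:
            raise LoopDetected(name)
        for zone, srv in self.overrides.items():
            if _in_zone(name, zone):
                return srv.query(name, hops + 1)
        if name in self.local:
            return ("NOERROR", self.local[name], False)
        return ("NXDOMAIN", None, False)


def build_chain(ad_server):
    """Wire AD DNS and pfSense to each other as the first post describes."""
    pfsense = Resolver({"example.com": ad_server}, {"fw.home.lan": "192.0.2.1"})
    ad_server.forwarder = pfsense
    return ad_server, pfsense


def trace_authoritative_ad():
    """The poster's layout: AD is authoritative for example.com. No loop."""
    ad, pfsense = build_chain(
        AuthoritativeServer("example.com", {"dc1.example.com": "192.0.2.10"}))
    return {
        "existing_via_ad": ad.query("dc1.example.com"),
        "missing_via_ad": ad.query("Test.example.com"),
        "missing_via_pfsense": pfsense.query("Test.example.com"),
        "outside_zone_via_ad": ad.query("fw.home.lan"),
    }


def trace_forward_only_ad():
    """Contrast: the box behind the override is not authoritative. Loops."""
    ad, pfsense = build_chain(ForwardOnlyServer())
    try:
        return pfsense.query("Test.example.com")
    except LoopDetected as exc:
        return ("LOOP", str(exc))


if __name__ == "__main__":
    for label, result in trace_authoritative_ad().items():
        print(f"{label}: {result}")
    print("forward-only AD:", trace_forward_only_ad())
```

Each result is (rcode, answer, authoritative). On a real network the same check is `dig @<AD DNS address> test.example.com`: the header should show `status: NXDOMAIN` with the `aa` flag set, which is the answer the reply describes and the reason the Domain Override cannot loop.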

Offline Elegant

Re: Preventing Forwarder/Resolver Loop
« Reply #2 on: February 04, 2018, 10:03:56 pm »
Perfect. Thanks!