Netgate Store

Author Topic: Wildcard DNS entries  (Read 16199 times)

0 Members and 1 Guest are viewing this topic.

Offline tommyboy180

  • Hero Member
  • *****
  • Posts: 978
  • Karma: +6/-0
    • View Profile
Wildcard DNS entries
« on: December 09, 2011, 09:47:56 am »
If you need a wildcard in your DNS forwarder (*

   1. Log in to pfSense 2.0 instance via the web interface.
   2. Go to Services-> DNS Forwarder (http://pfSensense_url/services_dnsmasq.php)
   3. Click the Advanced button Add as many of the following as you need, each entry on a new line.


Where dev is the end of the wildcard entry, and is the ip that these wildcard names will resolve to. Think of dev as *.dev, but only list the part after the dot. So,, and anything else that ends in .dev and is not defined elsewhere, will resolve to the ip provided.

So if you need *.com then the corresponding line will look like


Thank you Scott
« Last Edit: February 13, 2015, 01:19:08 pm by dvserg »
-Tom Schaefer
SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

Please support pfBlocker | File Browser | Strikeback

Offline doktornotor

  • Hero Member
  • *****
  • Posts: 8551
  • Karma: +964/-278
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Wildcard DNS entries
« Reply #1 on: February 13, 2015, 01:39:49 pm »
Howto for DNS Resolver (Unbound):

1. Go to Services -> DNS Resolver
2. Add the desired wildcard entries to the Advanced box:

Code: [Select]
local-zone: "" redirect
local-data: " 3600 IN A"

Documentation: unbound.conf(5)

Code: [Select]
                 The query is answered from the local data for the zone  name.
                 There  may  be  no  local  data  beneath the zone name.  This
                 answers queries for the zone, and all subdomains of the  zone
                 with the local data for the zone.  It can be used to redirect
                 a domain to return a different  address  record  to  the  end
                 user,    with   local-zone:   ""   redirect   and
                 local-data: " A" queries for  www.exam-
        and are redirected, so that users
                 with web browsers  cannot  access  sites  with  suffix  exam-
Do NOT PM for help!

Offline Yowsers

  • Jr. Member
  • **
  • Posts: 28
  • Karma: +6/-0
    • View Profile
Re: Wildcard DNS entries
« Reply #2 on: May 08, 2015, 07:23:40 am »

Offline Supermule

  • Hero Member
  • *****
  • Posts: 2530
  • Karma: +77/-102
    • View Profile
Re: Wildcard DNS entries
« Reply #3 on: May 08, 2015, 07:42:06 am »
I cant get it to work
Kind regards Brian

Offline fossum_13

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Re: Wildcard DNS entries
« Reply #4 on: October 14, 2015, 05:05:29 pm »
Seems that if you try the above for pfSense 2.2.4 with an unbound resolver, you will get a duplicate zone error...

Code: [Select]
unbound: [42597:0] warning: duplicate local-zone
unbound: [42597:0] error: could not enter zone transparent
unbound: [42597:0] fatal error: Could not set up local zones

if I just use the last line (suggested by the wiki), it starts successfully. From an external IP dig doesn't seem to like it and the wildcard still doesn't work...

Code: [Select]
[user@localhost /]$ dig

; <<>> DiG 9.10.2-P4-RedHat-9.10.2-5.P4.fc22 <<>>
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24562
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 157 msec
;; WHEN: Wed Oct 14 15:01:32 PDT 2015
;; MSG SIZE  rcvd: 12

[user@localhost /]$

FYI - I have opened TCP/UDP 53 in the firewall

Offline Criggie

  • Jr. Member
  • **
  • Posts: 79
  • Karma: +10/-0
    • View Profile
Re: Wildcard DNS entries
« Reply #5 on: January 26, 2016, 10:33:37 pm »
This is in the wiki as well.

Yes - and that page also misses a big gotcha.

As someone coming from dnsmasq / "forwarder"  I had multiple host overrides too.

Unbound / resolver refuses to start if you set up a wildcard subdomain AND have host overrides that match.  So you need to delete all the host overrides that use the same subdomain. 

If you want to override a host in your domain override with unbound, best to do it on the resolver at which you are pointing.