
Topic: DNS Resolver


Hugovsky
Re: DNS Resolver
« Reply #45 on: November 13, 2014, 11:11:12 am »
Thanks again for being so fast. I'll test it and report back.

Hugovsky
Re: DNS Resolver
« Reply #46 on: November 13, 2014, 05:21:32 pm »
It's working perfectly on the latest snapshot. Thanks again. Although, I was reading unbound docs and noticed this:

"FILE FORMAT
There must be whitespace between keywords. Attribute keywords end with a colon ':'. An attribute is followed by its containing attributes, or a value."

Text parsed in the advanced field breaks the line with spaces. Do you think this is important?

Escorpiom
Re: DNS Resolver
« Reply #47 on: November 13, 2014, 09:17:21 pm »
Phil and Hugovsky, thanks for following up on this. I know it's community so it's awesome you helped out with this.
Will test it shortly.

Cheers.

athurdent
Re: DNS Resolver
« Reply #48 on: November 14, 2014, 12:09:56 am »
I'm using CARP virtual IPs and run Unbound on "All" interfaces.
If I query the CARP IP from a Linux box, I get this:

Code:
root@none:~# dig @192.168.xxx.254 www.heise.de
;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53
;; reply from unexpected source: 192.168.xxx.5#53, expected 192.168.xxx.254#53

Snapshot is AMD64 from today.

I took another look at this:

IP aliases can be explicitly chosen in the GUI but do not appear in unbound.conf so this does not help with the problem. Seems like a bug and should be fixed I guess.

If you set
Code:
interface-automatic: yes
then it replies properly when doing a dig @ the alias IP.
This feature is marked experimental though, I don't know the downsides.

p1erre
Re: DNS Resolver
« Reply #49 on: November 14, 2014, 12:50:34 am »
Hi

I have another issue: all my DHCP6 static bindings are not included in /var/unbound/host_entries.conf. It shows only the IPv4 entries.

gonzopancho (Guest)
Re: DNS Resolver
« Reply #50 on: November 14, 2014, 07:27:03 pm »
file a bug.

p1erre
Re: DNS Resolver
« Reply #51 on: November 15, 2014, 07:42:27 am »

cmb (Chris Buechler)
Re: DNS Resolver
« Reply #52 on: November 17, 2014, 10:01:53 pm »
Most things should be fixed here now. Open DNS Resolver bug tickets can be viewed here:
https://redmine.pfsense.org/projects/pfsense/issues?query_id=42

If you notice anything not on the list, please post here on this board, either in this thread or start your own. If you have a clearly-defined bug report, open a ticket at redmine.pfsense.org. If you're not sure of the specific issue, it's best to discuss it here first, where someone can help quantify the issue.

athurdent
Re: DNS Resolver
« Reply #53 on: November 18, 2014, 12:38:53 am »
Does not seem to work properly with IP Aliases or CARP interfaces here. IP Aliases don't work at all, CARP virtual IPs create an interface entry with "Array" and unbound fails to start.

To reproduce:
-create an IP Alias
-choose it as the only Network interface in Unbound
Result in /var/unbound/unbound.conf

Code:
# Interface IP(s) to bind to
Or:
-create a CARP virtual IP
-choose it as the only Network interface in Unbound
Result in /var/unbound/unbound.conf

Code:
# Interface IP(s) to bind to
interface: 192.168.xxx.6
interface: Array

I'm testing on the latest:
Code:
2.2-BETA (amd64)
built on Mon Nov 17 19:31:46 CST 2014
FreeBSD 10.1-RELEASE

phil.davis
Re: DNS Resolver
« Reply #54 on: November 18, 2014, 02:02:22 am »
cmb fixed that "Array" thing with a very recent commit: https://github.com/pfsense/pfsense/commit/845fd268c94e3c4de31700ce29963038e28fa017
But I suspect that now you might just get no binding.
You could install the latest /etc/inc/unbound.inc and then report back what remains wrong.
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

athurdent
Re: DNS Resolver
« Reply #55 on: November 18, 2014, 02:21:49 am »
Thanks Phil!
CARP seems to work Ok now, also verified that it can be queried with dig@.
An IP alias still behaves as described above.

dstroot
Re: DNS Resolver
« Reply #56 on: November 18, 2014, 12:34:35 pm »
Used to do this with dnsmasq:

Insert the following into the “Advanced” text area field on the DNS Forwarder page in pfSense:  bogus-nxdomain=92.242.140.2

This stopped my ISP from hijacking DNS.

Doesn't seem to work with unbound.  Is there an equivalent command?  If I put it in the unbound advanced box unbound dies.
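
A config check covering the two failure modes in this thread (the "interface: Array" / no-interface output athurdent quoted, and a dnsmasq-style bogus-nxdomain line pasted into the Unbound advanced box, which makes unbound refuse to start). This is an added example, not pfSense's or Unbound's own code; the unbound.conf sample and its addresses are constructed, and the clause and dnsmasq-only keyword sets are a small subset chosen for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the broken output quoted in the thread; the
# addresses are made up and it is not copied from a real pfSense box.
SAMPLE_CONF = """\
server:
# Interface IP(s) to bind to
interface: 192.168.10.6
interface: Array
# dnsmasq directive pasted into the unbound advanced box
bogus-nxdomain=92.242.140.2
"""

CLAUSES = {"server", "forward-zone", "stub-zone", "remote-control"}
# dnsmasq-only options with no unbound equivalent (they use key=value syntax)
DNSMASQ_ONLY = {"bogus-nxdomain", "dhcp-range", "address", "no-resolv"}


def check_unbound_conf(text):
    """Return [(line_number, problem)] for a generated unbound.conf; [] means OK."""
    problems = []
    bound = 0  # interface: lines that carry a usable address
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9-]+)=(.*)$", line)
        if m:  # key=value is dnsmasq syntax and never valid in unbound.conf
            key = m.group(1)
            hint = " (dnsmasq-only directive)" if key in DNSMASQ_ONLY else ""
            problems.append((lineno, f"'{key}=...' is not unbound syntax{hint}"))
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            problems.append((lineno, f"'{key}' has no ':' after the keyword"))
        elif key in CLAUSES and not value:
            continue  # clause header such as "server:"
        elif key == "interface":
            addr = value.split("@", 1)[0]  # allow the IP@port form
            try:
                ipaddress.ip_address(addr)
                bound += 1
            except ValueError:
                problems.append((lineno, f"interface value {value!r} is not an IP address"))
    if bound == 0:  # unbound then listens on localhost only, so LAN clients get no answers
        problems.append((0, "no usable interface: line; unbound will listen on localhost only"))
    return problems
```

Running it over the generated /var/unbound/unbound.conf after a reconfigure flags the "Array" line, the missing binding for an IP alias, and any pasted dnsmasq directive before unbound is restarted.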

cmb (Chris Buechler)
Re: DNS Resolver
« Reply #57 on: November 18, 2014, 03:06:04 pm »
I don't see an equivalent to that with Unbound. Though if you have Unbound doing its own recursion (don't enable forwarding mode), you should never see that from your ISP.

dstroot
Re: DNS Resolver
« Reply #58 on: November 18, 2014, 03:16:15 pm »
@CMB - thanks for the swift response.  I know you are working at banging out 2.2.

Can you elaborate what "forwarding mode" does for unbound?  I want unbound to *cache DNS queries* and be the DNS server for my LAN.  I was under the impression I needed it on so unbound would be a cache server and "forward" the results of my main DNS servers (for example say 8.8.8.8)

BTW I did turn forwarding off to see what happens and the DNS hijacking stopped.  Thx for that tip!
« Last Edit: November 18, 2014, 03:21:10 pm by dstroot »

phil.davis
Re: DNS Resolver
« Reply #59 on: November 18, 2014, 07:08:57 pm »
Forwarding mode means it will just send queries (for domains not already in the cache) directly upstream to the defined upstream DNS server/s it has been told about.
With recursion, unbound does its queries directly through the chain of internet root servers down to the authoritative server for the requested domain, thus avoiding using some intermediate upstream DNS and its cache, but keeps a cache for itself.
http://en.wikipedia.org/wiki/Domain_Name_System#Recursive_and_caching_name_server