Todo #10533
closedChange default domain for new installations from "localdomain" to "home.arpa"
100%
Description
RFC 8375 sets aside "home.arpa" for "non-unique use in residential home networks." and in general seems to be preferable compared to alternatives like ".home" and ".local" which have been taken for use by others.
pfSense currently uses "localdomain" which hasn't been formally reserved for this use that I can see in any current (not expired) RFC or draft. It was mentioned in draft-chapin-rfc2606bis-00 and draft-chapin-additional-reserved-tlds-01 both of which expired several years ago.
The main place this would be changed is in the default config.xml, and one additional reference in index.php. There are some other "localdomain" references in the DNS Resolver and Forwarder but they are general and may not need to be changed. Though we may want to add "home.arpa" to those examples.
There are a few mentions in the docs, but not many.
Updated by → luckman212 over 4 years ago
I'd suggest one of the following instead, since many pfSense installs are not used in home environments.
https://tools.ietf.org/html/rfc6762#appendix-G suggests these are valid alternatives:
.internal .private .lan
These are short, generic enough and make sense for both home and corporate networks.
Updated by Rick Coats about 4 years ago
→ luckman212 wrote:
I'd suggest one of the following instead, since many pfSense installs are not used in home environments.
https://tools.ietf.org/html/rfc6762#appendix-G suggests these are valid alternatives:
[...]
These are short, generic enough and make sense for both home and corporate networks.
If you want to use something like you listed, then Services / DNS Resolver / General Settings / System Domain Local Zone Type should NOT be “Transparent”.
I think from reading the Unbound manual it should be “Static” in that case. Otherwise, you have the issue of DNS leakage in the Global DNS.
With “home.arpa” it is ok to use “Transparent” as default because it is an official special use domain (https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xml) so there are DNS servers to properly respond.
Updated by Rick Coats about 4 years ago
There is also a Draft (2017) https://tools.ietf.org/html/draft-wkumari-dnsop-internal-00 also expired (2018) that proposes making .internal. a special use domain for internal use.
Updated by Jim Pingle about 4 years ago
→ luckman212 wrote:
I'd suggest one of the following instead, since many pfSense installs are not used in home environments.
https://tools.ietf.org/html/rfc6762#appendix-G suggests these are valid alternatives:
[...]
These are short, generic enough and make sense for both home and corporate networks.
I considered those but that RFC also says this (emphasis mine):
[...] We do not recommend use of unregistered top-level
domains at all, but should network operators decide to do this, the
following top-level domains have been used on private internal
networks without the problems caused by trying to reuse ".local." for
this purpose:
Given that RFC 8375 specifically registers home.arpa for this purpose I believe it's still the best fit out of all the current choices.
And while it is true that many pfSense users do not use it in a home environment, they are free to change it to whatever domain they like in the setup wizard. The intent of this change to have a sane and RFC-compliant default (from a valid/non-expired RFC, anyhow...)
Updated by Jim Pingle about 4 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset c948bc45f6f70ff35074129858a2dfa4e3f64a37.
Updated by Max Leighton about 4 years ago
Tested in
2.5.0-DEVELOPMENT (amd64)
built on Fri Dec 11 03:05:22 EST 2020
FreeBSD 12.2-STABLE
The default fqdn is pfSense.home.arpa as expected. The help text in the DNS resolver is now also using home.arpa in the examples.
Updated by Max Leighton almost 4 years ago
- Tracker changed from Todo to Feature
- Status changed from Feedback to Resolved
There have been no other issues observed here, so I will mark it as resolved.