Bug #15925
openDNS Resolver option for Query Name Minimization cannot be disabled
% Done: 0%
Plus Target Version: 25.03
Release Notes: Default
Affected Architecture: All
Description
In the pfSense DNS Resolver / Advanced Settings there is a setting for Query Name Minimisation which in the pfSense UI defaults to off.
On checking the Unbound release changes documentation the default appears to have changed quite some time ago. This likely impacts both pfSense & pfSense Plus.
- Enabling the Query Name Minimisation setting in the pfSense UI results in the addition of `qname-minimisation: yes` to the pfSense unbound.conf, as expected.
- If Query Name Minimisation is disabled in the pfSense UI (the default), the `qname-minimisation` config line is removed entirely.
However, the Unbound default for the `qname-minimisation` setting is on (refer https://nlnetlabs.nl/documentation/unbound/unbound.conf/):

> qname-minimisation: <yes or no>
> Send minimum amount of information to upstream servers to enhance privacy. Only send minimum required labels of the QNAME and set QTYPE to A when possible. Best effort approach; full QNAME and original QTYPE will be sent when upstream replies with a RCODE other than NOERROR, except when receiving NXDOMAIN from a DNSSEC signed zone. Default is yes.
Proposed fix: modify the configuration generation logic so that the pfSense UI generates `qname-minimisation: no` for the default (disabled) setting, rather than omitting the line.
Suggestion: with this change, additional logic could also be considered to warn the user that qname-minimisation is not useful when Unbound is configured as a forwarding resolver (refer https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization).
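The following is an added illustration, not code from this report and not pfSense's own generator (which is PHP): a Python model of the two generation strategies described above (omit the line when unticked, versus always emit an explicit value), an `effective_qname_minimisation()` check that resolves a rendered unbound.conf the way the daemon does (explicit setting wins, otherwise the compiled-in default of yes), and a constructed forwarding warning for the Quad9 point. Function names, the `forward-zone` detection and the sample config fragments are assumptions made here for the example.

```python
"""Model of the qname-minimisation interaction from pfSense bug #15925.

Illustrative Python only; pfSense's real generator is PHP. The config
fragments, function names and forwarding detection are constructed here.
"""
import re

# unbound.conf(5): "Default is yes" when the option is absent.
UNBOUND_DEFAULT_QNAME_MINIMISATION = True

_OPT = re.compile(r"^\s*qname-minimisation:\s*(yes|no)\s*$", re.IGNORECASE)
_FWD = re.compile(r"^\s*forward-(addr|host):", re.IGNORECASE | re.MULTILINE)


def render_qname_minimisation_current(ui_enabled: bool) -> list[str]:
    """Behaviour described in the report: emit the line only when the UI
    checkbox is ticked; when unticked, emit nothing (Unbound default wins)."""
    return ["qname-minimisation: yes"] if ui_enabled else []


def render_qname_minimisation_proposed(ui_enabled: bool) -> list[str]:
    """Proposed fix: always emit an explicit yes/no so the UI state, not the
    daemon default, decides the effective setting."""
    return [f"qname-minimisation: {'yes' if ui_enabled else 'no'}"]


def effective_qname_minimisation(conf_text: str) -> bool:
    """What Unbound will actually do for this config: the last explicit
    setting wins; with no setting at all the compiled-in default applies."""
    value = UNBOUND_DEFAULT_QNAME_MINIMISATION
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _OPT.match(line)
        if m:
            value = m.group(1).lower() == "yes"
    return value


def is_forwarding(conf_text: str) -> bool:
    """Constructed check: any forward-addr/forward-host line means Unbound
    hands queries to an upstream forwarder instead of recursing itself."""
    return _FWD.search(conf_text) is not None


def build_config(ui_enabled: bool, forwarding: bool,
                 proposed: bool = True) -> tuple[str, list[str]]:
    """Render a minimal unbound.conf in the shape pfSense writes (constructed)
    and return it with any warnings the suggested UI logic would raise."""
    render = (render_qname_minimisation_proposed if proposed
              else render_qname_minimisation_current)
    lines = ["server:", "    interface: 127.0.0.1", "    harden-glue: yes"]
    lines += ["    " + opt for opt in render(ui_enabled)]
    if forwarding:
        # 192.0.2.53 is an RFC 5737 documentation address, a placeholder.
        lines += ["forward-zone:", '    name: "."', "    forward-addr: 192.0.2.53"]
    conf = "\n".join(lines) + "\n"

    warnings = []
    # Warn on the *effective* value, so the current omit-the-line behaviour
    # also trips it: the box is unticked yet minimisation is really on.
    if is_forwarding(conf) and effective_qname_minimisation(conf):
        warnings.append("qname-minimisation is in effect but Unbound forwards "
                        "all queries upstream; it is not useful in forwarding "
                        "mode (see Quad9 forwarder best practices).")
    return conf, warnings


if __name__ == "__main__":
    for proposed in (False, True):
        conf, warns = build_config(ui_enabled=False, forwarding=True,
                                   proposed=proposed)
        label = "proposed fix" if proposed else "current behaviour"
        print(f"[{label}] UI unticked -> effective qname-minimisation: "
              f"{effective_qname_minimisation(conf)}; warnings: {warns}")
```

Running the block shows the defect directly: with the current behaviour and the checkbox unticked the effective value is still `True`, because nothing in the file overrides Unbound's default; the proposed rendering yields `False`. The same `effective_qname_minimisation()` logic is what a reviewer would want applied to a real generated file before closing the ticket.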