pfSense

For 2.0-RC3 (i386) snapshot of Fri Jul 15 19:39:23 EDT 2011

The dynamic entries being written to /etc/hosts on a pfsense box always have the domainname of the pfsense box itself. The DHCP configuration's "domain name" setting (the domain that dhcpd is telling the clients that they are in) is being disregarded.

The reason why this is high priority is because the only possible workaround to this problem is to give the pfsense box the same domain name as the dhcp clients. But doing such a thing can cause (in my case /will/ cause) the pfsense box to DOS itself.

In my case the domain that the clients are in has (e.g.) a directory server to which they connect and in which they are registered. The pfsense gui has no facility for configuring dnsmasq's srv-host= option. The gui also does not allow leading underscores, so _ldap. etc can't be set up individually either. With these two avenues blocked, the only route left open for configuration via the pfsense gui is to setup the other host as authoritative for all records of the domain.

So then: When an lookup comes in, and dnsmasq doesn't find it in hosts (or whatever), it passes the request the other host. Since that host will not find it, it comes back to the to the pfsense box as another lookup, and back it goes, and so on in an endless loop. The pfsense box will eventually run out of file descriptors.

In the long term pfsense should make dnsmasq's srv-host= configurable. In the medium term it should also stop second guessing user intentions (e.g. about what hostnames have to look like). But please fix the incorrect writes to /etc/hosts before 2.0 goes final.