Bug #4716 (closed)
"DNS Resolver" lacks SOA for ".local" domain setups
Description
It turns out pfSense does not set up the local domain configured under "General Setup" ==> "domain" as SOA. Instead pfSense currently only sets it up as transparent in "/var/unbound/host_entries.conf":
local-zone: "MyDomain.Local" transparent
local-data-ptr: "127.0.0.1 localhost"
[...]
Due to this fact, in most scenarios the local domain lacks an SOA, which means it is a mostly working, but still unfinished, setup of a local domain.
In addition to this lack, it currently also causes ".local" domains not being resolved by Apple devices; instead they start to look for mDNS via multicast. This is not due to a bad decision by Apple, it rather is the RFC 6762 standard (http://en.wikipedia.org/wiki/.local and http://tools.ietf.org/html/rfc6762) which Apple respects and others don't yet. So one can expect more and more devices to follow this standard in future. Nevertheless this does not mean ".local" is a bad decision to use as your personal local domain for your networks. If someone says this, it is simply false information. It will only cause trouble if ".local" is not set up as SOA. So if you want to use the special ".local" domain as your local TLD, then make sure you set ".local" up as your SOA, and you also have to make sure NOT to use ".local" as your "search-domain", e.g. via DHCP or static IP setups. This article also describes the solution: https://support.apple.com/de-de/HT204684
So for pfSense to close this bug in line with RFC 6762, "DNS Resolver" needs an option to set the local domain either as "transparent (default)" or as "static (SOA)". Personally I have "MyDomain.Local" in "General Setup", so it would automatically set up something like "pfSense-02.MyDomain.Local". But it did not help to set up "MyDomain.Local" as SOA; instead I needed to set up ONLY the last part, ".local", as SOA for it to work completely. This change in the "/var/unbound/host_entries.conf" file solves the current problem of "DNS Resolver":
#local-zone: "MyDomain.Local" transparent
#local-data-ptr: "127.0.0.1 localhost"
local-zone: "Local." static
local-data: "Local. 10800 IN NS Local."
local-data: "Local. 10800 IN SOA Local. AdminMailUser.MailDomain. 1 3600 1200 604800 10800"
local-data: "Local. 10800 IN A 192.168.10.1"
local-zone: "10.168.192.in-addr.arpa." static
local-data: "10.168.192.in-addr.arpa. 10800 IN NS Local."
local-data: "10.168.192.in-addr.arpa. 10800 IN SOA Local. AdminMailUser.MailDomain. 2 3600 1200 604800 10800"
local-data: "1.10.168.192.in-addr.arpa. 10800 IN PTR Local."
[...] CUT [...]
From my point of understanding, NO authoritative DNS server like bind(8) is required, since unbound(8) does the job perfectly fine with the slight change shown above. For a more detailed description, please have a look at the corresponding topic in the pfSense forum: https://forum.pfsense.org/index.php?topic=93855.msg522071
My suggested solution would be (estimated max. 3h of work):
Add an HTML bullet choice, Transparent localdomain (default) or Create SOA of localdomain, on the "DNS Resolver" main setup page.
If Transparent localdomain (default) is chosen, then operate as e.g. pfSense 2.2.2-RELEASE currently already does.
If Create SOA of localdomain has been chosen, then it should offer a little text box below the bullet choice, pre-filled with the default local domain previously configured in "General Setup". This way people can reduce the default local domain "MyDomain.Local" to e.g. only "local" in the text box. The resulting output should be something like what is demonstrated by my "/var/unbound/host_entries.conf" example above.
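As an added illustration of the proposed option (example code, not pfSense's own), a small generator that emits either of the two host_entries.conf variants described above from the local domain, the chosen mode and the router address. The admin mailbox name, TTL and SOA timers are copied from the report's example; the router IP 192.168.10.1 and a /24 reverse zone are assumptions.

```python
import ipaddress

TTL = 10800
# refresh retry expire minimum, exactly as in the report's SOA records
SOA_TIMERS = "3600 1200 604800 10800"


def reverse_zone(ip: str) -> str:
    """/24 reverse zone for an IPv4 address: 192.168.10.1 -> 10.168.192.in-addr.arpa."""
    o = ipaddress.IPv4Address(ip).exploded.split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def ptr_name(ip: str) -> str:
    """Full PTR owner name: 192.168.10.1 -> 1.10.168.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def host_entries(domain: str, router_ip: str, mode: str = "transparent",
                 admin: str = "AdminMailUser.MailDomain.", serial: int = 1) -> str:
    """Return the unbound local-zone/local-data fragment for the chosen mode."""
    if mode == "transparent":
        # current pfSense behaviour: zone exists but carries no SOA
        return (f'local-zone: "{domain}" transparent\n'
                'local-data-ptr: "127.0.0.1 localhost"\n')
    if mode != "static":
        raise ValueError(f"unknown mode {mode!r}")
    zone = domain.rstrip(".") + "."          # unbound wants a fully qualified owner
    rev = reverse_zone(router_ip)
    lines = [
        f'local-zone: "{zone}" static',
        f'local-data: "{zone} {TTL} IN NS {zone}"',
        f'local-data: "{zone} {TTL} IN SOA {zone} {admin} {serial} {SOA_TIMERS}"',
        f'local-data: "{zone} {TTL} IN A {router_ip}"',
        f'local-zone: "{rev}" static',
        f'local-data: "{rev} {TTL} IN NS {zone}"',
        f'local-data: "{rev} {TTL} IN SOA {zone} {admin} {serial + 1} {SOA_TIMERS}"',
        f'local-data: "{ptr_name(router_ip)} {TTL} IN PTR {zone}"',
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # "MyDomain.Local" reduced to just "Local", as the report describes
    print(host_entries("Local", "192.168.10.1", mode="static"))
```

After writing the fragment, `unbound-checkconf` validates the syntax and `dig SOA local. @<resolver>` confirms the zone now answers with an SOA instead of falling through.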