Bug #6466 (closed): Host overrides do not appear to work with DNS Resolver in forwarding mode
Description
I have a dedicated pfSense VM set up as a DNS server with packet filtering disabled and only one NIC, and I'm trying to use the newer DNS Resolver.
The attached overrides only seem to work if used with DNS Forwarder. If I use the same overrides with DNS Resolver, they don't appear to be used. I can confirm this easily by performing a Google search with these overrides in place and then checking to see if SafeSearch is enabled in Google. This currently only works with the DNS Forwarder service.
I am not sure if my atypical setup (1 NIC, PF disabled) causes Unbound to behave oddly with my specific configuration, or if the issue is bigger.
To recreate: see attached and test with both DNS Resolver (broken) and DNS Forwarder (working).
Updated by Marco Novielli over 8 years ago
I am using 2.3.1-RELEASE-p1 on SG-2440.
Updated by Phillip Davis over 8 years ago
Did you put the host overrides into the DNS Resolver section?
Resolver won't use the Host Overrides from the DNS Forwarder section.
Updated by Chris Buechler over 8 years ago
- Status changed from New to Not a Bug
- Target version deleted (2.3.1-p2)
What Phil said is exactly what I was writing when he posted it. Forwarder's overrides are for it only, Resolver's for it only. Forwarder won't resolve Resolver's overrides and vice versa, by design.
Updated by Phillip Davis over 8 years ago
I have thought about putting a button to copy all overrides from Forwarder into Resolver (and vice-versa). It is particularly a pest when a system has been using forwarder for years, and you decide to change to resolver, and you just want to copy the overrides (host and/or domain) into resolver.
Updated by Marco Novielli over 8 years ago
Sorry - I should have been more clear: yes I put the overrides under the proper section under DNS Resolver. I have them in both sections so I can quickly toggle back and forth for testing. I would request that this be looked into.
Updated by Marco Novielli over 8 years ago
Shows the configured host override section. I have resolver disabled right now, but it was definitely checked and DNS Forwarder disabled while I was doing my testing.
Updated by Marco Novielli over 8 years ago
Strange - just did a test to override ca.yahoo.com to point to my local server and it is working. Now testing SafeSearch and it is working too. Sigh - dumb user error I guess...
I do notice that applying any changes to DNS resolver config seems to take a long time to apply.
Updated by Stephen Switzer over 8 years ago
- File DNS Resolver.png added
- File Firewall System info.png added
I'm having a similar issue. I just upgraded from a 2.2.x revision and have been unable to get the resolver to work. I just went back to forwarder since many services were failing internally - pfSense is my internal DNS server with all hosts resolved by it.
I've attached the configuration screen and system information. I have a 100MiB /var, and I discovered today that it was full... so I bumped it up to 250MiB and rebooted. This didn't help. I added some hosts, changed existing hosts, no change. I looked at the raw configuration file, and I noticed that the host_entries.conf file is void of all the host overrides that I set:
[2.3.1-RELEASE][root@firewall.sbsllc.local]/root: cat /var/unbound/host_entries.conf
local-zone: "sbsllc.local" transparent
local-data-ptr: "127.0.0.1 localhost"
local-data: "localhost A 127.0.0.1"
local-data: "localhost.sbsllc.local A 127.0.0.1"
local-data-ptr: "::1 localhost"
local-data: "localhost AAAA ::1"
local-data: "localhost.sbsllc.local AAAA ::1"
local-data-ptr: "172.18.22.2 firewall.sbsllc.local"
local-data: "firewall.sbsllc.local A 172.18.22.2"
local-data: "firewall A 172.18.22.2"
I've looked at /var/log/nginx-error.log and it is 0 bytes. I'm not sure where else to look, but this was working for a few months (since resolver came out) and failed Wed night after my upgrade to 2.3.1. I have applied the p5 update in hopes that it was noticed and fixed... but not here. Anything else that I can check to see why this isn't working for me?
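As an added illustration (not part of this thread or of pfSense itself), the following Python checker parses a host_entries.conf in the format shown in the listing above and reports which configured host overrides are missing from it, which is the symptom Stephen describes. The embedded configuration is a constructed sample in the shape of that listing, and the "nas" host used in the test is a hypothetical override.

```python
import re

# Constructed sample in the shape of the host_entries.conf listing above
# (not the reporter's actual file).
SAMPLE_CONF = """\
local-zone: "sbsllc.local" transparent
local-data-ptr: "127.0.0.1 localhost"
local-data: "localhost A 127.0.0.1"
local-data: "localhost.sbsllc.local A 127.0.0.1"
local-data-ptr: "172.18.22.2 firewall.sbsllc.local"
local-data: "firewall.sbsllc.local A 172.18.22.2"
local-data: "firewall A 172.18.22.2"
"""

# One Unbound directive per line: keyword, quoted body, optional trailing zone type.
LINE_RE = re.compile(r'^(local-data-ptr|local-data|local-zone):\s*"([^"]*)"(?:\s+(\S+))?\s*$')


def parse_host_entries(text):
    """Return (zones, records, ptrs): zone -> type, (name, rtype) -> {values}, ip -> name."""
    zones, records, ptrs = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        kind, body, zone_type = m.groups()
        if kind == "local-zone":
            zones[body.rstrip(".")] = zone_type
        elif kind == "local-data":
            name, rtype, value = body.split()
            records.setdefault((name.rstrip("."), rtype.upper()), set()).add(value)
        else:  # local-data-ptr: "<ip> <name>"
            ip, name = body.split()
            ptrs[ip] = name.rstrip(".")
    return zones, records, ptrs


def missing_overrides(conf_text, overrides):
    """overrides: [(host, domain, ip)]. Return the forward/reverse lines the file lacks."""
    _zones, records, ptrs = parse_host_entries(conf_text)
    missing = []
    for host, domain, ip in overrides:
        fqdn = f"{host}.{domain}"
        if ip not in records.get((fqdn, "A"), set()):
            missing.append(f'local-data: "{fqdn} A {ip}"')
        if ptrs.get(ip) != fqdn:
            missing.append(f'local-data-ptr: "{ip} {fqdn}"')
    return missing
```

To check a live box, pass the contents of /var/unbound/host_entries.conf to missing_overrides together with the overrides configured under the DNS Resolver section (Forwarder overrides are not written to this file, as Phil and Chris note above).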