
I am in the process of setting up pfSense as a firewall/router. I want it to run DNS Resolver so I can use pfblockerng.

I have configured 2 public DNS servers using the default gateway to get out. DNS Resolver is configured in forwarding mode.

Eventually, I'll set up an outgoing VPN and all other traffic going to the DSL router will be blocked. VPN down? No internet, no DNS, nothing.

In my queries (tcpdump on my internet router) I see my internal domain name being appended to queries, even valid ones that resolve fine.

Example: from the pfSense DNS lookup check (Diagnostics menu) I type google.com and I see this:

12:40:48.255156 IP (tos 0x0, ttl 64, id 30637, offset 0, flags [none], proto UDP (17), length 45)
    192.168.1.1.49038 > 84.200.69.80.53: [udp sum ok] 60481+ NS? . (17)
12:40:48.284198 IP (tos 0x0, ttl 64, id 8247, offset 0, flags [none], proto UDP (17), length 45)
    192.168.1.1.4642 > 84.200.70.40.53: [udp sum ok] 52602+ NS? . (17)
12:40:48.313250 IP (tos 0x0, ttl 64, id 15226, offset 0, flags [none], proto UDP (17), length 67)
    192.168.1.1.17078 > 84.200.69.80.53: [udp sum ok] 51473+ [1au] A? google.com. ar: . OPT UDPsize=4096 OK (39)
12:40:48.341439 IP (tos 0x0, ttl 64, id 24297, offset 0, flags [none], proto UDP (17), length 67)
    192.168.1.1.60070 > 84.200.69.80.53: [udp sum ok] 41295+ [1au] AAAA? google.com. ar: . OPT UDPsize=4096 OK (39)
12:40:48.368481 IP (tos 0x0, ttl 64, id 17792, offset 0, flags [none], proto UDP (17), length 67)
    192.168.1.1.7038 > 84.200.70.40.53: [udp sum ok] 38162+ [1au] CNAME? google.com. ar: . OPT UDPsize=4096 OK (39)
12:40:48.404360 IP (tos 0x0, ttl 64, id 37382, offset 0, flags [none], proto UDP (17), length 81)
    192.168.1.1.13371 > 84.200.69.80.53: [udp sum ok] 3273+ CNAME? google.com.internal.mydomain.com. (53)

The "mydomain.com" is a registered domain under my control, publicly available. I registered and use internal.mydomain.com exclusively on my LAN.

Eventually, pfSense needs to do DHCP too, and I want it to resolve local LAN hosts in *.internal.mydomain.com.

Basically, I never, ever want "internal.mydomain.com" to be appended to public queries. In fact, it should never be appended to any query, ever. Can I disable this "feature"? Who wants to append local domain suffixes to DNS queries ending with a valid TLD anyway? Append it to a query "johns-pc" or "hplaserjetii", but not to "google.com".

Second basically, pfSense/unbound should keep queries for "*.internal.mydomain.com" to itself and never send them out, since these are only local hosts on the LAN it is providing DHCP for. Other queries for *.mydomain.com should go out though, just exclude "internal.mydomain.com".

Who can help me set this up properly?

Many thanks in advance!

phd68lnx

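As an added example (not part of the original post), a small check that can be run over `tcpdump -v` output like the capture above to find exactly the two symptoms described: queries for the private zone that left for an outside resolver, and public names that had the search domain appended. The sample records are constructed to mirror the quoted lines, and the LAN prefix 192.168.1.0/24 and the zone name internal.mydomain.com are assumptions taken from the post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the tcpdump -v lines quoted in the post
SAMPLE = """\
12:40:48.368481 IP (tos 0x0, ttl 64, id 17792, offset 0, flags [none], proto UDP (17), length 67)
    192.168.1.1.7038 > 84.200.70.40.53: [udp sum ok] 38162+ [1au] CNAME? google.com. ar: . OPT UDPsize=4096 OK (39)
12:40:48.404360 IP (tos 0x0, ttl 64, id 37382, offset 0, flags [none], proto UDP (17), length 81)
    192.168.1.1.13371 > 84.200.69.80.53: [udp sum ok] 3273+ CNAME? google.com.internal.mydomain.com. (53)
12:41:02.100000 IP (tos 0x0, ttl 64, id 101, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.50.5353 > 192.168.1.1.53: [udp sum ok] 1234+ A? johns-pc.internal.mydomain.com. (32)
"""
# Second line of each record: "src.port > dst.53: [udp sum ok] ID+ [1au] QTYPE? qname."
QUERY_RE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.53: "
    r".*?\d+\+ (?:\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

def parse_queries(text):
    """Return (src, dst, qtype, qname) for each query line; qname lowercased, trailing dot removed."""
    found = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            found.append((m["src"], m["dst"], m["qtype"], m["qname"].rstrip(".").lower()))
    return found

def leaked_private_queries(text, private_suffix="internal.mydomain.com", local_nets=("192.168.1.0/24",)):
    """Queries for the private zone that went to a resolver outside local_nets (assumed LAN prefix)."""
    nets = [ip_network(n) for n in local_nets]
    suffix = private_suffix.lower()
    leaks = []
    for _src, dst, qtype, qname in parse_queries(text):
        if qname != suffix and not qname.endswith("." + suffix):
            continue
        if any(ip_address(dst) in n for n in nets):
            continue  # stayed with the local resolver, as intended
        leaks.append((dst, qtype, qname))
    return leaks

def suffixed_public_names(text, private_suffix="internal.mydomain.com"):
    """Names where the search domain was appended to something that already looked like an FQDN."""
    suffix = "." + private_suffix.lower()
    hits = set()
    for _src, _dst, _qtype, qname in parse_queries(text):
        if qname.endswith(suffix):
            head = qname[: -len(suffix)]
            if "." in head:  # "google.com" + suffix is a leak, "johns-pc" + suffix is expected
                hits.add(head)
    return sorted(hits)
```

Feed it the real capture (`tcpdump -nv -i <wan> udp port 53`) instead of SAMPLE to confirm the leak is gone after reconfiguring the resolver.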