pfSense DNS Resolver and Private IP Ranges

Introduction

I ran into an issue with the Unbound DNS resolver on my pfSense router where FQDNs aliased to private IP address ranges were being cleansed and returned as empty. After some digging into the system logs, it was clear that the Unbound process was sanitizing public DNS entries pointing to private IP address spaces with the following debug message:

sanitize: "removing public name with private address"

Documentation

According to the Unbound documentation, the private-domain option names a domain for which the resolver will allow private IP addresses to be returned. The permission covers that domain and every subdomain beneath it, and the option may be given more than once to cover several domains:

private-domain: <domain name>
        Allow this domain, and all its subdomains to contain private
        addresses. Give multiple times to allow multiple domain names
        to contain private addresses. Default is none.

Solution

Unfortunately, the pfSense web interface does not have a nice front-end for adding these to the configuration. Luckily, under Services/DNS Resolver/General Settings, additional configuration can be added in the Custom options text area.

The following option will allow private addresses to be returned for example.com itself and for any name under it (a separate private-domain line is needed for each additional domain). Keep the list as narrow as possible: the sanitizer that strips these answers is Unbound's protection against DNS rebinding, and this option disables that protection for every name under the listed domain.

server:
private-domain: example.com
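To make the effect of that entry concrete without a live resolver, here is a small model of the sanitizing rule, added as an illustration for this post; it is not Unbound's code and not pfSense's configuration generator. It parses the private-domain lines out of a Custom options text, applies the documented rule (private addresses are stripped from answers unless the queried name is the listed domain or a subdomain of it) to a few constructed answers, and shows that the match is label-aligned, so notexample.com does not inherit the exemption for example.com. The private ranges listed in PRIVATE_ADDRESS are an assumption standing in for whatever private-address entries your own unbound.conf carries.

```python
"""Model of Unbound's private-address / private-domain sanitizing.

Constructed illustration, not Unbound's code: it applies the documented
rule (strip private addresses from answers for public names unless the
name falls under a private-domain) to hand-made answers so the effect of
the pfSense Custom options entry can be seen offline.
"""
import ipaddress

# Assumption: the ranges a pfSense-style resolver treats as private.
# Adjust to match the private-address entries in your own unbound.conf.
PRIVATE_ADDRESS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
        "fd00::/8", "fe80::/10",
    )
]


def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def under_domain(name, domain):
    """True if name equals domain or is a subdomain of it.

    The comparison is label-aligned, so notexample.com is NOT under
    example.com even though it ends with the same characters.
    """
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d


def is_private(addr):
    """True if addr falls inside any configured private-address range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_ADDRESS)


def sanitize(name, addrs, private_domains=()):
    """Return (kept, removed) address lists for an answer to `name`.

    Names under a private-domain keep everything; any other name has its
    private addresses removed, which is the rebinding protection the
    log line "removing public name with private address" reports.
    """
    if any(under_domain(name, d) for d in private_domains):
        return list(addrs), []
    kept = [a for a in addrs if not is_private(a)]
    removed = [a for a in addrs if is_private(a)]
    return kept, removed


def parse_private_domains(custom_options):
    """Pull private-domain values out of a pfSense Custom options text."""
    domains = []
    for line in custom_options.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith("private-domain:"):
            domains.append(line.split(":", 1)[1].strip().strip('"'))
    return domains


# Constructed Custom options text, matching the entry shown above.
CUSTOM_OPTIONS = """\
server:
private-domain: example.com
"""

if __name__ == "__main__":
    doms = parse_private_domains(CUSTOM_OPTIONS)
    # Constructed answers: one exempted name, one look-alike, one IPv6 ULA.
    for qname, answer in [
        ("nas.example.com", ["192.168.1.10"]),
        ("www.notexample.com", ["10.0.0.5", "203.0.113.7"]),
        ("rebind.test", ["fd00::1"]),
    ]:
        kept, removed = sanitize(qname, answer, doms)
        print(f"{qname}: kept={kept} removed={removed}")
```

Running it shows nas.example.com keeping its 192.168.1.10 answer while the look-alike name and the ULA answer are still stripped, which is the behaviour to expect from the resolver once the Custom options entry is in place.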