[SOLVED] DNS Resolver cannot resolve itself

[Sundial]

I just installed 16.7.r1 from scratch and I am using the DNS Resolver to be the primary DNS for my entire network.  I don't have any other DNS issues but I did notice that OPNSense cannot resolve itself.  In System:Settings:General, I have OPNSense as hostname and mydomain.com as the domain.  When I ask the DNS Resolver to resolve OPNSense.mydomain.com, it cannot.  Most of the installations I manage are a mixture of other products but they all seem to be able to resolve themselves by default.  Adding the firewall as an Override works, but it seems like it should add itself by default.

[Julien]

is your Firewall Virtual or Hardware ? is your hardware facing the internet directly ?
can you ping your firewall name from a connect machine ?

[Sundial]

I'm testing OPNSense on a real production system (a small satellite office)...so real hardware in a simple 1 WAN, 1 LAN setup.  Everything works as expected except the problem I mentioned.  Clients machine can ping firewall via IP address.  Clients can resolve each other but no client can resolve the firewall's DNS name.  If I manually add the firewall as an Overrride, then all is well.  Can you resolve your firewall's name without an override?

[Julien]

yes i can resolve my firewall even ping it with name and ip.
i am behind a active directory and have already created A record for the firewall.

[Tikimotel]

That is because the "/var/unbound/host_entries.conf" does not contain the hostname and ip information.
With a single Network Interface selected in the DNS resolve: General menu --> Network Interfaces. You can fix this by editing the "/usr/local/etc/inc/unbound.inc" file.
Edit lines 515 & 516 from this:

Code: [Select]

    if (isset($config['unbound']['interface'])) {
        $interfaces = explode(",", $config['unbound']['interface']);
into this

Code: [Select]

    if (isset($config['unbound']['active_interface'])) {
        $interfaces = explode(",", $config['unbound']['active_interface']);

After saving the DNS Resolver page a new "/var/unbound/host_entries.conf" will be generated and you can resolve the router itself by hostname.
However this is not "the" fix because when multiple "DNS resolve: General menu --> Network Interfaces" are chosen, this fix does not work. (example LAN and LAN IPv6 Link-local and Localhost, you'll get conflicts in the host_entries.conf)

[Sundial]

Thanks for the info.  I'm more used to other firewall packages like Sophos UTM and pfSense (...this is my first experience with OPNSense).  I've never investigated what they do and how they do it, but they seem to resolve themselves by default.  I don't know how they handle multiple interfaces either.  All of the setups I manage have a simple 1 LAN interface and DNS resolver is only on that 1 interface.

[franco]

Now I'm curious. Can you share a screenshot of your general resolver settings page? Particularly your setup regarding Interfaces and Outbound Interfaces.

[Sundial]

Sure...

Also, just to clarify when I said they have just "1 LAN interface"...I meant they only have 1 LAN (not multiple LANS or any VLANS).  They all clearly have 1 WAN interface too.

[Tikimotel]

With the quickfix, like above and only "LAN" selected

Code: [Select]

local-zone: "home" transparent
local-data-ptr: "127.0.0.1 localhost"
local-data: "localhost A 127.0.0.1"
local-data: "localhost.home A 127.0.0.1"
local-data-ptr: "::1 localhost"
local-data: "localhost AAAA ::1"
local-data: "localhost.home AAAA ::1"
local-data-ptr: "192.168.0.1 OPNsense.home"
local-data: "OPNsense.home A 192.168.0.1"
local-data: "OPNsense A 192.168.0.1"

Now with "LAN; LAN IPv6 Link-local; Localhost"

Code: [Select]

local-zone: "home" transparent
local-data-ptr: "127.0.0.1 localhost"
local-data: "localhost A 127.0.0.1"
local-data: "localhost.home A 127.0.0.1"
local-data-ptr: "::1 localhost"
local-data: "localhost AAAA ::1"
local-data: "localhost.home AAAA ::1"
local-data-ptr: "192.168.0.1 OPNsense.home"
local-data: "OPNsense.home A 192.168.0.1"
local-data: "OPNsense A 192.168.0.1"
local-data: "OPNsense.home AAAA fe80::6a05:caff:fe0f:c59"
local-data: "OPNsense AAAA fe80::6a05:caff:fe0f:c59"
local-data-ptr: "127.0.0.1 OPNsense.home"
local-data: "OPNsense.home A 127.0.0.1" (<--- this is double entry and causes issues)
local-data: "OPNsense A 127.0.0.1" (<--- this is double entry and causes issues)
local-data-ptr: "::1 OPNsense.home"
local-data: "OPNsense.home AAAA 127.0.0.1" (<--- this is double entry and causes issues)
local-data: "OPNsense AAAA 127.0.0.1" (<--- this is double entry and causes issues)
(unbound can not be started!!)

Perhaps a check for the "localhost" selection, or maybe delete "localhost"from the options.

[franco]

What we found was that setting interface or outgoing interfaces can severely hinder operation of unbound due to e.g. Rebind Protection kicking in and non-static interfaces can cause unbound to exit/not respond at all.

I strongly suggest to revert to standards of "all" (or "any", don't know which as I have a different language setting at the moment) and try again.

[Tikimotel]

With "All" selected, opnsense.home is not added to the host_entries.conf file.
So trying to resolve the hostname results in:

Code: [Select]

C:\>nslookup opnsense.home
Server:  UnKnown
Address:  192.168.0.1

*** UnKnown can't find opnsense.home: Non-existent domain

With "LAN and LAN ipv6 link-local" selected, hostname does resolve correctly.

Code: [Select]

C:\>nslookup opnsense.home
Server:  OPNsense.home
Address:  192.168.0.1

Name:    opnsense.home
Addresses:  fe80::6a05:caff:fe0f:c59
          192.168.0.1

C:\>

That is all performed with my quick and dirty fix (interface --> active_interface), but when you also select localhost in the unbound general options page, you'll get double references to localhost and unbound will refuse to start.

So I undid the fix (active_interface --> interface) and tried with interfaces set to "All" and again with "LAN" only.
Both times the generated "host_entries.conf" file won't contain the localhost names to resolve to for the router.

Code: [Select]

C:\>nslookup opnsense.home
Server:  UnKnown
Address:  192.168.0.1

*** UnKnown can't find opnsense.home: Non-existent domain

So I redid my fix (line 519 and 520).
The localhost reference is already statically generated by the lines 504~512 btw.
The choice for "localhost" should be removed in the GUI pull-down menu so a user can not create double entries and have unbound fail to start.

[franco]

I'm starting to look into this (sorry for the delay). Cannot consider this stable at that point, the code needs more love (it always did).

https://github.com/opnsense/core/commit/49e364be6
https://github.com/opnsense/core/commit/0dca6edd3

So I've made link-local automatic and removed the selection there, not sure if needed? Locahost is gone from the selection and "all" now properly iterates.

Feedback please.


Cheers,
Franco

[Tikimotel]

Seems OK, without the "systems.inc" changes.

However when I tried to fetch a raw "systems.inc", it borked out an error at line 1998, "services_dhcpd_configure();" could not be found, but that is called at line 201? Maybe due to other commits?

[franco]

Oh, yes, this one: https://github.com/opnsense/core/commit/835ad1b7

There's opnsense-patch for that now, make sure you are on a good revision:

# pkg install -f opnsense
# opnsense-patch 835ad1b7 49e364be6 0dca6edd3


Cheers,
Franco

[Tikimotel]

This worked