Originally posted in old thread https://forum.opnsense.org/index.php?topic=10180.new#new, but maybe that thread is too old.
---
I followed the instructions at https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin, and am successfully blocking ads for my LAN. However, local DNS DHCP registration no longer works for the local network. For example:
~> nslookup brother.localdomain
Server: 192.168.1.1
Address: 192.168.1.1#53
** server can't find brother.localdomain: NXDOMAIN
If I disable the port forward to BIND (Firewall -> NAT -> Port Forward), then local DNS works fine:
~> nslookup brother.localdomain
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: brother.localdomain
Address: 192.168.1.7
How can I configure OPNSense to use both BIND DNSBL and local DNS DHCP registration?
Did you perform the last step from the HOWTO? This is meant to fix your issue:
Quote: Fixed Unbound Config
When you think your setup runs stable and you still need your Unbound because of local overrides, you can set BIND as your forwarder in Unbound. Just add this to your custom options field:
do-not-query-localhost: no
forward-zone:
name: ,,."
forward-addr: 127.0.0.1@53530
Yes, I did perform the last step with the bizarre quotes in the name parameter, which seem to be a typo, and I tried changing the quotes to normal quotes:
do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530
Screenshot attached.
It seems that all queries are still forwarded by Unbound to BIND. If I turn off the port forward, then machines in .localdomain resolve properly.
Can you explain to me what each of the options do? I've read the documentation (https://nlnetlabs.nl/documentation/unbound/unbound.conf/), but I'm new to DNS configuration and more elaboration would help me understand.
It seems that {name: "."} forwards everything to BIND (running on 127.0.0.1@53530). It seems we need an option to forward everything except for "*.localdomain".
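As an added example (not from the thread or the HOWTO), here is the custom-options snippet written out as a stand-alone Unbound config, assuming the OPNsense system domain is localdomain and BIND listens on 127.0.0.1 port 53530 as above; the host entry is a constructed sample of the kind DHCP registration writes. Unbound answers from local-zone and local-data before it consults any forward-zone, so the static local-zone keeps localdomain names from being sent to BIND at all.

```conf
# Added example, not the HOWTO's or OPNsense's own configuration.
server:
  # Let Unbound send queries to a resolver on localhost (BIND on 53530).
  do-not-query-localhost: no
  # Names under localdomain. are answered only from Unbound's own
  # local-data (where OPNsense places DHCP registrations); a name with no
  # local-data entry gets NXDOMAIN instead of being forwarded to BIND.
  local-zone: "localdomain." static
  # Constructed sample entry, as DHCP registration would create it.
  local-data: "brother.localdomain. IN A 192.168.1.7"

forward-zone:
  # "." catches every name that no more specific zone has claimed.
  name: "."
  forward-addr: 127.0.0.1@53530
```

This only governs queries that actually reach Unbound: a NAT port forward that redirects LAN port-53 traffic straight to BIND, as in the HOWTO, bypasses Unbound and this local-zone entirely.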
Maybe try to install the Unbound DNSBL plugin.
via console
pkg install os-unbound-plus-devel
That worked, thanks ArminF!
As a bonus, BIND DNS is no longer needed.
One problem with Unbound DNSBL is that log files aren't exposed in the plugin yet, so if a site is blocked, it's difficult to find out what site was blocked.