OPNsense Forum

English Forums => General Discussion => Topic started by: myradon on April 18, 2020, 04:24:15 pm

Title: [solved] Unbound returns IPs of all interfaces OPNsense
Post by: myradon on April 18, 2020, 04:24:15 pm

Hi guys,

I moved from pfSense to OPNsense. Was on my list forever and now was the time cause there is a huge bug in pfSense 2.4.5 since several weeks that makes it totally unresponsive. That said;

I have setup Unbound and it works But have a big problem with the returned results for querying OPNsense itself. My system has 4 different subnets. When a client queries FQDN of OPNsense it returns all records of all interfaces. Now first record is other subnet so it doesn't work/ is very slow. When I configure Unbound to only listen on interface the client-computer is one it off course works.

The results;

Code: [Select]

mercury:~ raymond$ sudo killall -HUP mDNSResponder
mercury:~ raymond$ nslookup opnsense
Server: 192.168.130.129
Address: 192.168.130.129#53
Name: opnsense.myradon.net
Address: 192.168.132.1
Name: opnsense.myradon.net
Address: 192.168.130.129
Name: opnsense.myradon.net
Address: 192.168.133.129
Name: opnsense.myradon.net
Address: 192.168.131.129

How can I configure Unbound it returns only the A-record on the interface query is coming from?

Title: Re: Unbound returns IPs of all interfaces OPNsense
Post by: stefanpf on April 18, 2020, 05:45:23 pm

It could Work with a view  that's bound to a subnet via acl.
Here you found an example (the post ist German, but the code should be clear)
https://forum.opnsense.org/index.php?topic=12557.msg57830#msg57830

Title: Re: Unbound returns IPs of all interfaces OPNsense
Post by: myradon on April 18, 2020, 06:49:02 pm

@stefanpf Thanks a lot! It works great  :)

Maybe for someone else comes in handy; Add to field "Custom options";

Code: [Select]

#Access control for remote IP Range
access-control-view: 192.168.130.128/25 bridgelan
access-control-view: 192.168.131.128/29 wirelessguest
access-control-view: 192.168.132.1/24 bridgeiot
access-control-view: 192.168.133.128/29 dmz

#View to return for external range only defined ip for firewall, assumed 192.168.100.254 is the IP of opnsense
view:
    name: "bridgelan"
    local-zone: "myradon.net" transparent
    local-data: "opnsense.myradon.net A 192.168.130.129"
    local-data: "opnsense A 192.168.130.129"
    #view-first Unbound will try to use the view’s local-zone tree, and if there is no match it will search the global tree.
    view-first: yes

view:
    name: "wirelessguest"
    local-zone: "myradon.net" transparent
    local-data: "opnsense.myradon.net A 192.168.131.129"
    local-data: "opnsense A 192.168.131.129"
    #view-first Unbound will try to use the view’s local-zone tree, and if there is no match it will search the global tree.
    view-first: yes

view:
    name: "bridgeiot"
    local-zone: "myradon.net" transparent
    local-data: "opnsense.myradon.net A 192.168.132.1"
    local-data: "opnsense A 192.168.132.1"
    #view-first Unbound will try to use the view’s local-zone tree, and if there is no match it will search the global tree.
    view-first: yes

view:
    name: "dmz"
    local-zone: "myradon.net" transparent
    local-data: "opnsense.myradon.net A 192.168.133.129"
    local-data: "opnsense A 192.168.133.129"
    #view-first Unbound will try to use the view’s local-zone tree, and if there is no match it will search the global tree.
    view-first: yes