Hi all,
while discussing general BIND setup in this thread:
https://forum.opnsense.org/index.php?topic=21527.0
@thefrisianclause referred to the BIND plugin documentation which contains this part:
Quote: When you are using Overrides in Unbound you can not use do-not-query-localhost. Please remove the line and let Bind listen to your LAN IP with port 53530 instead of localhost. After this you can set the LAN IP in forward-addr.
See screenshot for the complete context.
My question: I was not aware of that restriction and I use "do-not-query-localhost: no" and a lot of overrides without noticeable problems. Am I missing something or is the documentation not accurate?
BTW: I am not using the deprecated "Custom Options" in Unbound but a separate config file as recommended.
Thanks
Patrick
Quote from: pmhausen on February 16, 2021, 12:48:26 PM
BTW: I am not using the deprecated "Custom Options" in Unbound but a separate config file as recommended.
Thanks
Patrick
Hi, could you explain how you do that? Which config file?
Thanks.
https://forum.opnsense.org/index.php?topic=21527.msg101196#msg101196
I have a few Unbound options which I load through "custom options" (I don't use BIND):
server:
    tls-cert-bundle: /etc/ssl/cert.pem
    harden-glue: yes
    use-caps-for-id: yes
    so-rcvbuf: 1m
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.2@853#cloudflare-dns.com
Since last year they are saying that at some point they will remove that section, and are you saying that I can create a custom config file to do the same?
Thanks.
sorry for OT, but harden-glue is not necessary
https://redmine.pfsense.org/issues/4402
Quote from: hushcoden on February 19, 2021, 07:31:51 PM
Since last year they are saying that at some point they will remove that section, and are you saying that I can create a custom config file to do the same?
Yes of course. Put a file named "X-whatever-suits-your-fancy.conf" into
/var/unbound/etc as I repeatedly wrote or linked to and that's that.
It's the official documented way now:
https://docs.opnsense.org/manual/unbound.html#advanced-configurations
Now could anyone try to answer my question? What about overrides and do-not-query-localhost?
If there are really technical reasons not to use them in combination, I have to reconsider my entire setup. Reason why I want BIND on 127.0.0.1: whenever a physical interface goes down, e.g. because I update my switch or my ISP router and reboot them, BIND stops listening on that interface. So I lose DNS until I manually restart BIND ...
The note was added by @mimugmail and @franco in this commit:
https://github.com/opnsense/docs/commit/39858a27b0ee97ef0d477d4df35b642c29e5c3d9#diff-5d4817cb52f5d4f439d854fc1286ca198cb6018c4c822380e5503250f420644e
What's the reasoning behind this? Please?
Looking at that commit and going down the rabbit hole, you'll find that it was the result of this bug report:
https://github.com/opnsense/docs/issues/137
Which was the result of this forum thread:
https://forum.opnsense.org/index.php?topic=10180
From what I can see, what was actually wrong with their custom options (and the documentation) is the missing 'server:' line. Which puts 'do-not-query-localhost' outside of the server clause and causes a syntax error. Not having overrides probably did put it inside the server clause by pure chance.
It seems they didn't figure this out. So instead of just adding the 'server:' line to the custom options example in the documentation, this paragraph was added. Which is most likely BS.
Plausible?
Maurice
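As an added illustration of Maurice's point and of the two Unbound fragments in this thread (example code written for this page, not from the thread's posters, OPNsense or the Unbound project): a small Python checker that parses an Unbound-style config fragment, flags any directive that appears before a clause header (the missing 'server:' case, which unbound-checkconf rejects as a syntax error), and, for the setup pmhausen describes, warns when a forward-addr points at a loopback address while do-not-query-localhost is not set to "no" in the server clause. The parser mimics Unbound's clause/directive layout, including the fact that a '#' inside a value such as 9.9.9.9@853#dns.quad9.net is a TLS auth name and not a comment; the config samples are constructed for the example, except THREAD_CONF, which is hushcoden's snippet as posted above.

```python
import ipaddress
import re

# Constructed: pmhausen-style setup with BIND on loopback, correctly placed
# under 'server:' so do-not-query-localhost applies.
GOOD_CONF = """\
server:
    do-not-query-localhost: no
    harden-glue: yes
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@53530
"""

# Constructed: same directives with the 'server:' header missing, so the
# first line sits outside any clause (the documentation bug Maurice describes).
BAD_CONF = """\
do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@53530
"""

# hushcoden's snippet from the thread: starts with 'server:', no loopback upstream.
THREAD_CONF = """\
server:
    tls-cert-bundle: /etc/ssl/cert.pem
    harden-glue: yes
    use-caps-for-id: yes
    so-rcvbuf: 1m
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.2@853#cloudflare-dns.com
"""

CLAUSE_RE = re.compile(r"^([a-z0-9-]+):\s*$")          # e.g. 'server:'
DIRECTIVE_RE = re.compile(r"^([a-z0-9-]+):\s*(.+)$")    # e.g. 'harden-glue: yes'
# A '#' only starts a comment at line start or after whitespace; inside a token
# (9.9.9.9@853#dns.quad9.net) it is part of the value.
COMMENT_RE = re.compile(r"(^|\s)#.*$")


def parse_unbound(text):
    """Return a list of (clause, key, value, lineno) tuples.

    clause is None for a directive that appears before any clause header.
    """
    entries = []
    clause = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        m = CLAUSE_RE.match(line)
        if m:
            clause = m.group(1)
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            entries.append((clause, m.group(1), m.group(2).strip(), lineno))
    return entries


def is_loopback_upstream(value):
    """True if an address value like '127.0.0.1@53530' or '::1@53' is loopback."""
    host = value.split("#", 1)[0].rsplit("@", 1)[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def lint(text):
    """Return a list of human-readable problems found in the fragment."""
    problems = []
    entries = parse_unbound(text)
    server_opts = {k: v for c, k, v, _ in entries if c == "server"}
    allow_localhost = server_opts.get("do-not-query-localhost", "yes") == "no"
    for clause, key, value, lineno in entries:
        if clause is None:
            problems.append(
                f"line {lineno}: '{key}' appears before any clause header; "
                f"add a 'server:' line above it")
        if key in ("forward-addr", "stub-addr") and is_loopback_upstream(value) \
                and not allow_localhost:
            problems.append(
                f"line {lineno}: '{key}: {value}' targets loopback but the server "
                f"clause does not set 'do-not-query-localhost: no'")
    return problems


if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD_CONF), ("BAD", BAD_CONF), ("THREAD", THREAD_CONF)):
        print(name, lint(conf) or "ok")
```

The real authority for a file dropped into /var/unbound/etc is unbound-checkconf on the box; this checker only shows why the 'server:' header matters and why a loopback forwarder needs do-not-query-localhost: no in that clause.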
Thanks, Maurice! Perfectly reasonable. I could not find anything about this in the Unbound documentation, so I was sceptical from the start. Thanks for reminding me that there are possibly bug tickets linked to commits.