OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: 5SpeedFun on March 13, 2021, 03:11:36 PM

Title: Unbound returning multiple ips for opnsense firewall name
Post by: 5SpeedFun on March 13, 2021, 03:11:36 PM
Hello,

It seems unbound returns multiple IPs when I query the A or AAAA record for "<firewallname>".

Is there a way to prevent this & just return the loopback interface?

The problem this causes is when I go to manage the firewall and it returns the (lan) interface which doesn't have, say, https or ssh bound to it.  In that case my https request/ssh request then fails.  I'd rather just bind the DNS resolution to the loopback interface so it always works.

Currently my work-around is to define a separate dns name for the lo interface, but this causes certificate issues for my browser.

Anyone know the "proper" way to get this working?
Title: Re: Unbound returning multiple ips for opnsense firewall name
Post by: Fright on March 13, 2021, 06:04:43 PM
Hi,
What do you mean by "return the loopback interface"?
Title: Re: Unbound returning multiple ips for opnsense firewall name
Post by: Maurice on March 13, 2021, 06:13:56 PM
When queried for the firewall's hostname, unbound returns the IP addresses of all interfaces it is listening on (default: all). So if you want it to return the addresses of a single interface only, select only that interface in the unbound settings.

Cheers

Maurice
Title: Re: Unbound returning multiple ips for opnsense firewall name
Post by: Fright on March 13, 2021, 06:31:25 PM
Small addition: later you will probably have to add subnets to the access list.
But I still do not really understand the "return the loopback interface" ;)
Title: Re: Unbound returning multiple ips for opnsense firewall name
Post by: 5SpeedFun on March 13, 2021, 08:41:05 PM
What I meant is for my firewall, I want unbound ONLY to return the address of the loopback interface.

Right now my client has 192.168.75.0/24.  The lan interface of my firewall is 192.168.75.253/24

My Lo1 is 192.168.255.253.

If I set unbound to listen on 192.168.255.253 it doesn't resolve anything, not even overrides I have set, let alone recursive queries.  I can ping 192.168.255.253 from a 192.168.75.x address, and I can telnet to the TCP port (yes, I know DNS uses UDP as well, but at least it's also listening on 53/tcp).

If I make it listen on LAN + Lo0, I can use nslookup and query either 192.168.255.253 or 192.168.75.253 and unbound responds on both for both overrides & recursive queries.

Anyone have any ideas?

Title: Re: Unbound returning multiple ips for opnsense firewall name
Post by: Maurice on March 13, 2021, 08:49:19 PM
As @Fright mentioned, you'll have to add manual entries to unbound's access lists. If you want to allow queries from any host, simply add ::/0 and 0.0.0.0/0.
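The setup Maurice and Fright describe, written out as plain unbound.conf directives so the two pieces (single listening address plus an explicit access list) can be seen together. This is an added illustration, not the configuration OPNsense generates; the addresses come from the thread and the hostname fw.example.lan is a placeholder.

```conf
server:
  # Listen only on the Lo1 address from the thread. Unbound answers for the
  # firewall's own hostname with the addresses it listens on, so a single
  # listening address means a single A record in the reply.
  interface: 192.168.255.253
  port: 53

  # Once only Lo1 is selected, the automatic per-interface ACL no longer
  # covers the LAN clients, so their subnet must be allowed explicitly.
  # The thread's permissive alternative is 0.0.0.0/0 and ::/0 allow.
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.255.253/32 allow
  access-control: 192.168.75.0/24 allow
  access-control: 0.0.0.0/0 refuse
  access-control: ::0/0 refuse

  # Host override: the firewall name maps to the management address only
  # (placeholder hostname; unbound creates a transparent local-zone for it).
  local-data: "fw.example.lan. IN A 192.168.255.253"
```

To confirm the result from a LAN host, `dig @192.168.255.253 fw.example.lan A` should return exactly one answer, 192.168.255.253, and a query from a subnet that is not in the access list should be refused rather than time out.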
Title: Re: Unbound returning multiple ips for opnsense firewall name
Post by: 5SpeedFun on March 13, 2021, 11:55:03 PM
Quote from: Maurice on March 13, 2021, 08:49:19 PM
As @Fright mentioned, you'll have to add manual entries to unbound's access lists. If you want to allow queries from any host, simply add ::/0 and 0.0.0.0/0.

I got it.  I didn't know there were ACLs by default & they defaulted to just the interface it was enabled on.

This is working perfectly now, thank you!