I just stumbled across a strange DNS problem, probably related to Unbound DNS.
A customer has to resolve web.impfnachweis.info, which is used by physicians in Germany to issue digital COVID-19 vaccination certificates.
The address resolves fine using public DNS servers:
me@laptop02 ~
$ host web.impfnachweis.info 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
web.impfnachweis.info has address 100.102.17.10
(same result for 1.1.1.1 and 9.9.9.9)
For some reason it does not resolve using Unbound on OPNsense 21.1.6 (tested on three different gateways):
me@laptop02 ~
$ host web.impfnachweis.info 10.42.1.1
Using domain server:
Name: 10.42.1.1
Address: 10.42.1.1#53
Aliases:
whereas it does on Unbound still running OPNsense 21.1.2:
me@laptop02 ~
$ host web.impfnachweis.info 10.70.71.254
Using domain server:
Name: 10.70.71.254
Address: 10.70.71.254#53
Aliases:
web.impfnachweis.info has address 100.102.17.10
So far I have tried restarting Unbound, disabling DNSSEC on the affected gateways and increasing the log level, with no effect and no further insight into what is happening.
Upgrading one of the affected gateways to OPNsense 21.1.7_1 also did not solve the problem.
The problem can easily be solved by defining an override for impfnachweis.info pointing to a public DNS server, but I would be very interested in what is happening here.
Has anybody experienced this and can provide an explanation?
Hi
This is most likely caused by the DNS Rebinding Protection of Unbound, which prevents DNS lookups that resolve to private IP space.
While 100.102.17.10 is not "private" in the sense of RFC1918, 100.64.0.0/12 is a special address range that is reserved for Carrier-grade NAT. See: https://en.wikipedia.org/wiki/Reserved_IP_addresses and https://datatracker.ietf.org/doc/html/rfc6890#section-2.2.2
If you want to configure Unbound to allow it to show "private" IP responses for impfnachweis.info, you can do so under:
Services > Unbound DNS > General > Custom Options
Then add:
server:
private-domain: impfnachweis.info
Hope this helps
EDIT: see the relevant code for unbound in opnsense: https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/unbound.inc
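To make the mechanism in the answer above concrete, here is an added illustration (written for this thread; it is not Unbound's or OPNsense's code) that models how Unbound's private-address / private-domain rebinding protection treats the answer from the first post. The private-address list is an assumption about what OPNsense hands to Unbound; RFC 6598 defines the shared address space used for carrier-grade NAT as 100.64.0.0/10, and the script shows that 100.102.17.10 falls inside it, which is why the answer comes back empty, and that listing impfnachweis.info as a private-domain exempts the name and all of its subdomains.

```python
"""Toy model of Unbound's DNS rebinding protection (private-address and
private-domain). Illustration only, not Unbound's or OPNsense's code."""
import ipaddress
from dataclasses import dataclass, field

# Assumed private-address list, modelled on what OPNsense configures for
# Unbound. Unbound removes any of these addresses from answers for names
# that are not listed under private-domain.
DEFAULT_PRIVATE_ADDRESS = [
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",   # link-local
    "100.64.0.0/10",    # RFC 6598 shared address space (carrier-grade NAT)
    "fd00::/8",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
]


@dataclass
class RebindingPolicy:
    """Holds the private-address ranges and the private-domain allowlist."""
    private_address: list
    private_domain: list = field(default_factory=list)

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(n) for n in self.private_address]
        self._domains = [d.rstrip(".").lower() for d in self.private_domain]

    def is_private(self, addr: str) -> bool:
        """True if addr lies in any configured private-address range."""
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self._nets)

    def is_allowed_domain(self, qname: str) -> bool:
        """private-domain covers the listed name and all its subdomains."""
        q = qname.rstrip(".").lower()
        return any(q == d or q.endswith("." + d) for d in self._domains)

    def filter_answer(self, qname: str, rrset: list) -> list:
        """Return the addresses a client would see for qname.

        For names outside private-domain, every private address is stripped;
        if all addresses were private the client gets an empty answer, which
        is exactly what 'host' showed in the thread (no 'has address' line).
        """
        if self.is_allowed_domain(qname):
            return list(rrset)
        return [a for a in rrset if not self.is_private(a)]


def custom_options(policy: RebindingPolicy) -> str:
    """Render the Unbound 'Custom Options' snippet for the private domains."""
    lines = ["server:"]
    lines += [f"  private-domain: {d}" for d in policy.private_domain]
    return "\n".join(lines)


def demo():
    """Replay the thread: same answer, without and with the private-domain."""
    rrset = ["100.102.17.10"]   # the address the public resolvers returned
    default = RebindingPolicy(DEFAULT_PRIVATE_ADDRESS)
    fixed = RebindingPolicy(DEFAULT_PRIVATE_ADDRESS, ["impfnachweis.info"])
    return (default.filter_answer("web.impfnachweis.info", rrset),
            fixed.filter_answer("web.impfnachweis.info", rrset))


if __name__ == "__main__":
    before, after = demo()
    print("without private-domain:", before)   # []
    print("with private-domain:   ", after)    # ['100.102.17.10']
    print(custom_options(RebindingPolicy(DEFAULT_PRIVATE_ADDRESS,
                                         ["impfnachweis.info"])))
```

The check is purely on the answer's addresses, so disabling DNSSEC or raising the log level, as tried in the first post, has no effect on it; the only levers are the private-address ranges themselves or a private-domain exemption for the affected name.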
That was quick and it does help :)
Entering impfnachweis.info as private domain fixes the problem.
Just because I'm curious: has the behaviour regarding the treatment of carrier-grade NAT addresses in Unbound changed recently?