OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: Tripple_Delta on July 27, 2023, 03:44:35 PM

Title: Unable to resolve local IP
Post by: Tripple_Delta on July 27, 2023, 03:44:35 PM
Hi all,

Setup:
OPNsense 23.1.11-amd64
FreeBSD 13.1-RELEASE-p8
OpenSSL 1.1.1u 30 May 2023

I set up some DNS records at my registrar pointing to local IPs.
After the latest update from OPNsense it looks like I'm unable to resolve local IPs,

Like this:
$ dig A www.google.com
;; ANSWER SECTION:
www.google.com.      98   IN   A   142.250.179.164

$ dig A some local domain name
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> A
;; global options: +cmd
;; no servers could be reached

$ ping 127.0.0.53
PING 127.0.0.53 (127.0.0.53) 56(84) bytes of data.
64 bytes from 127.0.0.53: icmp_seq=1 ttl=64 time=0.040 ms
64 bytes from 127.0.0.53: icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from 127.0.0.53: icmp_seq=3 ttl=64 time=0.057 ms

What am I doing wrong?
Title: Re: Unable to resolve local IP
Post by: CJ on July 27, 2023, 07:44:30 PM
127.0.0.53 is the local DNS cache on your Ubuntu machine. What does your /etc/resolv.conf look like?

Where and how are "some local domain name" configured?
Title: Re: Unable to resolve local IP
Post by: Tripple_Delta on July 27, 2023, 11:36:50 PM
/etc/resolv.conf on the firewall?

The local DNS records are configured with the control panel from my registrar, like firewall, NAS, etc.
Title: Re: Unable to resolve local IP
Post by: Maurice on July 28, 2023, 12:37:02 AM
Does "local IPs" mean private IP addresses (RFC1918 / ULAs)? And you are publishing these in public DNS? That won't work because Unbound removes all private IP addresses from answers it gets from public DNS servers. It's a security feature (rebind protection).
Title: Re: Unable to resolve local IP
Post by: Tripple_Delta on July 28, 2023, 08:00:35 AM
Sorry, indeed private addresses. I've been doing it that way for years. Why is this a security risk?

Always willing to learn, what should be best practice?
Title: Re: Unable to resolve local IP
Post by: Maurice on July 28, 2023, 12:14:11 PM
Rebind protection in Unbound has been there for years, too, although some modifications were made from time to time. Not sure why it worked for you in the past.

Regarding the security risk: https://en.wikipedia.org/wiki/DNS_rebinding
(Not the most detailed and up-to-date explanation, but a good start.)

Best practice is to keep the internal DNS zone (something like intranet.example.com) on an internal DNS server, not a public one.
If you can't or don't want to do that for any reason, you can configure exceptions in Unbound which allow private IP addresses in public DNS records for specific domains.
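To make the behaviour Maurice describes in the two replies above concrete, here is a small model of the rebind-protection check a resolver like Unbound applies: A/AAAA records that point into private address space are stripped from answers for public names, unless the name falls under an explicitly allowed private domain (the unbound.conf `private-domain:` directive). This is example code added for illustration, not the thread's or Unbound's own code; the address ranges, domain names and record data are constructed for the demo.

```python
import ipaddress

# Constructed list of ranges a rebind-protected resolver treats as "private":
# RFC1918, link-local, loopback, IPv6 ULA and link-local. Unbound's own
# private-address list is configured by the operator and may differ.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
    "fd00::/8", "fe80::/10", "::1/128",
)]


def is_private(addr):
    """True if addr (v4 or v6 string) falls inside one of PRIVATE_RANGES."""
    ip = ipaddress.ip_address(addr)
    # 'in' returns False for a version mismatch, so mixing v4/v6 is safe.
    return any(ip in net for net in PRIVATE_RANGES)


def in_private_domain(qname, private_domains):
    """True if qname equals or is a subdomain of an allowed private domain
    (the effect of unbound.conf 'private-domain: "..."')."""
    name = qname.rstrip(".").lower()
    for dom in private_domains:
        dom = dom.rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def filter_answer(qname, rrset, private_domains=()):
    """Apply the rebind-protection rule to one answer.

    rrset is a list of (rrtype, rdata) tuples as returned by an upstream
    server. A/AAAA records with private rdata are dropped unless qname is
    under an allowed private domain; everything else passes through.
    Returns (kept, dropped) so the caller can see what the client would get.
    """
    kept, dropped = [], []
    allowed = in_private_domain(qname, private_domains)
    for rrtype, rdata in rrset:
        if rrtype in ("A", "AAAA") and not allowed and is_private(rdata):
            dropped.append((rrtype, rdata))
        else:
            kept.append((rrtype, rdata))
    return kept, dropped


def unbound_exception_snippet(private_domains):
    """Render the unbound.conf lines that whitelist the given domains for
    private answers (the 'exceptions' mentioned in the thread)."""
    return "\n".join('  private-domain: "%s"' % d for d in private_domains)


if __name__ == "__main__":
    # Constructed sample answers: a public name with a public address, and
    # a registrar-hosted name whose A record points into RFC1918 space.
    print(filter_answer("www.google.com", [("A", "142.250.179.164")]))
    print(filter_answer("nas.example.com", [("A", "192.168.1.20")]))
    # Same private record, but the zone is whitelisted as a private domain.
    print(filter_answer("nas.intranet.example.com", [("A", "192.168.1.20")],
                        ("intranet.example.com",)))
    print(unbound_exception_snippet(["intranet.example.com"]))
```

The second call is the situation from the original post: the registrar returns 192.168.1.20 for a public name, so the resolver hands the client an answer with the A record removed. The third call shows the exception route Maurice mentions; whitelisting a whole zone this way re-opens it to rebinding, which is why keeping the internal zone on an internal DNS server is the preferred option.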
Title: Re: Unable to resolve local IP
Post by: Tripple_Delta on July 28, 2023, 12:21:46 PM
Thanks.

No idea why it suddenly stopped working. I guess after the latest OPNsense update.
Title: Re: Unable to resolve local IP
Post by: Tripple_Delta on July 28, 2023, 12:36:56 PM
Now this is strange.
Even with unbound turned off I can't reach the DNS server to resolve private addresses.
I have to look somewhere else for the cause.
Title: Re: Unable to resolve local IP
Post by: Tripple_Delta on July 28, 2023, 06:11:21 PM
Turns out this has nothing to do with OPNsense. Sorry.