Hi
So i have a ddns domain, lets call it xxx.us.to. it gers updated fine to my ip with the inbuilt ddns client with the afraid.org site.
The problem is that if i try to access it from my network, it does not resolve. From other networks it works fine. From what i can see in the logs, when i try to ping it, unbound searches it as xxx.us.to.home.arpa. why would it think to add my local, nonexistent domain to it? i never told the system that this is my domain. Also, i have another ddns domain that gets updated via same builtin ddnsclient, xxx.nsupdate.info. this one gets resolved just fine...
Anything i can do?
Thanks
Potentially, you have a local machine that has this name and takes its LAN IP via DHCP. Probably, you have set Unbound to use DHCP leases as names, such that locally, the IP gets resolved to the LAN IP?
Or you have a local override?
The router itself is called 'xxx', but not us.to. And it started doing this only after i changed the lan addresses from 192.x to 10.x. yes, i have it set to register dhcp leases,but it had no problem until now
Edit: disabled leases, still the same
I've seen such unbound requests for local hosts with .home.arpa added in the logs and never really understood what was going on in unbound.
What is set in System -> Settings -> General as the Domain?
Well, now i set it to home.arpa. before, itwas something random,like xxdomain. And unbound added that to my us.to. so, whatever i put there gets added. Lol, just had an idea, ill try to put nothing
Edit: it wont let me, i have to put something lol
The Domain was NOT .home.arpa but unbound added it to the search anyway? Correct?
Quote from: cobrax2 on July 13, 2024, 10:08:37 AM
Edit: disabled leases, still the same
That alone will not help. The DNS entry still exists after that in /var/unbound/dhcpleases.conf, you have to delete the entry manually and restart unbound.
Quote from: chemlud on July 13, 2024, 11:19:55 AM
The Domain was NOT .home.arpa but unbound added it to the search anyway? Correct?
No. Whatever domain i set, gets added by unbound. If i set domain 'xxxxx', it gets added.
Quote from: meyergru on July 13, 2024, 11:33:47 AM
Quote from: cobrax2 on July 13, 2024, 10:08:37 AM
Edit: disabled leases, still the same
That alone will not help. The DNS entry still exists after that in /var/unbound/dhcpleases.conf, you have to delete the entry manually and restart unbound.
I have checked the 'flush dns on restart'. That is not enough either?
Also, i would not disable this dhcp names unless i cant find another solution, as this would make it impossible to find a pc in the lan with only its name, right?
I would not say that - the machines in my network simply do not have names within official domains. Actually, they only have the name without any domain suffix. How I make them available from the outside is a completely different story.
Conceptually, these are different, too: Say, for instance, you have a docker VM in your network. All of its services reside on its DMZ IP, which gets referred to by, say "docker". In order to make the services available, you either use port-forwarding or a reverse proxy, which is externally available via a full domain name like 'www.xyz.com".
The mechanism for DHCP leases just creates a DNS entry for unbound upon lease. It stays around until that lease expires. Alas, even if you edit the lease to be a permanent reservation, the old DNS entry does not get deleted and still points to the initial IP. You can file a bug on github, if you like, but as I understand it, OpnSense move to KEA now from ISC DHCP and AFAIK, that bug exists there too.
I did not have this issue for a year now. I had to change the lan adresses from 192x to 10x and only then thia issue appeared. So it must have a cause related to that, i think. Also, why did unbound chose this ddns domain to be added? I have 2 if them, the other one resolves fine. And us.to is not even the first of the two in the ddns client updater.
Just had an idea. It looks like unbound can't solve ANY us.to domains! For example usac.us.to
What gives?
Blocklists activated in unbound?
Yes, but tried adding exception, also disabling completely, same
Suricata @work?
Hmm, didnt think of suricata. Will check, thanks
...have here frequent suricata DNS blocks for .to domains
Damn it, it was Suricata! ssid 2027757 block dns to .to domains...
It always is what you never think of :(
It probably did this on a recent update, as i had it working last week. And i thought it was the lan change that did this to me.
Thanks everyone for helping!
Quote from: cobrax2 on July 13, 2024, 08:08:00 PM
Damn it, it was Suricata! ssid 2027757 block dns to .to domains...
It always is what you never think of :(
You might want to check other TLD DNS rules in Suricata and disable them as well.