OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: amogus on October 08, 2025, 12:00:45 PM

Title: About Unbound DNS wildcard host override
Post by: amogus on October 08, 2025, 12:00:45 PM
Hi,

So the Unbound wildcard host DNS override is really annoying me right now.
My use case is simple: *.mydomain.com -> reverse proxy, it works great, I can access my applications cleanly via the reverse proxy (e.g. application.mydomain.com -> reverse proxies me to 192.168.10.6:8472).

BUT, because I have a *.mydomain.com override in Unbound, now I am unable to do anything else with that domain except get routed to the reverse proxy.
I want to access just mydomain.com (no subdomain)? Nope, I get the reverse proxy.
I want to access something.mydomain.com, which would be something hosted on the public internet? No way to override, I must go through the reverse proxy.
I want to create an override server7.lan.internal.mydomain.com? Nope, it just matches the *.mydomain.com override and I get the reverse proxy.

I will say that this is my first time setting up anything like this and first time using any DNS service, but this seems like bad design to me.
Is this sort of behavior really intended?

I would expect:

Would I be correct in hoping that there could be something to be improved here, and I should/could make a feature request/bug report/whatever somewhere (where?).
Or is this just how DNS services are supposed to work?

If this is how DNS services are supposed to work, I really wonder how people are able to use their domain, utilize a reverse proxy, and have subdomains.
There must be something I'm missing and I would love to learn what a proper setup looks like.

To further emphasize my problem, I would divide these problems into two:

For problem 1, I can use a hacky workaround: resolve the same domain again within the reverse proxy and use a public DNS server to resolve it.
But about problem 2, I don't think I can do anything about it. I'm just screwed. Pick one: ability to use a reverse proxy or ability to use sub-domains.

A good example for problem 2 is that I followed the tutorial from the documentation (https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration) on how to connect Unbound and dnsmasq. Great, I am now able to reach my DHCP devices via DNS as devicename.device.mydomain.com. But oops, now I want to use my reverse proxy, so I have to create the override *.mydomain.com -> reverse proxy, and now all of this is broken.
Title: Re: About Unbound DNS wildcard host override
Post by: Monviech (Cedrik) on October 08, 2025, 12:35:45 PM
Just don't use the wildcard. I'm sure you don't have 100k subdomains on your reverse proxy.

Simplest solution for this.
Title: Re: About Unbound DNS wildcard host override
Post by: amogus on October 08, 2025, 12:43:33 PM
Quote from: Monviech (Cedrik) on October 08, 2025, 12:35:45 PM
    Just don't use the wildcard. I'm sure you don't have 100k subdomains on your reverse proxy.

    Simplest solution for this.

I guess you are right, but is this really what people do?
Manually updating rules always when adding reverse proxy entries?
Surely there is a better way? I am just not aware of any alternatives, and not knowledgeable enough to think of ways this could be achieved.

It also really goes against my goal of my homelab being IaC driven as much as possible.
Quite annoying how I can have a very nice setup of applications being spun up via pipelines from containers and reverse proxy entries being dynamically created etc, but then I have to open up the OPNsense dashboard to type in some manual overrides.

If this is really how it must be done, I guess I should look into automating the creation of Unbound overrides via the API or whatever.
Hopefully that is possible.
Title: Re: About Unbound DNS wildcard host override
Post by: Monviech (Cedrik) on October 08, 2025, 12:48:12 PM
You can automate it via API so whenever you add or remove something in your reverse proxy it POSTs it to the exposed OPNsense Unbound API followed by a reload of the service.

Just gotta be a little creative hehe :)
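Monviech's suggestion above, worked through as an added example (this is not code from the thread or from OPNsense): a small reconciliation script that takes the list of hostnames the reverse proxy currently serves, diffs it against the Unbound host overrides that carry a marker in their description, adds or deletes only the records it owns, and then reloads the service. The endpoint paths (`/api/unbound/settings/searchHostOverride`, `addHostOverride`, `delHostOverride/<uuid>`, `/api/unbound/service/reconfigure`), the key/secret HTTP basic-auth scheme and the row field names are assumptions taken from the OPNsense API documentation and should be checked against the installed version; the proxy address 192.168.10.6 and the domain come from the original post.

```python
"""Reconcile reverse-proxy hostnames with OPNsense Unbound host overrides.

Added example, not code from the thread or from OPNsense. Assumed API surface
(check against the installed OPNsense API docs): POST endpoints
/api/unbound/settings/searchHostOverride, addHostOverride, delHostOverride/<uuid>
and /api/unbound/service/reconfigure, authenticated with an API key/secret pair
as HTTP basic auth, and search rows carrying hostname, domain, server, uuid and
description fields. The proxy address and domain come from the original post.
"""
import base64
import json
import os
import urllib.request
from dataclasses import dataclass

PROXY_IP = "192.168.10.6"          # reverse proxy address from the thread
DOMAIN = "mydomain.com"
TAG = "managed-by-proxy-sync"      # description marking records this script owns


@dataclass(frozen=True)
class Override:
    hostname: str
    domain: str
    server: str
    uuid: str = ""
    managed: bool = True           # True when the record carries TAG


def desired_overrides(proxy_hosts):
    """Map the proxy's FQDNs under DOMAIN to the override set we want."""
    suffix = "." + DOMAIN
    wanted = set()
    for fqdn in proxy_hosts:
        fqdn = fqdn.strip().lower().rstrip(".")
        if not fqdn.endswith(suffix):
            continue                               # other domains are not ours
        wanted.add(Override(fqdn[: -len(suffix)], DOMAIN, PROXY_IP))
    return wanted


def plan(desired, current):
    """Return (adds, deletes). Only TAG-marked records are ever deleted or
    replaced, so hand-made overrides (devices, NAS, ...) are never touched."""
    ours = {(o.hostname, o.domain): o for o in current if o.managed}
    foreign = {(o.hostname, o.domain) for o in current if not o.managed}
    want = {(o.hostname, o.domain): o for o in desired}
    adds, deletes = [], []
    for key, wanted in want.items():
        if key in foreign:
            continue                               # a manual record wins
        have = ours.get(key)
        if have is None:
            adds.append(wanted)
        elif have.server != wanted.server:         # stale target: replace it
            deletes.append(have)
            adds.append(wanted)
    for key, have in ours.items():
        if key not in want:
            deletes.append(have)                   # proxy entry is gone
    return (sorted(adds, key=lambda o: o.hostname),
            sorted(deletes, key=lambda o: o.hostname))


def host_payload(o):
    """Body for addHostOverride (field names are an assumption, see above)."""
    return {"enabled": "1", "hostname": o.hostname, "domain": o.domain,
            "rr": "A", "server": o.server, "description": TAG}


class OpnsenseUnbound:
    def __init__(self, base_url, key, secret):
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{key}:{secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}

    def _post(self, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base + path, data=data,
                                     headers=self.headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def current(self):
        rows = self._post("/api/unbound/settings/searchHostOverride").get("rows", [])
        return [Override(r["hostname"], r["domain"], r["server"], r["uuid"],
                         r.get("description") == TAG) for r in rows]

    def apply(self, adds, deletes):
        for o in deletes:
            self._post(f"/api/unbound/settings/delHostOverride/{o.uuid}")
        for o in adds:
            self._post("/api/unbound/settings/addHostOverride", {"host": host_payload(o)})
        if adds or deletes:                        # the "reload" Monviech mentions
            self._post("/api/unbound/service/reconfigure")


if __name__ == "__main__":
    # OPNSENSE_URL / OPNSENSE_KEY / OPNSENSE_SECRET are assumed environment
    # variables; PROXY_HOSTS is a comma-separated list your pipeline exports.
    api = OpnsenseUnbound(os.environ["OPNSENSE_URL"], os.environ["OPNSENSE_KEY"],
                          os.environ["OPNSENSE_SECRET"])
    adds, deletes = plan(desired_overrides(os.environ["PROXY_HOSTS"].split(",")),
                         api.current())
    print("add:", [o.hostname for o in adds], "delete:", [o.hostname for o in deletes])
    api.apply(adds, deletes)
```

Two design points matter for a pipeline like this: the script only ever deletes records that carry its own marker, so the dnsmasq device registrations and any manually added overrides survive a run; and the API key should belong to a dedicated OPNsense user whose privileges cover only the Unbound pages, stored as a pipeline secret. `urllib` verifies the HTTPS certificate by default; if the firewall uses a self-signed certificate, trust that CA on the runner rather than switching verification off.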
Title: Re: About Unbound DNS wildcard host override
Post by: amogus on October 08, 2025, 12:57:54 PM
Quote from: Monviech (Cedrik) on October 08, 2025, 12:48:12 PM
    You can automate it via API so whenever you add or remove something in your reverse proxy it POSTs it to the exposed OPNsense Unbound API followed by a reload of the service.

    Just gotta be a little creative hehe :)
Yeah, it seems it's actually very simple via the API.
I guess I will do this, assuming no one makes me aware of some alternative way people use.

I'm just really having a hard time believing I'm not missing something, surely there must be a better way.

Also, about my question "are DNS services really supposed to work like this", it would be nice if there was someone who knew an answer.
Because to me it just really seems like those shortcomings I listed should not be expected behavior.
I would love to post a feature request somewhere (maybe on the Unbound Github? Or is this more of an OPNsense thing? I have no idea how these things work)
Title: Re: About Unbound DNS wildcard host override
Post by: Monviech (Cedrik) on October 08, 2025, 12:59:49 PM
You can check what the Unbound configuration file looks like after generation, and compare it with the Unbound man page specifications to see if there is a solution for your problem.

If it's a configuration thing, you can always come to the OPNsense GitHub to propose it.

If it's not yet implemented, the Unbound GitHub would be the best choice.
Title: Re: About Unbound DNS wildcard host override
Post by: amogus on October 08, 2025, 01:42:54 PM
Ok, I did some reading, and I learned that creating a *.domain.com override actually creates a "local-zone" override of type "redirect"
(see: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-local-zone)

So, for any future reader, I'd say to think of the wildcard host override as "anything that ends in domain.com", including just domain.com.
So I believe there is no point in trying to open some feature request on the Unbound Github about this. (which brings me back to thinking there must be some better/other way people are doing this)

Though this (https://serverfault.com/questions/659990/unbound-exceptions-to-local-zone-rules-for-specific-subdomains-and-main-domain) (ancient) StackExchange post makes me think that there could maybe be something to improve on the OPNsense side of things. Especially, one user there says the order matters, but there is no way to change the order via OPNsense GUI.