I have been a happy user of Opnsense for many years on my home network, having migrated from Sophos.
I recently upgraded to 26.1 and was trying to add an alias for a pod container on my management VLAN so it was accessible on my default internal VLAN, but it refused to work no matter what. It was then I noticed another issue - none of my wildcard overrides worked either!
After a breach a number of years ago where someone used an AnyDesk hack I have locked down any remote control domains by redirecting them to 127.0.0.1 and blocking/redirecting DNS to anything other than the firewall to stop manual intervention. This has always worked great, but in recent months I've had issues with a couple of my aliases not working as they should - and finally got round to fixing it this week.
No matter what I do I cannot get the overrides to work properly. They work on the firewall locally, but trying a lookup from a client machine always results in the apex and www for the domains directing to the actual IP addresses. Initially, it appeared that blacklisting was causing the client to ignore the overrides because they were completely ignored; I manually deleted all the Unbound config, deleted it from the template and reinstalled it. This cured a lot of the issues, but still www and apex refuse to resolve to 127.0.0.1 from a client.
Working with Claude it had me try a lot of things and could only conclude that it couldn't really be done in 26.1.x - which I can't believe! I even tried adding manual blocklists config files, which resulted in exactly the same problem.
Can anyone offer any advice on a workaround for this? It appears that since the revamp of Unbound, functionality is broken for overrides; I'm using ISC DHCP and it integrates well with Unbound, so I don't really want to start moving to Kea DHCP as it doesn't have the same integrations.
Quote from: mightyi on Today at 01:03:48 PM
No matter what I do I cannot get the overrides to work properly, they work on the firewall locally, but trying lookup from a client machine always results in the apex and www for the domains directing to the actual ip addresses.
My two bob's worth - I expect you've been down this path!
If the client machines are showing different responses to the same query, flush the DNS cache on the client machines and test again.
If the problem persists, check to make sure the DNS server being queried on the client machine is the same one you're querying on the firewall.
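A small script for the two checks in the reply above, added here as an example (it is not from the thread or from OPNsense): it resolves each name both through the client's default resolver and directly against the firewall's Unbound, classifies each answer as the 127.0.0.1 override or a leak of the real address, and prints which nameservers the client is actually configured to use. The firewall address is a placeholder; pass the domains to check as arguments.

```shell
#!/bin/sh
# Added example: compare client-side and firewall-side resolution of override names.
# Assumes dig is installed; FIREWALL is a placeholder for the OPNsense LAN address.
FIREWALL="192.0.2.1"

# Print the A records found in "dig +noall +answer" style output, sorted, space-separated.
a_records() {
  printf '%s\n' "$1" | awk '$4 == "A" {print $5}' | sort | tr '\n' ' ' | sed 's/ $//'
}

# "override" if every A record is 127.0.0.1, "leak" if any real address is returned,
# "none" if the answer carries no A records at all (e.g. NXDOMAIN or CNAME only).
classify() {
  recs=$(a_records "$1")
  if [ -z "$recs" ]; then
    echo none
    return
  fi
  for ip in $recs; do
    if [ "$ip" != "127.0.0.1" ]; then
      echo leak
      return
    fi
  done
  echo override
}

# Nameservers this client is really using (resolv.conf on Linux/BSD).
client_resolvers() {
  awk '$1 == "nameserver" {print $2}' /etc/resolv.conf 2>/dev/null
}

# Live check of one name: default resolver versus the firewall directly.
check_name() {
  name=$1
  via_default=$(dig +noall +answer "$name" A)
  via_fw=$(dig +noall +answer @"$FIREWALL" "$name" A)
  printf '%-28s client:%-9s firewall:%-9s\n' "$name" \
    "$(classify "$via_default")" "$(classify "$via_fw")"
  if [ "$(a_records "$via_default")" != "$(a_records "$via_fw")" ]; then
    echo "  answers differ: client is not getting the firewall's override"
    echo "  client resolvers: $(client_resolvers | tr '\n' ' ')"
  fi
}

# Only run live queries when names are given, e.g.: sh check_overrides.sh example.com www.example.com
for n in "$@"; do
  check_name "$n"
done
```

If the client's resolver list shows anything other than the firewall, the override can never be seen there; if it is the firewall and the answers still differ, a stale client cache is the usual cause.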