OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: mestafin on April 04, 2020, 05:33:40 pm

Title: Unbound DNS
Post by: mestafin on April 04, 2020, 05:33:40 pm
I have two separate LAN networks, each behind an OPNsense firewall with two private domains:

aaa and bbb

The two networks are linked via a site-to-site VPN.

On each network, Unbound is configured as the local DNS server to resolve local host names of the format:

host1.aaa and host2.aaa for the one network and host3.bbb and host4.bbb for the other network.

How do I configure the Unbound DNS server on the aaa domain to forward queries for hosts on the bbb domain to the Unbound server on the bbb domain?
Title: Re: Unbound DNS
Post by: stefanpf on April 04, 2020, 05:58:10 pm
You can use a domain override with the IP of the other side.
Title: Re: Unbound DNS
Post by: mestafin on April 04, 2020, 06:45:46 pm
I have already done that and created an access list entry on both Unbound servers to allow queries from the other network, but it still can't resolve the other network.
Title: Re: Unbound DNS
Post by: mestafin on April 04, 2020, 06:47:39 pm
More information...

I can ping the other network from both sides, so there is not an access problem between the OPNsense units.
Title: Re: Unbound DNS
Post by: stefanpf on April 04, 2020, 07:26:50 pm
I personally use it with IPsec:
- access list entry
- firewall rule for DNS (as I use an internal LAN IP in the override)
That's it.
Title: Re: Unbound DNS
Post by: mestafin on April 05, 2020, 09:48:58 am
Hi,

I also specified an internal LAN address on the other network for the domain overrides.

Can you elaborate on the fw rule(s) that you have for DNS traffic between the networks please?

At the moment, I allow all traffic on the two IPsec interfaces. I can ping and access the OPNsense unit's GUI from the other network using the internal LAN addresses, so I think traffic is being passed through.

The one network also has a number of VLANs, with the Unbound server listening on all interfaces.

The one network has a dual HA cluster, but I don't think that is the cause of the problem.

Any further advice will be appreciated.
Title: Re: Unbound DNS
Post by: stefanpf on April 05, 2020, 10:37:51 am
I use a simple rule (OPNsense itself forwards traffic to the domain controllers):
Interface: IPSEC
IPv4+IPv6
Protocol: TCP/UDP
Source: ANY
Destination: This Firewall
Dst-Port Range: DNS(53)

Have you already tried to access the remote DNS servers directly via nslookup?

Edit: Not sure if this is relevant: I defined the outgoing interface in the Unbound settings as a local interface (the interface whose network is included in my VPN client subnet).
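The suggestion above (query the remote Unbound directly instead of through the local forwarder) is the fastest way to localize this kind of fault, because each misconfiguration in the thread produces a different outcome: a firewall rule that does not pass port 53 over the IPsec interface gives no reply at all; an Unbound access list that does not cover the querying subnet returns REFUSED (Unbound's default action for unlisted sources); a reachable Unbound that simply has no host entry returns NXDOMAIN. The script below is an added example, not code from the original thread or from OPNsense. It builds a raw DNS query with only the standard library so it works on any box on the aaa side, sends it to the remote Unbound's LAN address, and maps the result to the likely cause. The host name host3.bbb, the remote address 10.2.0.3 and the sample replies are constructed for the example; on OPNsense a Domain Override corresponds to an Unbound forward-zone and the Access List to access-control entries.

```python
"""Probe a remote Unbound over a VPN and classify the outcome.

Added example for the OPNsense thread; constructed data only, no
external dependencies. Run with:  python3 dnsprobe.py 10.2.0.3 host3.bbb
"""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed for the example; use os.urandom for real probes


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid=TXID, qtype=1):
    """Standard recursive A query (RD=1), one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(data):
    """Return txid, rcode name, AA flag and the A records in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata)))
    return {"txid": txid, "rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F)),
            "aa": bool(flags & 0x0400), "answers": answers}


def diagnose(result):
    """Map a probe result to the misconfiguration most likely behind it."""
    if result is None:
        return "no reply: firewall rule on the VPN interface, or Unbound not listening on that address"
    if result["rcode"] == "REFUSED":
        return "REFUSED: remote Unbound access list does not include the querying subnet"
    if result["rcode"] == "NXDOMAIN":
        return "NXDOMAIN: remote Unbound reachable and allowed, but has no record for that name"
    if result["rcode"] == "NOERROR" and result["answers"]:
        return "OK"
    return "unexpected rcode " + result["rcode"] + ": query the remote server directly, not via the local forwarder"


def probe(server, name, timeout=2.0):
    """Send the query over UDP; None on timeout or on a txid mismatch (ignored as bogus)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_response(data)
    return resp if resp["txid"] == TXID else None


def sample_response(rcode, ip=None, name="host3.bbb", txid=TXID):
    """Constructed reply for offline demonstration (not captured from a real Unbound)."""
    flags = 0x8180 | rcode  # QR, RD, RA set; AA left clear
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 0 if ip is None else 1, 0, 0)
    pkt += encode_name(name) + struct.pack("!HH", 1, 1)
    if ip is not None:  # answer name as a pointer back to the question at offset 12
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton(ip)
    return pkt


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(diagnose(probe(sys.argv[1], sys.argv[2])))
    else:  # offline walk-through of the three outcomes discussed in the thread
        print("allowed + known host :", diagnose(parse_response(sample_response(0, "10.2.0.3"))))
        print("ACL missing          :", diagnose(parse_response(sample_response(5))))
        print("no host entry        :", diagnose(parse_response(sample_response(3))))
        print("port 53 blocked      :", diagnose(None))
```

Run it once against the remote Unbound's LAN address from a host on the other network and once from the OPNsense box itself: if the host gets REFUSED while the firewall gets an answer, the access list is the problem; if both time out, look at the rule on the IPsec interface.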
Title: Re: Unbound DNS
Post by: mestafin on April 09, 2020, 11:28:06 am
Thanks for the help, it is working now.

Not exactly sure what fixed the issue.