OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: jwe on December 10, 2016, 05:55:22 pm

Title: DNS Resolver host and domain override not working
Post by: jwe on December 10, 2016, 05:55:22 pm
Hi, i upgraded to 16.7.10.
I am using unbound/dns resolver with some domain and host overrides.

Since the update these are ignored, seems similar to https://forum.opnsense.org/index.php?topic=4041.0 but i am using the resolver, not the forwarder.

for example i set internalnet.local to forward to dns server at 10.4.4.1.
if i do nslookup for host.internalnet.local via opnsense i get a server error("Server failed") while google.com for example work as it should

if i do nslookup via ssh from opnsense host to server 10.4.4.1 for host.internalnet.local it works. Seems like just the forwarding is broken.

Same seems to be broken for host overrides.

Any ideas?
Title: Re: DNS Resolver host and domain override not working
Post by: franco on December 10, 2016, 07:16:43 pm
Hi there,

First time for resolver, hmm. The configuration for the resolver is more complex than its forwarder counterpart so we need to pin down exactly what's going on and this isn't enough yet.

Are all static hosts in the file /var/unbound/host_entries.conf ?

Are all static domains in the file /var/unbound/domainoverrides.conf ?

Are you using the options Register DHCP leases and/or Register static DHCP leases?

Is the option "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" checked or unchecked under System: Settings: General?


Cheers,
Franco
Title: Re: DNS Resolver host and domain override not working
Post by: jwe on December 10, 2016, 07:49:40 pm
1+2 The configured hosts/domains are in the files, yes(checked via ssh/cat)

3. "Register DHCP leases and/or Register static DHCP leases"  are both enabled.
As i have the german language active:
the checkboxes are ticked on:
"Registriere DHCP-Leases im DNS-Resolver"
and
"Registriere statische DHCP-Zuweisungen im DNS-Resolver"

4. "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" is unchecked. btw.: its not translated to german in the web gui :)

Title: Re: DNS Resolver host and domain override not working
Post by: franco on December 10, 2016, 08:03:38 pm
Can you check the logs under DNS Tools for reject messages for these queries? Also what Interfaces are selected to listen/send to in Unbound?

Zu 4.: der String wurde mit 16.7.10 korrigiert, es existiert also noch keine √úbersetzung. ;)


Cheers,
Franco
Title: Re: DNS Resolver host and domain override not working
Post by: jwe on December 10, 2016, 08:23:23 pm
Where do i find the logs for unbound?
Currently there are only very few log lines:
Quote
Dec 10 17:45:08   unbound: [10914:0] info: start of service (unbound 1.5.10).
Dec 10 17:45:08   unbound: [10914:0] notice: init module 0: iterator
Dec 10 17:45:04   unbound: [24617:0] info: 16.000000 32.000000 2
Dec 10 17:45:04   unbound: [24617:0] info: 8.000000 16.000000 2
Dec 10 17:45:04   unbound: [24617:0] info: 0.262144 0.524288 2
Dec 10 17:45:04   unbound: [24617:0] info: 0.131072 0.262144 6
Dec 10 17:45:04   unbound: [24617:0] info: 0.065536 0.131072 11
Dec 10 17:45:04   unbound: [24617:0] info: 0.032768 0.065536 9
Dec 10 17:45:04   unbound: [24617:0] info: 0.016384 0.032768 6
Dec 10 17:45:04   unbound: [24617:0] info: 0.000000 0.000001 15
Dec 10 17:45:04   unbound: [24617:0] info: lower(secs) upper(secs) recursions
Dec 10 17:45:04   unbound: [24617:0] info: [25%]=8.83333e-07 median[50%]=0.0527929 [75%]=0.123625
Dec 10 17:45:04   unbound: [24617:0] info: histogram of recursion processing times
Dec 10 17:45:04   unbound: [24617:0] info: average recursion processing time 1.347243 sec
Dec 10 17:45:04   unbound: [24617:0] info: server stats for thread 3: requestlist max 10 avg 0.584906 exceeded 0 jostled 0
Dec 10 17:45:04   unbound: [24617:0] info: server stats for thread 3: 71 queries, 18 answers from cache, 53 recursions, 0 prefetch
Dec 10 17:45:04   unbound: [24617:0] info: 64.000000 128.000000 2


Selected Interfaces for Listen are:
LAN,LAN_CONFIGURATIONONLY,WIFIGUESTS,WIFINORMAL <=Internal Networks
and WAN  <= external network, connected to a "FritzBox"

Outgoing Interfaces are simply "ALL" but i have a lot of them.. OPENVPN tunnels, HE6 Tunell etc.

I just found out that now host overrides are working. still domain overrids not working.


Here is my nslookup example:
* potato is opnsense
* ts.local.localdomain.net is the host i want to resolve
* opnsense can ping 192.168.50.2
* my client can ping 192.168.50.2
* opnsense/resolver config say domain local.localdomain.net should be overriddem by 192.168.50.2
* nslookup fails for ts....
* switching dns server  to 192.168.50.2=>nslookup resolves the host.
Quote
C:\Users\jan>nslookup
Default Server:  potato.local.localdomain.net
Address:  2001:470:7715:60::1

> google.com
Server:  potato.local.localdomain.net
Address:  2001:470:7715:60::1

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4001:81a::200e
          172.217.22.14

> heise.de
Server:  potato.local.localdomain.net
Address:  2001:470:7715:60::1

Non-authoritative answer:
Name:    heise.de
Addresses:  2a02:2e0:3fe:1001:302::
          193.99.144.80

> ts.local.localdomain.net
Server:  potato.local.localdomain.net
Address:  2001:470:7715:60::1

*** potato.local.localdomain.net can't find ts.local.localdomain.net: Server failed
> server 192.168.50.2
Default Server:  local.localdomain.net
Address:  192.168.50.2

> ts.local.localdomain.net
Server:  local.localdomain.net
Address:  192.168.50.2

Name:    ts.local.localdomain.net
Addresses:  2a01:4f8:212:1621:0:d0d0:d1d1:1454
          192.168.70.11

Title: Re: DNS Resolver host and domain override not working
Post by: jwe on December 10, 2016, 08:34:52 pm
0o.. after setting Listening Port to "All" it works...


EDIT:
Also.. after playing around with the settings, the opnsense host has no more dns.
"Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" is still unticked, but it seems like unbound is not listening on 127.0.0.1.
Also the "Local" Entry is missing in the multi-select list for listening interface.

Checking "/diag_sockets.php" shows unbound for all my interfaces IPs except 127.0.0.1 while if selected "ALL" for listening ports it should state *:53 instead of all ips separated, right?