OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: AndyX90 on February 10, 2018, 09:05:38 am

Title: Unbound Problems
Post by: AndyX90 on February 10, 2018, 09:05:38 am
Hey guys,

I have strange problems with Unbound and domain overrides.
I have configured a local domain override with xxx.local pointing to my domain controller, and a reverse override also pointing to my domain controller.
If I check the resolution via Interfaces > Diagnostics > DNS Lookup, it resolves the IP only on every 3rd or 4th try.
Attached some screens.
EDIT: I read somewhere that unbound could have problems with domains named *.local?

Thanks for help!
Title: Re: Unbound Problems
Post by: astrandb on February 10, 2018, 10:02:03 am
Try entering the following in Custom options in the Unbound settings:
Code:
server:
domain-insecure: "yourdomain.local"
Title: Re: Unbound Problems
Post by: AndyX90 on February 10, 2018, 10:10:52 am
I did that, but the behaviour is the same.
If I click DNS Lookup it resolves, but if I do it 5 times, it resolves 3 or 4 correctly and the rest not.
So it's a ~50% chance...
Title: Re: Unbound Problems
Post by: astrandb on February 10, 2018, 12:17:56 pm
You could also try to restrict Outgoing network interfaces to LAN only.
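The two suggestions above (the `domain-insecure` custom option and restricting the outgoing interface) in context, as an added example that is not part of the thread and not OPNsense's generated configuration. The `forward-zone` stanzas show roughly what an OPNsense domain override for a forward and a reverse zone amounts to in Unbound terms; only the `server:` block belongs in Custom options. The domain `xxx.local`, the DC address 192.168.16.10 and the LAN address 192.168.16.1 are assumptions:

```conf
# Added example, not from the thread or from OPNsense. Names and addresses are
# placeholders: domain xxx.local, DC at 192.168.16.10, LAN 192.168.16.0/24.
server:
    # DNSSEC validation: the DC's zone is not signed, so tell the validator not
    # to expect a secure delegation for it (otherwise the answers are bogus).
    domain-insecure: "xxx.local"
    domain-insecure: "16.168.192.in-addr.arpa"

    # DNS rebinding protection: when private-address is configured, answers that
    # carry RFC 1918 addresses are dropped unless the domain is listed here.
    private-domain: "xxx.local"

    # Reverse lookups: Unbound answers the RFC 1918 reverse zones itself by
    # default; release them so the reverse forward-zone below is consulted.
    unblock-lan-zones: yes
    insecure-lan-zones: yes

    # astrandb's suggestion: send queries only from the LAN address.
    # Leave it commented out if Unbound must also resolve Internet names
    # through the WAN without that restriction.
    # outgoing-interface: 192.168.16.1

# What the forward domain override generates, approximately.
forward-zone:
    name: "xxx.local"
    forward-addr: 192.168.16.10

# What the reverse domain override generates, approximately.
forward-zone:
    name: "16.168.192.in-addr.arpa"
    forward-addr: 192.168.16.10
```

After applying it, `unbound-checkconf` on the console catches syntax errors before the service is restarted.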
Title: Re: Unbound Problems
Post by: AndyX90 on February 10, 2018, 01:23:46 pm
That would not be my preference. I want to use Unbound as the DNS resolver for Internet requests too.
Title: Re: Unbound Problems
Post by: astrandb on February 10, 2018, 05:15:25 pm
When I look deeper, I have a similar problem.
I also have a domain override for a .local domain. DNS lookup never fails when I do it from a connected PC or Linux client. However, when I test from the console on one of my OPNsense boxes, I also get intermittent failures.
Code:
drill host.mydomain.local
Fails 25-75% of tries
Code:
drill @192.168.16.1 host.mydomain.local
Works every time
Code:
drill ikea.com
Works every time

Something odd is going on.
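The three-way comparison above, turned into a repeatable measurement so the failure rate can be quoted as a number rather than "25-75%". This is an added example, not code from the thread; `drill` is the ldns tool used on the OPNsense console, and the hostnames and 192.168.16.1 follow the post but are placeholders. The resolver command can be overridden through `DRILL` for testing.

```sh
#!/bin/sh
# Repeat a lookup N times and report how often it fails, reproducing the
# comparison above: local Unbound vs. the DC directly vs. a public name.
# Added example, not from the thread. Names and 192.168.16.1 are placeholders.

DRILL=${DRILL:-drill}

# lookup_ok NAME [SERVER]: succeed only if the reply is NOERROR and carries at
# least one answer record; SERVFAIL, a timeout or an empty answer is a failure.
lookup_ok() {
    name=$1
    server=$2
    if [ -n "$server" ]; then
        out=$("$DRILL" "$name" "@$server" 2>/dev/null)
    else
        out=$("$DRILL" "$name" 2>/dev/null)
    fi
    printf '%s\n' "$out" | grep -q 'rcode: NOERROR' || return 1
    printf '%s\n' "$out" | grep -q 'ANSWER: 0' && return 1
    return 0
}

# failure_pct NAME TRIES [SERVER]: integer percentage of failed lookups.
failure_pct() {
    name=$1
    tries=$2
    server=$3
    failed=0
    i=0
    while [ "$i" -lt "$tries" ]; do
        lookup_ok "$name" "$server" || failed=$((failed + 1))
        i=$((i + 1))
    done
    echo $((failed * 100 / tries))
}

# Run with "--run" on the firewall to print the comparison.
if [ "${1:-}" = "--run" ]; then
    echo "via local Unbound: $(failure_pct host.mydomain.local 20)%"
    echo "DC directly      : $(failure_pct host.mydomain.local 20 192.168.16.1)%"
    echo "public name      : $(failure_pct ikea.com 20)%"
fi
```

A name that fails through the local Unbound but never fails when asked of the DC directly points at the forwarding chain on the firewall rather than at the DC; a public name failing at the same rate would point at Unbound or the upstream path instead.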
Title: Re: Unbound Problems
Post by: AndyX90 on February 10, 2018, 05:21:12 pm
Yeah, I have multiple machines and the problem occurs on each of them.

Btw. my other domains don't end with .local.

Sent from my Pixel 2 XL using Tapatalk
Title: Re: Unbound Problems
Post by: elektroinside on February 10, 2018, 05:40:09 pm
Why don't you configure your DHCP clients (from the OPNsense DHCP server, assuming that's what you are using) to use the domain DNS server, and the DNS server on the DC (or wherever it is) to forward queries to OPNsense?
Title: Re: Unbound Problems
Post by: advcron on February 10, 2018, 06:00:13 pm
What about configuring dnsmasq to forward the AD domain to the DC?

Sent from my Mi-4c using Tapatalk

Title: Re: Unbound Problems
Post by: AndyX90 on February 10, 2018, 06:10:14 pm
Quote from: elektroinside on February 10, 2018, 05:40:09 pm
Why don't you configure your DHCP clients (from the OPNsense DHCP server, assuming that's what you are using) to use the domain DNS server, and the DNS server on the DC (or wherever it is) to forward queries to OPNsense?

I want the firewall itself to resolve my internal stuff.
My DC is the DHCP and DNS server.

Sent from my Pixel 2 XL using Tapatalk
Title: Re: Unbound Problems
Post by: elektroinside on February 10, 2018, 06:32:00 pm
Quote from: AndyX90 on February 10, 2018, 06:10:14 pm
I want the firewall itself to resolve my internal stuff.
My DC is the DHCP and DNS server.

Did you configure the same domain in OPNsense?
Title: Re: Unbound Problems
Post by: AndyX90 on February 10, 2018, 06:34:32 pm
Quote from: elektroinside on February 10, 2018, 06:32:00 pm
Did you configure the same domain in OPNsense?

Yes.

Sent from my Pixel 2 XL using Tapatalk

Title: Re: Unbound Problems
Post by: elektroinside on February 10, 2018, 06:58:35 pm
Strange.. I don't have a .local domain (I have another one), and initially I had your setup (which worked perfectly), then I switched to the one I mentioned in my previous comment (also works perfectly, and I actually threw in a Pi-hole as well as an added bonus)... I'm highly dependent on a good DNS chain as I use (and enforce) smart card authentication. It never failed on me.. Sorry to hear you are having problems.
Title: Re: Unbound Problems
Post by: AndyX90 on February 10, 2018, 07:30:17 pm
It is domain-name independent. For example, on other machines I have domains named *.lan or *.localdomain and the behaviour is the same :-/

Sent from my Pixel 2 XL using Tapatalk

Title: Re: Unbound Problems
Post by: elektroinside on February 10, 2018, 09:21:57 pm
Windows clients append the domain suffix to hostnames, even if unqualified names are used (this is a feature called DNS devolution). So there are no "domain-name independent" names. Try nslookup from a client.
macOS clients hate .local domains.

If you don't have a DNS server that resolves the FQDN, or if you have multiple DNS servers and you did not configure the chain properly (forward lookups/DNS zones/root hints), or your domains are public domain names, you will have problems exactly like the ones you described (with the clients; I can't say for sure if this happens from OPNsense itself). There's no way around that.

From my experience, overriding private domains is not a recommended design; I personally never do it. The right way to do it (IMO) is to query the DNS servers directly and correctly configure the forward lookups/root hints/DNS zones. The local DNS servers in question will also forward queries if they fail (for any reason) to resolve the query, ending up who knows where.

And there's the warning in OPNsense (attached image).
Title: Re: Unbound Problems
Post by: AndyX90 on February 10, 2018, 10:11:25 pm
Quote from: elektroinside on February 10, 2018, 09:21:57 pm
Windows clients append the domain suffix to hostnames, even if unqualified names are used (this is a feature called DNS devolution). So there are no "domain-name independent" names. Try nslookup from a client.
macOS clients hate .local domains.

If you don't have a DNS server that resolves the FQDN, or if you have multiple DNS servers and you did not configure the chain properly (forward lookups/DNS zones/root hints), or your domains are public domain names, you will have problems exactly like the ones you described (with the clients; I can't say for sure if this happens from OPNsense itself). There's no way around that.

From my experience, overriding private domains is not a recommended design; I personally never do it. The right way to do it (IMO) is to query the DNS servers directly and correctly configure the forward lookups/root hints/DNS zones. The local DNS servers in question will also forward queries if they fail (for any reason) to resolve the query, ending up who knows where.

And there's the warning in OPNsense (attached image).

You misunderstand me.
I have about 25 different firewalls in different domain environments, and this behaviour is the same on every OPNsense firewall. The domain name doesn't matter.

Sent from my Pixel 2 XL using Tapatalk

Title: Re: Unbound Problems
Post by: elektroinside on February 11, 2018, 12:52:51 am
You don't understand me either, I guess. What I'm trying to say is that you should not override local domains at all from OPNsense. So you are doing it wrong on all 25 firewalls. So it doesn't matter if OPNsense has some freak unbound bug regarding local domain overrides, as you should not use local domain overrides at all.
Title: Re: Unbound Problems
Post by: AndyX90 on February 11, 2018, 04:05:40 am
Quote from: elektroinside on February 11, 2018, 12:52:51 am
You don't understand me either, I guess. What I'm trying to say is that you should not override local domains at all from OPNsense. So you are doing it wrong on all 25 firewalls. So it doesn't matter if OPNsense has some freak unbound bug regarding local domain overrides, as you should not use local domain overrides at all.

I did try it on 3 firewalls now for testing. I want to use the local override for single sign-on, but I still want to use OPNsense for caching DNS. My DC redirects to OPNsense.

Sent from my Pixel 2 XL using Tapatalk