OPNsense Forum
English Forums => General Discussion => Topic started by: eugenmayer on June 03, 2018, 09:59:51 am
-
I am using a public TLD for which I use the private-domain flag in unbound and also a domain override.
So let's assume it is company.com - I use the namespace <namespace>.company.com as an internal domain, so internal.company.com (domain override in unbound).
The problem now is that I am using a tool for ACME DNS-01 challenges which will do a DNS lookup on the default DNS server (OPNsense in this question) searching for an NS record (primary nameserver for company.com) like
dig mysub1.internal.company.com NS
during the challenge. If it finds an NS record, it will poll the primary server for a TXT record created during DNS-01 - if it does not find an NS server it will fail.
Apparently with OPNsense + unbound + domain override those NS responses are all empty. I ask myself how I could potentially fix that.
So
dig mysub1.internal.company.com NS
and
dig internal.company.com NS
are empty, since the domain override is on internal.company.com
dig company.com NS
will return the proper primary NS (public server)
Any hints on how to solve this?
-
NS records can be created in an advanced configuration. The configuration looks like the one generated here in the code:
https://github.com/opnsense/core/pull/2097/files#diff-a89985242e1eea6a91d3e103e3353d5cR594
-
thank you @fabian. Not sure what you refer to in the commit .. those things? https://github.com/opnsense/core/pull/2097/files#diff-a89985242e1eea6a91d3e103e3353d5cR584 .. Thanks
-
for anybody running into that, use "typetransparent" instead of "transparent" in unbound
-
Sorry for the necroposting, but it feels relevant to the original question: is this possible today? I need SOA/NS records for the domain managed by the firewall; it's basically to emulate a "well behaved" authoritative DNS.
-
for the record, this is the way: https://docs.opnsense.org/manual/unbound.html#advanced-configurations
If running CARP, configuration should be done on both nodes.
-
I am having the same problem too, but neither switching to "typetransparent" in Unbound -> General
nor creating a Template with
server:
private-domain: intern.mydomain.de
private-domain: video.mydomain.de
allows me to resolve SOA/NS records.
Reading the unbound docs:
private-domain: <domain name> Allow this domain, and all its subdomains to contain private addresses
I don't understand how this would enable/create SOA/NS records.
Am I missing something? How could I create SOA/NS records ?
-
You have to create local-zone and local-data entries (see the unbound.conf man page). But please remember:
4. Non-Goals
- An authoritative name server
- Too many Features
https://www.nlnetlabs.nl/documentation/unbound/requirements/
Cheers
Maurice
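As an added illustration of the local-zone/local-data approach Maurice describes (this fragment is not from the thread, the OPNsense docs or the unbound man page; the zone name, host names, IP addresses and the file path are placeholders), here is an Unbound "advanced configuration" snippet that gives internal.company.com an SOA and NS record at the apex while leaving everything else under that name to the existing domain override:

```conf
# Added example, not from the original thread. Drop into the Unbound
# advanced-configuration directory on OPNsense (assumed path:
# /usr/local/etc/unbound.opnsense.d/internal.conf; check the docs for your
# version) and restart Unbound. All names and addresses below are placeholders.
server:
  # The private-domain line from the thread: it only permits RFC 1918 answers
  # under this name, it does not create any records by itself.
  private-domain: "internal.company.com"

  # typetransparent: a query is answered from local-data only when BOTH the
  # name and the record type match. Any other query for the zone (for example
  # the TXT lookup an ACME DNS-01 client performs, or A records not listed
  # here) falls through to normal resolution, i.e. to the domain override.
  # Plain "transparent" would instead return an empty answer for names that
  # exist in local-data with a different type.
  local-zone: "internal.company.com." typetransparent

  # Apex records so a client walking up the name tree finds a "zone cut"
  # at internal.company.com. The SOA fields are: primary NS, responsible
  # mailbox (hostmaster@ written as hostmaster.), serial, refresh, retry,
  # expire, negative-caching TTL.
  local-data: "internal.company.com. 3600 IN SOA ns1.internal.company.com. hostmaster.internal.company.com. 2018060301 7200 3600 1209600 3600"
  local-data: "internal.company.com. 3600 IN NS ns1.internal.company.com."

  # The NS target must resolve, otherwise tools that query the primary
  # directly will fail even though the NS record is present.
  local-data: "ns1.internal.company.com. 3600 IN A 192.0.2.53"
```

After a restart, `dig @<firewall-ip> internal.company.com NS` and `... SOA` should return the records above, while `dig @<firewall-ip> mysub1.internal.company.com NS` still yields no NS record (there is no zone cut at that label), which is the expected answer for a host name inside a zone. Two caveats a practitioner should keep in mind: Unbound still does not act as an authoritative server (no AXFR, no authoritative-answer semantics beyond what local-data fakes), and a DNS-01 client that polls the NS target directly for the challenge TXT record will only succeed if whatever answers at that address actually serves the record the client created, so the placeholder above must point at the server that really holds the internal zone.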
-
Hi Maurice,
4. Non-Goals
- An authoritative name server
so what would you recommend? Installing os-bind as an authoritative name server on OPNsense?
Do you know of any documentation how to configure bind together with unbound in OPNsense ?
Thank you very much
Klaus
-
@kd.gundermann, depends on your use case. If you want an authoritative name server running on OPNsense itself, the BIND plugin is currently the go-to option. Or you run a name server on a separate machine (which is what I do).
There is some info about the BIND plugin in the official OPNsense docs, otherwise just search the forum.
Cheers
Maurice