Messages - GregTheHun

#1
If there are any details missing, I can provide anything that's needed
#2
Ultimately, what I want to be able to happen is when a client on any VLAN, as long as they're allowed to access a server, they should be able to:

DNS Query to Router -> If Local server (with domain I use internally), give them server IP
                    -> If External server, go to NextDNS address set by DHCP option 6 addresses
#3
So, currently, I have Unbound set at what I believe are defaults listening on port 53, no overrides and query forwarding to DNSmasq on 127.0.0.1:53053

I have all my static hosts set on the "Hosts" tab in Dnsmasq, with each host checked as "Local".

So, in the DHCP options, I can have option 6 set as just the router address for each VLAN, and be able to do local resolution to hosts in my networks, or I can add NextDNS Addresses as well, and not be able to resolve anything local, but I would have all the features of NextDNS working correctly.

What am I missing to be able to resolve local hosts, but forward every other address lookup to NextDNS per VLAN?
#4
Quote from: patient0 on February 25, 2025, 07:35:11 PM
Quote from: GregTheHun on February 25, 2025, 05:23:59 PM
I mean, I suppose this could be a discussion thread on any service that has profiles and separate DNS addresses once they're set up. NextDNS just happens to be the one I'm using.
I do use both NextDNS and ControlD, ControlD at home and NextDNS on the root server. And while evaluating both services I did install and use ControlD's DNS forward proxy (https://github.com/Control-D-Inc/ctrld) at home. Very flexible and worth checking out.

You can define multiple listeners, networks, rules for the listeners and upstream services (and more that I probably forgot about). Never tried it with multiple NextDNS profiles, but I don't see a reason why it wouldn't work. There's no GUI element for it in OPNsense; the config happens in a TOML file.

In my config below some devices have their own ControlD or NextDNS profile (MAC based) and queries for local DNS get forwarded to the *sense (network.0 & upstream.0):


[service]
    log_level = "info"
    log_path = ""
    cache_enable = true
    cache_size = 10240
    cache_ttl_override = 60
    cache_serve_stale = true

[listener]
  [listener.0]
    ip = '0.0.0.0'
    port = 53
    allow_wan_clients = true
    restricted = true

    [listener.0.policy]
      name = 'Policy @ Home'

      # clients in the local LANs use the firewall's ControlD profile
      networks = [
          {'network.0' = ['upstream.0']}
      ]
      # the internal domain is answered by the local Unbound
      rules = [
        { '*.my.home.arpa' = ['upstream.5']}
      ]
      # per-device profiles, matched on MAC address
      macs = [
       {"xx:xx:xx:xx:xx:xx" = ["upstream.2"]}, # Macbook Air M2 Wifi
       {"yy:yy:yy:yy:yy:yy" = ["upstream.1"]}  # Apple TV 4K Livingroom
      ]

[network]
  [network.0]
    name = 'Local LANs'
    cidrs = ['192.168.169.0/24', '10.11.0.0/16', '2aaa:bbbb:.../48']

[upstream]
  [upstream.0]
    name = 'ControlD - Firewall @ Home'
    type = 'doh'
    bootstrap_ip = '2606:...'
    endpoint = 'https://dns.controld.com/<a profile>'
    timeout = 5000

  [upstream.1]
    name = 'ControlD - Apple TV Living Room'
    type = 'doh'
    bootstrap_ip = '2606:...'
    endpoint = 'https://dns.controld.com/<another profile>'
    timeout = 5000

  [upstream.2]
    name = 'NextDNS - blockads Profile'
    type = 'doh'
    bootstrap_ip = '2a07:...'
    endpoint = 'https://dns.nextdns.io/<profile>'
    timeout = 5000

  [upstream.3]
    name = 'Quad9'
    type = 'doh'
    bootstrap_ip = '2620:fe::fe'
    endpoint = 'https://dns.quad9.net/dns-query'
    timeout = 5000

  [upstream.4]
    name = 'DNS0.eu'
    type = 'doh'
    bootstrap_ip = '2a0f:fc80::'
    endpoint = 'https://dns0.eu'
    timeout = 5000

  [upstream.5]
    name = 'Local Unbound'
    type = 'legacy'
    endpoint = '127.0.0.1:10053'
    timeout = 5000

I would also be curious about this method, would you have to disable Unbound in order for this to work?
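To make the split-horizon behaviour asked for in #2/#3 and shown in the quoted ctrld config concrete, here is a small added Python model (not code from the thread, from patient0, or from the ctrld project) of how such a listener policy decides where a query goes. It assumes the evaluation order "domain rules, then client MAC, then client network (longest prefix wins)"; that order is this example's own assumption, not documented ctrld behaviour. The two extra subnets network.1 and network.2 are hypothetical stand-ins for the OP's VLAN 11 and VLAN 12, and the upstream ids refer to the entries in the quoted TOML.

```python
"""Toy split-horizon DNS policy evaluator (added example, not ctrld itself).

A query is routed to the first matching upstream by domain rule, then by
client MAC, then by client network with longest-prefix match. The order
is an assumption of this example.
"""
import ipaddress
from fnmatch import fnmatch
from typing import Optional

# Constructed networks: network.0 mirrors the quoted config; network.1 and
# network.2 are hypothetical per-VLAN subnets (VLAN 11 = IoT, VLAN 12 = Kids).
NETWORKS = {
    "network.0": ["192.168.169.0/24", "10.11.0.0/16"],
    "network.1": ["10.11.11.0/24"],
    "network.2": ["10.11.12.0/24"],
}

# Constructed policy in the shape of [listener.0.policy]. upstream.5 is the
# local Unbound; upstream.0/2/3/4 are the public DoH services in the quote.
POLICY = {
    "rules": [("*.my.home.arpa", "upstream.5")],
    "macs": [("xx:xx:xx:xx:xx:xx", "upstream.2")],
    "networks": [
        ("network.1", "upstream.3"),   # VLAN 11 -> its own upstream
        ("network.2", "upstream.4"),   # VLAN 12 -> a different upstream
        ("network.0", "upstream.0"),   # everything else local -> firewall profile
    ],
}


def _normalize(qname: str) -> str:
    return qname.lower().rstrip(".")


def match_rule(qname: str) -> Optional[str]:
    """Domain rules: first glob that matches wins. Note '*.my.home.arpa'
    matches subdomains only, not the apex 'my.home.arpa'."""
    name = _normalize(qname)
    for pattern, upstream in POLICY["rules"]:
        if fnmatch(name, pattern.lower()):
            return upstream
    return None


def match_mac(mac: Optional[str]) -> Optional[str]:
    """Per-device profile keyed on the client's MAC (case-insensitive)."""
    if mac is None:
        return None
    for policy_mac, upstream in POLICY["macs"]:
        if policy_mac.lower() == mac.lower():
            return upstream
    return None


def match_network(client_ip: str) -> Optional[str]:
    """Longest-prefix match over every CIDR of every policy network, so a
    /24 VLAN entry beats the enclosing 10.11.0.0/16 'Local LANs' entry."""
    addr = ipaddress.ip_address(client_ip)
    best = None  # (prefixlen, upstream)
    for net_id, upstream in POLICY["networks"]:
        for cidr in NETWORKS[net_id]:
            net = ipaddress.ip_network(cidr)
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, upstream)
    return best[1] if best else None


def select_upstream(qname: str, client_ip: str, client_mac: Optional[str] = None) -> Optional[str]:
    """Upstream id for one query, or None when nothing matches (a listener
    with restricted = true would refuse such a client rather than forward)."""
    return match_rule(qname) or match_mac(client_mac) or match_network(client_ip)


def route_queries(queries):
    """Evaluate a batch of (qname, client_ip, client_mac) tuples."""
    return [(q, ip, select_upstream(q, ip, mac)) for q, ip, mac in queries]


if __name__ == "__main__":
    sample = [  # constructed client traffic
        ("nas.my.home.arpa.", "10.11.11.20", None),
        ("example.com", "10.11.11.20", None),
        ("example.com", "10.11.12.20", None),
        ("example.com", "192.168.169.10", None),
        ("example.com", "192.168.169.10", "xx:xx:xx:xx:xx:xx"),
        ("example.com", "203.0.113.5", None),
    ]
    for qname, ip, upstream in route_queries(sample):
        print(f"{ip:16} {qname:22} -> {upstream}")
```

The point of the model is the OP's question: a name under the internal domain goes to the local Unbound no matter which VLAN asked, while any other name is forwarded to the upstream chosen by the client's subnet (or by its MAC, when a device has its own profile). Whether Unbound stays enabled in this setup depends on which port it listens on, since ctrld in the quoted config takes port 53 and reaches Unbound on 127.0.0.1:10053.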
#5
Thanks everyone for the responses, but do you guys know any way to do the same thing in OpnSense alone?
#6
General Discussion / Re: OpnSense per VLAN NextDNS setup
February 25, 2025, 05:23:59 PM
I mean, I suppose this could be a discussion thread on any service that has profiles and separate DNS addresses once they're set up. NextDNS just happens to be the one I'm using.
#7
General Discussion / Re: OpnSense per VLAN NextDNS setup
February 06, 2025, 06:00:46 PM
Mainly, what I'd like to do is have each VLAN have its own set of DNS servers it goes to, should the local Unbound server not be able to resolve it. I have some local servers that have proper URLs that I'd like to be able to access, and I have their overrides in Unbound, but if that doesn't go to anything local, then go to NextDNS and get the URL, depending on the VLAN the traffic originates from.

Hope this all makes sense, and thanks again
#8
General Discussion / OpnSense per VLAN NextDNS setup
February 05, 2025, 04:10:10 PM
Hi all,

I was curious, for those of you using NextDNS or something similar out there. I have a couple of different profiles set up in NextDNS and was wondering how I can apply each of those profiles to different VLANs on my networks?

Any help would be much appreciated.
#9
Tutorials and FAQs / Re: ACME sftp automation
May 12, 2023, 10:03:13 PM
If there are any errors, do you know where you can find the logs for the automations?
#10
22.7 Legacy Series / Re: One VLAN not working
October 13, 2022, 08:51:01 PM
So, I thought the error might've been fixed, but apparently, even though I'm able to ping my Proxmox server's IP, it's still not grabbing from the IP range in 13.0.0.0/16.

Are there any other things I could be missing, and what can I present to help you see what's up?
#11
22.7 Legacy Series / Re: One VLAN not working
October 07, 2022, 07:15:26 PM
Actually, I figured it out, VLAN 13 wasn't connected to Port 8 (the port connected to the router).

Once I did that, then addresses could be pulled.

The image below shows the VLAN not added to my port 8, which is causing the problems.

#12
22.7 Legacy Series / One VLAN not working
September 27, 2022, 09:21:05 PM
So, I've got some VLANs on my router

11 = IoT
12 = Kids network
13 = Servers

They are all set up in the same way (in the VLANs section of Interfaces), and all of them have the LAN as a parent. Outside of firewall rules, they all work except for the server one. They all have a default allow out rule at the end. The layout is the picture below.

However, anything connecting to the Servers VLAN refuses to connect, what could be wrong?
#13
Alrighty, both of those suggestions made it work.

So, for anyone else:

  • Set up SSH keys properly (with your ssh-agent too)
  • Make sure it works on GitHub
  • Create a new repo (don't add or commit anything)
  • The URL should be ssh://github.com/[username]/[repo].git
  • The branch should be whichever one is set up (most likely master)
  • Paste your SSH key
  • Set username to 'git'
  • Success! :-D
#14
Yes, I do have the ssh key added, and it does work for other repos.

Just not the new one I set up for the configs, but at least I remember creating new ones for each of my projects and not coming across this yet.

I'll have to check and see if something's different on the others.
#15
Took out the password, same result