22.1 Legacy Series / Unbound DNS and separate zone for VLAN/LAN
« on: April 11, 2022, 03:03:46 am »
I haven't had any luck finding an answer to this, but I may know what the answer is.
I have OPNsense configured with a VLAN. Unbound listens on my LAN interface and on the VLAN. They are configured on different "local domains", i.e. lan1.lan and lan2.lan. LAN can talk to VLAN, but VLAN can't talk to LAN (blocked in the firewall). Think of it as a guest network that my main network can talk to, but it can't talk to the main network.
I have Unbound configured to register DHCP static mappings and DHCP leases. Everything is working well, and hosts on the main LAN are assigned a lan1.lan record, and hosts on the VLAN are assigned a lan2.lan record (in DNS). What I'm trying to do is block the VLAN and Unbound from resolving hosts on the main LAN network. For instance, on the VLAN, a DNS query for a system on the main LAN (lan1.lan) should not resolve. It looks as if Unbound uses a single zone for all records (my main LAN hosts/PTRs and VLAN hosts/PTRs are part of the same zone). I want to prevent hosts on the VLAN from being able to successfully resolve hosts/IPs on the main LAN. The firewall will prevent any communication to the hosts directly anyhow, but I'd also like to prevent resolution at the DNS level.
Is this possible with the Unbound included with OPNsense? I've searched everywhere for an answer, but I don't see an option to split the lan1.lan and lan2.lan zones so that lan2.lan cannot resolve names on lan1.lan. I'm thinking that perhaps I could bind Unbound to LAN and dnsmasq to the VLAN, but I'd prefer to stick with a single DNS resolver if possible, and this doesn't solve the problem if I add more VLANs down the road, either. Any help or insight is greatly appreciated.
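One way to get the per-network split the post asks about, as an added example rather than anything from the post or from the OPNsense project: Unbound's own `view:` mechanism. A view is selected per client source address with `access-control-view`, and inside the view a `local-zone` of type `always_refuse` overrides the global zone that OPNsense fills with the DHCP-registered records. The addressing (192.168.1.0/24 for lan1.lan, 192.168.2.0/24 for lan2.lan), the view name and the reverse zone are assumptions; the snippet directory `/usr/local/etc/unbound.opnsense.d/` is also assumed and should be checked against your OPNsense version.

```conf
# Added example (not from the post or OPNsense): per-client Unbound views.
# Assumed addressing: LAN 192.168.1.0/24 = lan1.lan, VLAN 192.168.2.0/24 = lan2.lan.
# Assumed location on OPNsense: a custom snippet file such as
#   /usr/local/etc/unbound.opnsense.d/guest-view.conf
# (verify that your version reads custom Unbound config from that directory).

server:
    # Clients sending from the guest VLAN subnet get the "guest" view.
    # Everyone else keeps the default (global) configuration, so hosts on
    # the main LAN still resolve both lan1.lan and lan2.lan.
    access-control-view: 192.168.2.0/24 guest

view:
    name: "guest"
    # Fall through to the global local-zone/local-data (where OPNsense
    # registers the DHCP hosts) for anything this view does not match itself,
    # so lan2.lan and the VLAN's own reverse zone keep working for guests.
    view-first: yes
    # Forward zone of the main LAN: answer REFUSED and ignore any local-data,
    # so DHCP-registered lan1.lan names never leak to guest clients.
    local-zone: "lan1.lan." always_refuse
    # Reverse zone of the main LAN subnet, so PTR lookups for 192.168.1.x
    # are refused as well.
    local-zone: "1.168.192.in-addr.arpa." always_refuse
```

After restarting Unbound, check the split from both sides: from a VLAN host, `dig @192.168.2.1 somehost.lan1.lan` (gateway address assumed) should come back with `status: REFUSED` while `dig @192.168.2.1 somehost.lan2.lan` still answers; from a LAN host both names resolve as before. Each additional VLAN gets its own `access-control-view` line and `view:` block, so the approach keeps a single resolver. This is a convenience layer only: the firewall rule blocking VLAN-to-LAN traffic remains the actual control, and a guest that points at a public resolver simply gets no answer for a private zone like lan1.lan.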