Messages - LemurTech

#1
I'm running OPNsense 26.1.1 with:
  • Unbound as the main DNS resolver (full recursion)
  • Dnsmasq for DHCP for two VLANs (1 and 12); DNS listening on port 53053
  • Windows AD domain: sarangan.lan (VLAN 1, AD DNS forwards to Unbound)

Internal DNS domains
  • sarangan.lan - Windows domain, VLAN 1
  • iot.lan - IoT devices, VLAN 12 - pointed to Unbound
  • infra.lan - APs, switches in both VLANs - pointed to Unbound

Architecture
  • VLAN 1 domain clients use AD DNS
  • DCs forward all non-AD queries to Unbound (192.168.2.1)
  • Unbound does full recursion for public domains
  • Domain Override in Unbound: iot.lan -> 127.0.0.1:53053 so Unbound forwards iot.lan to Dnsmasq
  • Dnsmasq has DHCP reservations with hostnames under iot.lan

Behavior
With DNSSEC disabled in Unbound, everything works:
  • somedevice.iot.lan resolves (from VLAN 1 or from OPNsense)
  • DCs forward iot.lan queries properly
  • Unbound forwards to Dnsmasq correctly

If I enable DNSSEC, resolution for iot.lan starts failing within 30 seconds:
  • Queries return NXDOMAIN
  • Disabling DNSSEC immediately fixes it

Example (works, then stops working):

root@fw01:~ # nslookup emporia.iot.lan 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   emporia.iot.lan
Address: 192.168.12.86

root@fw01:~ # nslookup emporia.iot.lan 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find emporia.iot.lan: NXDOMAIN

I've tried:

  • Adding iot.lan, infra.lan, and sarangan.lan to Insecure Domains (these seem to be added automatically in the config when forwarding to Dnsmasq is configured, but I added them anyways).
  • Disabling Strict QNAME Minimisation
  • Disabling DNSSEC hardening
  • Clearing caches
  • Restarting services

The issue persists as long as DNSSEC is enabled.

I have been all over the interwebs and have had long discussions with the AI oracles. Is it expected behavior that Unbound DNSSEC validation conflicts with forwarding a private, non-delegated TLD like .lan to Dnsmasq?
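To narrow down which component is producing that NXDOMAIN, here is an added diagnostic (not from the post, and not part of OPNsense, Unbound or Dnsmasq): it sends raw UDP queries to Unbound on 127.0.0.1:53 with and without the CD (checking disabled) bit, and to Dnsmasq directly on 127.0.0.1:53053, using only the Python standard library. The three-way classification at the end is my own rule of thumb: if CD=1 makes the name resolve, the validator is rejecting it; if the NXDOMAIN survives CD=1, it is coming from Unbound's cache or forwarding path rather than from validation.

```python
import socket
import struct

def build_query(name, do=False, cd=False, txid=0x1234):
    """Build a DNS A query; DO (EDNS0) asks for DNSSEC data, CD skips validation."""
    flags = 0x0100 | (0x0010 if cd else 0)          # RD, plus CD when requested
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if do:
        # OPT RR: root name, type 41, UDP size 4096, ext-rcode/version 0, DO bit, no rdata
        packet += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return packet

def parse_flags(response):
    """Pull RCODE, AA, AD and ANCOUNT out of a raw DNS response header."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {"rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "ad": bool(flags & 0x0020), "ancount": ancount}

def probe(name, server, port=53, do=False, cd=False, timeout=2.0):
    """Send one UDP query and return the parsed response header."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, do=do, cd=cd), (server, port))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_flags(data)

def classify(unbound, unbound_cd, dnsmasq):
    """Interpret the three probes for one name (rcode 0 = NOERROR, 3 = NXDOMAIN)."""
    if dnsmasq["rcode"] != 0:
        return "dnsmasq"            # Dnsmasq itself has no answer: check the lease/host entry
    if unbound["rcode"] == 3 and unbound_cd["rcode"] == 0:
        return "validator"          # CD=1 makes it work: the validator produces the NXDOMAIN
    if unbound["rcode"] == 3:
        return "cache-or-forward"   # NXDOMAIN survives CD=1: cache/forwarding, not validation
    return "ok"

if __name__ == "__main__":
    # Addresses and ports as given in the post; the hostname is the one from the nslookup output
    name = "emporia.iot.lan"
    u = probe(name, "127.0.0.1", 53, do=True)
    u_cd = probe(name, "127.0.0.1", 53, do=True, cd=True)
    d = probe(name, "127.0.0.1", 53053)
    print(u, u_cd, d, "->", classify(u, u_cd, d))
```

Run it on the firewall itself, once right after a cache flush and again after the 30-second window, and compare the two classifications.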
#2
Hi Kosta! Just wanted to let you know that I am in a very similar place as you were last year: coming from Sophos UTM, consistently exceeding the 50-IP limit with all my IoT devices, with a site-to-site IPsec VPN with another UTM at the office, Let's Encrypt, a number of WAF/Web Protection rules, and a home lab vSphere infrastructure.

I now have OPNsense set up behind my UTM, and am double-NATing my VLAN of IoT devices to hide them from Sophos. So I no longer have the IP problem, per se. But I eventually would like to just move completely to OPNsense. How has the transition gone for you? I wonder if you have any links/pointers/gotchas to share around setting up the VPN and the WAF. I hope it's worked out for you!