23.1 Legacy Series / DNS query through Wireguard site-to-site tunnel
« on: May 11, 2023, 11:01:51 am »
I have been running opnsense for more than a year, and I have enjoyed it very much. I'd like to start off by thanking the superb opnsense team.
I run two sites, both with opnsense as firewall, and unbound as DNS.
Unbound in siteA would contain DNS records for all the internal servers in siteA. The setup in siteB is identical.
Both sites do not have a static IP, and I've set up DDNS for both siteA.example.com and siteB.example.com.
Now I'm setting up a wireguard site-to-site tunnel between the two sites.
From siteA, I'd like to query unbound in siteB if (and only if) I'm looking for subdomains (e.g. server.siteB.example.com) in siteB.
I understand that I can do a domain override in unbound in siteA by adding an entry for siteB.example.com with the IP address for unbound in siteB. Since I don't have a static IP, I can only add the wireguard private static IP for siteB there.
This works fine as long as the WireGuard tunnel is connected between the two sites. However, if the tunnel is disconnected, I have problems reconnecting the WireGuard tunnel, because siteA would search for the IP address of siteB.example.com using the private DNS in siteB, which is now unavailable.
This would be solved if only subdomains of siteB.example.com were overridden, but not siteB.example.com itself.
But it seems there is no way to domain override using a wildcard *.siteB.example.com in unbound.
May I ask what's the proper way to address this problem? Thank you.
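The matching rule the post is asking for (forward names under siteB.example.com to the resolver on the WireGuard side, but never the apex itself, because that is the DDNS name the tunnel endpoint is reached by) can be stated precisely. The following is an added illustration written for this page, not Unbound configuration and not code from the original post or from OPNsense: it models both the behaviour of a plain domain override (apex included, as described in the post) and the subdomain-only variant, and includes the sanity check a practitioner would want, namely that the peer endpoint hostname is never resolved through the tunnel it is used to bring up. The resolver addresses and hostnames are assumed values.

```python
"""Split-horizon resolver selection for a WireGuard site-to-site setup.

Constructed illustration (not Unbound code, not from the original post):
queries for names *under* siteB.example.com go to the resolver on the
WireGuard side of site B; the apex siteB.example.com (the DDNS name of
site B's public endpoint) and everything else go to the public resolver,
so the tunnel can be re-established even when it is down.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed values: the WireGuard-side address of site B's Unbound and the
# upstream resolver site A uses for everything else.
TUNNEL_RESOLVER = "10.200.0.2"   # assumed WireGuard address of siteB's Unbound
PUBLIC_RESOLVER = "9.9.9.9"      # assumed public upstream


@dataclass(frozen=True)
class Override:
    zone: str                    # e.g. "siteB.example.com"
    resolver: str                # address queries in this zone are sent to
    include_apex: bool = False   # True models a plain domain override (apex included)


def _labels(name: str) -> list:
    """Lower-cased DNS labels, ignoring a trailing dot and empty labels."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def is_subdomain(name: str, zone: str, include_apex: bool) -> bool:
    """Label-wise suffix match.

    Comparing labels rather than string suffixes matters: a plain
    endswith() would let 'evilsiteB.example.com' match 'siteB.example.com'.
    """
    n, z = _labels(name), _labels(zone)
    if len(n) < len(z) or n[len(n) - len(z):] != z:
        return False
    if len(n) == len(z):         # exactly the apex
        return include_apex
    return True                  # a name strictly below the zone


def pick_resolver(name: str, overrides: list, default: str = PUBLIC_RESOLVER) -> str:
    """Choose the resolver for a query name.

    The most specific (longest) matching zone wins; this mirrors how nested
    forward zones are resolved in most resolvers.
    """
    best: Optional[Override] = None
    for o in overrides:
        if is_subdomain(name, o.zone, o.include_apex):
            if best is None or len(_labels(o.zone)) > len(_labels(best.zone)):
                best = o
    return best.resolver if best else default


def check_endpoint_not_tunnelled(endpoint_host: str, overrides: list) -> bool:
    """Sanity check for the failure mode in the post: the WireGuard peer's
    endpoint hostname must never be resolved through the tunnel itself."""
    return pick_resolver(endpoint_host, overrides) != TUNNEL_RESOLVER


if __name__ == "__main__":
    # Plain domain override as described in the post: apex is tunnelled too,
    # so a downed tunnel cannot be re-established from the DDNS name.
    plain = [Override("siteB.example.com", TUNNEL_RESOLVER, include_apex=True)]
    print("plain override, endpoint safe:", check_endpoint_not_tunnelled("siteB.example.com", plain))

    # Subdomain-only override: hosts go through the tunnel, the apex does not.
    sub_only = [Override("siteB.example.com", TUNNEL_RESOLVER)]
    for q in ("server.siteB.example.com", "siteB.example.com", "evilsiteB.example.com"):
        print(f"{q:28} -> {pick_resolver(q, sub_only)}")
    print("subdomain-only override, endpoint safe:", check_endpoint_not_tunnelled("siteB.example.com", sub_only))
```

With `include_apex=True` the check fails, reproducing the reconnect problem; with the subdomain-only rule the apex falls through to the public resolver while `server.siteB.example.com` still goes to the site B resolver. Whatever resolver implements the policy, the label-boundary comparison is the part worth keeping: a string suffix match would also divert unrelated names ending in the same characters.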