Messages - ivarh

#1
25.1, 25.4 Production Series / Re: Unbound problem
February 17, 2025, 12:24:18 PM
Sadly none of those (different) options allowed other DNS records than A and AAAA for an override host to bleed through :(

/var
#2
25.1, 25.4 Production Series / Unbound problem
February 15, 2025, 02:17:04 PM
I have a webserver on my LAN that I use a host override in Unbound for, to resolve it to the internal IP address from my LAN. The DNS zone has the hostname pointing to my public IP with a NAT forward. This works well. However, it appears that when you use a host override it masks any other DNS records for that hostname. I use DNSSEC to sign my zone, and this allows me to include SSHFP records for my hosts that run SSH servers. It contains the host SSH key, and this allows ssh to skip the question about saving the SSH host key on the first attempt at connecting to the SSH server. But when I use the host override, the SSHFP DNS records for the host are not passed through Unbound.

example:
ivar@Neptun ~ % dig sshfp webby.webhotel.au

; <<>> DiG 9.10.6 <<>> sshfp webby.webhotel.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38484
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;webby.webhotel.au. IN SSHFP

;; Query time: 6 msec
;; SERVER: 2403:5806:f52c:1::1#53(2403:5806:f52c:1::1)
;; WHEN: Sun Feb 16 00:12:24 AEDT 2025
;; MSG SIZE  rcvd: 46

ivar@Neptun ~ % dig @1.1.1.1 sshfp webby.webhotel.au

; <<>> DiG 9.10.6 <<>> @1.1.1.1 sshfp webby.webhotel.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2693
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;webby.webhotel.au. IN SSHFP

;; ANSWER SECTION:
webby.webhotel.au. 900 IN SSHFP 1 1 534198865C1722360C2DED878B9F0E00CBE27243
webby.webhotel.au. 900 IN SSHFP 1 2 DEB6BB02DDA46CC09D4478896BF2E7E72AFC8454D905764B8520A629 A0BC4382
webby.webhotel.au. 900 IN SSHFP 3 1 2BE2EFA222E832FF12B7DB368C7DFE350A541AF6
webby.webhotel.au. 900 IN SSHFP 3 2 990DD9B3CB4D903F71EB0ECD7717C5AB5C5AC5DE8A16709DC1C21E8C A253734E
webby.webhotel.au. 900 IN SSHFP 4 1 7018BADFAD65C27C4EE0822DA2D8F559737BAB23
webby.webhotel.au. 900 IN SSHFP 4 2 12844754B9CB4E8363AEAA083C119CE76B2CB56DB145764318B14BE9 0DAF7EC5

;; Query time: 54 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Feb 16 00:12:35 AEDT 2025
;; MSG SIZE  rcvd: 286

Is there a way to configure Unbound to only change the DNS records I specify in the overrides section (A and AAAA) and forward a request for any other DNS records for the host to the normal external DNS servers?

/ivar
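What the two dig runs above show: the firewall's Unbound answers the SSHFP query itself (flags carry aa, status NOERROR, ANSWER: 0), which is a NODATA reply served from local data, while 1.1.1.1 returns the six records with the ad flag set. In unbound.conf(5) terms a host override is a local-data entry inside a local-zone, and in a zone of type transparent a name that exists in local data is answered only from local data, so every type the override does not define comes back empty and is never resolved upstream. Unbound's typetransparent zone type answers locally only when the query type matches local data and resolves all other types upstream. The fragment below is an added example in raw Unbound syntax, not a setting from the thread or from OPNsense's own generated configuration; the file path is the usual location for custom Unbound snippets on OPNsense and the two addresses are placeholders for the web server's internal IPs.

```conf
# Added example, not from the thread. Raw unbound.conf(5) syntax; the path
# is where OPNsense picks up custom Unbound snippets, and the addresses are
# placeholders for the web server's internal IPv4 and IPv6.
# /usr/local/etc/unbound.opnsense.d/override-types.conf
server:
  # What a host override amounts to: the name becomes local data.
  local-data: "webby.webhotel.au. IN A 192.0.2.10"
  local-data: "webby.webhotel.au. IN AAAA 2001:db8:1::10"

  # Weak: in a "transparent" zone a name present in local data is answered
  # from local data only. SSHFP, TXT or MX lookups for it get an empty
  # NOERROR (the aa flag, ANSWER: 0 reply in the first dig above) and are
  # never sent upstream.
  # local-zone: "webhotel.au." transparent

  # Corrected: answer locally only for types the local data actually has,
  # and resolve every other type upstream as if the override were absent.
  local-zone: "webhotel.au." typetransparent
```

If the generated configuration already declares a local-zone for that domain, change the type there (Services: Unbound DNS: General has a Local Zone Type selector) instead of adding a second local-zone line for the same name, because Unbound treats a duplicate local-zone as a configuration error. Check the result with `dig +dnssec sshfp webby.webhotel.au` against the firewall: the six records should come back, and with DNSSEC validation enabled in Unbound the ad flag should be set, which is what ssh needs before it trusts an SSHFP match. The later reply in this thread reports that the options tried did not make other record types come through in the author's setup, so verify with dig rather than assuming the zone type alone settles it.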
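The SSHFP records in the 1.1.1.1 answer above carry a hash of the host's public key blob (algorithm 1 RSA, 3 ECDSA, 4 Ed25519; fingerprint type 1 SHA-1, 2 SHA-256), and ssh with VerifyHostKeyDNS compares that hash against the key the server presents, trusting the match only when the resolver reports the answer as DNSSEC-validated. The script below is an added example, not code from the thread, OpenSSH or OPNsense: it produces the same records as `ssh-keygen -r`, parses SSHFP lines the way dig prints them (dig wraps long hex data with a space, as in the answer section above), and performs the comparison. The host key is a constructed 32-byte placeholder wrapped in the OpenSSH wire format, not a real key.

```python
import base64
import hashlib

# Added example, not code from the thread. Builds and checks SSHFP records
# (RFC 4255, RFC 6594, RFC 7479): the record carries a hash of the host
# public key blob, not the key itself. Key material below is constructed.

# SSHFP algorithm numbers by OpenSSH key type.
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length + bytes."""
    return len(data).to_bytes(4, "big") + data


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line into (key type, decoded key blob).

    The blob is what ssh-keygen -r hashes; its first field repeats the key
    type, which is checked so a pasted key of the wrong type is rejected.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key blob does not match declared type")
    if keytype not in SSHFP_ALGO:
        raise ValueError(f"no SSHFP algorithm number for {keytype}")
    return keytype, blob


def sshfp_records(hostname: str, pubkey_line: str) -> list[str]:
    """Zone-file lines equivalent to ssh-keygen -r <hostname>."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    algo = SSHFP_ALGO[keytype]
    return [
        f"{hostname}. IN SSHFP {algo} {fptype} {h(blob).hexdigest().upper()}"
        for fptype, h in SSHFP_HASH.items()
    ]


def parse_sshfp_rr(text: str) -> tuple[int, int, str]:
    """Parse one SSHFP record as printed by dig. dig wraps long hex data
    with a space, so everything after the type field is joined."""
    fields = text.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), "".join(fields[i + 3:]).upper()


def host_key_matches(pubkey_line: str, records) -> bool:
    """True if any (algo, fptype, hex) record fingerprints this key.

    This is the comparison ssh makes for VerifyHostKeyDNS; ssh additionally
    requires the DNS answer to be DNSSEC-validated before trusting a match.
    """
    keytype, blob = parse_pubkey_line(pubkey_line)
    algo = SSHFP_ALGO[keytype]
    for rr_algo, fptype, fp in records:
        if rr_algo != algo or fptype not in SSHFP_HASH:
            continue
        if SSHFP_HASH[fptype](blob).hexdigest().upper() == fp.upper():
            return True
    return False


# Constructed Ed25519 host key: a 32-byte placeholder instead of a real
# public key, wrapped in the OpenSSH wire format so the parser accepts it.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " root@webby"

if __name__ == "__main__":
    zone_lines = sshfp_records("webby.webhotel.au", SAMPLE_PUBKEY)
    for rr in zone_lines:
        print(rr)
    published = [parse_sshfp_rr(r) for r in zone_lines]
    print("match:", host_key_matches(SAMPLE_PUBKEY, published))
```

On a real host, feed it the contents of /etc/ssh/ssh_host_ed25519_key.pub and compare the output with `ssh-keygen -r webby.webhotel.au`; the SHA-1 records exist for old clients only, so publishing just the type 2 lines is reasonable.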
#3
24.7, 24.10 Legacy Series / Strange acme plugin problem
November 16, 2024, 01:16:31 PM
I am running the latest version of OPNsense, 24.7.8, with the latest ACME client installed.

When I create a new certificate it shows up in the system's trust store. However, if I try to download the certificate or press the info icon nothing happens. (When trying to download I get asked what format and password I want to use, but nothing downloads.)

If I reboot the OPNsense box, then the certificate works when pressing the information or download icon.

I have tried to restart the web UI, but that does not help. The only way I can download the certificate is to reboot the firewall.

Has anyone else seen this and know how to resolve the problem?
#4
Thanks, I found it under:
Settings -> Firmware -> Status

Thanks again all for the help.

Regards,
Ivarh
#5
Just upgraded to 24.1 and now WireGuard no longer uses a tun device. However, I now have an item in my plugin list that I can't delete that says: os-wireguard-go (missing)   N/A   N/A   N/A   N/A   N/A.

Is there a way to remove this expired entry from the plugin list?
#6
I was able to resolve the issue by editing the config.xml file to change <vpnid>1</vpnid> to <vpnid>3</vpnid>
under the section labelled
<openvpn>
     <openvpn-server>

I think there might be a bug in OPNsense if you mix WireGuard and OpenVPN on the same firewall.
#7
I have a 3-instance WireGuard setup that is using /dev/tun{0,1,2}, and they are working fine.

I am trying to set up an OpenVPN server in addition to these, but it seems to allocate /dev/tun1 to use as the tunnel device.

The error logged is: Cannot open TUN/TAP dev /dev/tun1: Device busy (errno=16)

I see no way I can override the tun device selected.

Does anyone know how to resolve this?
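The two posts above (the question here and the resolution in #6) amount to: the legacy OpenVPN server takes its tunnel number from the vpnid in config.xml, so a vpnid that equals a tun device another daemon already holds fails with "Device busy", and moving the vpnid to a free number fixes it. The script below is an added example, not the poster's file and not OPNsense code; it generalises that hand edit by reading the tun numbers in use, finding every openvpn-server whose vpnid collides, and moving each to the lowest number that is neither busy nor already assigned. The config.xml excerpt and the /dev listing are constructed, and the mapping "vpnid N opens /dev/tunN" is taken from the two posts rather than from OPNsense documentation.

```python
import xml.etree.ElementTree as ET

# Added example, not the poster's file or OPNsense code. Generalises the
# workaround from the thread: find OpenVPN server entries whose vpnid
# collides with a tunnel number something else already holds and move them
# to the lowest free number. Assumption taken from the thread: a legacy
# OpenVPN server with vpnid N opens /dev/tunN.

# Constructed config.xml excerpt shaped like the section the post edits.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <description>road warriors</description>
    </openvpn-server>
    <openvpn-server>
      <vpnid>4</vpnid>
      <description>site to site</description>
    </openvpn-server>
  </openvpn>
</opnsense>
"""


def tun_numbers_in_use(dev_listing: str) -> set[int]:
    """Tunnel numbers from an `ls /dev` style listing (constructed input
    here); the thread's case is tun0, tun1, tun2 held by wireguard-go."""
    out = set()
    for name in dev_listing.split():
        if name.startswith("tun") and name[3:].isdigit():
            out.add(int(name[3:]))
    return out


def renumber_conflicts(xml_text: str, busy: set[int]):
    """Return (new xml, [(old, new), ...]) with colliding vpnids moved.

    Numbers are chosen from 1 upward, skipping both the busy tunnels and
    every vpnid already present so two servers never end up on one device.
    """
    root = ET.fromstring(xml_text)
    servers = [s for s in root.iter("openvpn-server") if s.find("vpnid") is not None]
    taken = set(busy) | {int(s.findtext("vpnid")) for s in servers}
    changes = []
    for srv in servers:
        el = srv.find("vpnid")
        old = int(el.text)
        if old not in busy:
            continue
        new = 1
        while new in taken:
            new += 1
        el.text = str(new)
        taken.add(new)
        changes.append((old, new))
    # ET.tostring drops the XML declaration; on a real file, back up
    # config.xml first and write with
    # ET.ElementTree(root).write(path, xml_declaration=True).
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    busy = tun_numbers_in_use("tun0 tun1 tun2 null zero")
    new_xml, changes = renumber_conflicts(SAMPLE_CONFIG, busy)
    print(changes)          # [(1, 3)] for the constructed input
```

With tun0 to tun2 busy and servers on vpnid 1 and 4, only the first server moves, and it lands on 3, the same number the poster chose by hand in #6; 4 stays as it is because it is neither busy nor duplicated.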
#8
23.7 Legacy Series / Advanced dns setup and redirection
January 08, 2024, 11:05:50 AM
I am trying to redirect all local DNS requests destined for the internet to the Unbound resolver running on the OPNsense firewall. This works great. However, I have a local DNS server that needs to be able to talk to 3 external DNS servers.

It is running as a hidden primary nameserver for several domains that are all signed with DNSSEC, and the DNSSEC keys are stored on this server. It pushes its signed zone files to 3 external nameservers that are seen as the official nameservers for those domains. This is so that if any of them are compromised, the DNSSEC keys are not compromised, since they are not stored on any of those nameservers.

Here is a badly drawn map of my setup:

I am looking to set up rules so that when LAN IP1 connects to ext IP1, 2 or 3 it does not get redirected to the local Unbound instance but is let through as if the DNS redirection were not there. I have not been able to make this part of the setup work. I have a port forwarding rule in the NAT subsection allowing ext IP1, 2 and 3 to be forwarded to LAN IP1.

Also, I have been unable to set up redirection of IPv6 DNS requests to the local Unbound resolver.
I have tried using the same rule as for IPv4, changing the redirect IP to ::1.

Here are my port forwarding rules (disabled to make the external nameservers reachable):

I am grateful for any assistance
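The piece the setup above is missing is an exception that is evaluated before the catch-all redirect. pf applies the first translation rule that matches, and a "no rdr" rule matches without translating, so a "no rdr" line for the hidden primary talking to the three external nameservers, placed above the redirect, lets that traffic through untouched; in the OPNsense port-forward form that is a rule with "No RDR (NOT)" ticked, source LAN IP1, destination ext IP1-3, port 53, sitting above the catch-all. The fragment below is an added example in raw pf(4) syntax, not the poster's rules and not what OPNsense generates; igb1, the documentation-range addresses and the firewall's LAN IPv6 address are placeholders. For IPv6 it redirects to an address the firewall owns on the LAN rather than ::1, which the post reports did not work when substituted into the IPv4 rule; Unbound has to be listening on that address.

```pf
# Added example in raw pf(4) syntax, not the rules from the post. Interface
# and addresses are placeholders: igb1 is the LAN, 192.0.2.10 stands in for
# "lan ip1" (the hidden primary), 198.51.100.1-3 for "ext ip1,2,3", and
# 2001:db8:1::1 for the firewall's own LAN IPv6 address.
lan_if         = "igb1"
hidden_primary = "192.0.2.10"
ext_ns         = "{ 198.51.100.1, 198.51.100.2, 198.51.100.3 }"
resolver6      = "2001:db8:1::1"

# pf takes the first matching translation rule, so the exception has to
# come before the catch-all. "no rdr" means: match, but do not translate.
no rdr on $lan_if inet proto { tcp, udp } from $hidden_primary to $ext_ns port 53

# Everything else from the LAN that asks any host on port 53 lands on the
# local Unbound instead. IPv6 goes to the firewall's LAN address.
rdr on $lan_if inet  proto { tcp, udp } from $lan_if:network to any port 53 -> 127.0.0.1 port 53
rdr on $lan_if inet6 proto { tcp, udp } from $lan_if:network to any port 53 -> $resolver6 port 53

# Translation does not imply permission: the redirected packets still need
# a pass rule on the LAN interface (the OPNsense port-forward form adds one
# for you by default).
pass in quick on $lan_if proto { tcp, udp } from $lan_if:network to { 127.0.0.1, $resolver6 } port 53
```

Two checks after enabling the rules: from the hidden primary, `dig +norecurse @198.51.100.1 soa <one of your zones>` should be answered by the external server itself (its aa flag set, not the firewall's resolver), and from any other LAN host `dig @1.1.1.1 example.com` should come back from the firewall's Unbound even though 1.1.1.1 was asked, for both A over IPv4 and AAAA over IPv6. Zone transfers and NOTIFY messages to the three external servers also use port 53, so the single exception covers the hidden-primary traffic in both directions of the push.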