Messages - c90k

#1
Ok, I see.
Can I not filter this behavior on the OPNsense/Unbound side?
And is it certain that the client asks for the full "false" domain name? Or does it send an incomplete request which is completed by Unbound?

Regards, Christoph
 
#2
Hi everyone,

I recently ran into a strange issue where some devices in my network were unable to use certain apps (in particular, Android-based POS devices). After some troubleshooting, I checked the Unbound DNS logs on my OPNsense firewall and noticed that in several cases, the local domain was being appended to external FQDNs.

Here is an example:

Time                  Domain                           Action   Source      Return Code   Resolve time   TTL
2025-07-09 12:59:55   api.sunmi.com.                   Pass     Cache       NOERROR       0ms            27
2025-07-09 12:59:50   api.sunmi.com.                   Pass     Recursion   NOERROR       394ms          32
2025-07-09 12:58:45   api.sunmi.com.                   Pass     Recursion   NOERROR       15ms           50
2025-07-09 12:58:45   api.sunmi.com.domainname.local.  Pass     Recursion   NXDOMAIN      14ms           85

Or, attached, you can find a screenshot.

As you can see, the query api.sunmi.com resolves correctly. However, there's also a request for api.sunmi.com.domainname.local, which fails with NXDOMAIN. This seems to be causing issues with app connectivity and delays.
Now I'm wondering:
Is this a client-side issue, or is Unbound responsible for appending the local domain?
For years I've used domainname.at as the system domain under System > Settings > General. Recently I changed it to domainname.local for testing, but the behavior still occurs.
If anyone has seen this before or knows how to prevent Unbound from appending the local domain to fully qualified hostnames, I'd really appreciate your input.
Let me know if you need more details!

Thanks, Chris
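Search suffixes are added by the client's stub resolver, not by a recursive resolver such as Unbound: the stub builds the names it sends from the configured search list and the ndots threshold, so a query for api.sunmi.com.domainname.local can originate on the client unchanged by the firewall. The script below is an added example and is not part of this thread or of the OPNsense/Unbound projects. It models glibc-style search-list expansion (Android and other stubs apply their own rules, so the model is an assumption about one client family, not about the POS devices in the post) and scans constructed Unbound log rows, laid out like the excerpt above, for NXDOMAIN answers that look like an external FQDN with the local domain appended.

```python
"""Search-list expansion and Unbound log scan for suffix-appended lookups.

Added example, not from the forum thread or the OPNsense/Unbound projects.
The log rows below are constructed to match the column layout shown in
the post; the search-list model follows glibc's resolv.conf semantics
(ndots rule), which not every client stub resolver shares.
"""
import re
from typing import Dict, List, Tuple


def search_candidates(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Return the query names a glibc-style stub resolver tries for `name`, in order.

    The resolver stops at the first positive answer, so a later entry is only
    sent when the earlier ones came back negative. Rules modelled:
      * trailing dot: absolute name, no search suffixes at all
      * dots >= ndots: bare name first, then each search suffix
      * dots <  ndots: search suffixes first, then the bare name
    """
    if name.endswith("."):
        return [name]
    bare = name + "."
    suffixed = [f"{name}.{suffix.strip('.')}." for suffix in search_list]
    if name.count(".") >= ndots:
        return [bare] + suffixed
    return suffixed + [bare]


# One log row as shown in the OPNsense Unbound DNS reporting view:
# time, domain, action, source, return code, resolve time, TTL.
LOG_ROW = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<qname>\S+)\s+(?P<action>\S+)"
    r"\s+(?P<source>\S+)\s+(?P<rcode>\S+)\s+(?P<rtime>\S+)\s+(?P<ttl>\S+)$"
)


def parse_rows(lines: List[str]) -> List[Dict[str, str]]:
    """Parse whitespace-separated log rows; lines that do not match are skipped."""
    rows = []
    for line in lines:
        m = LOG_ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def find_suffix_appended(rows: List[Dict[str, str]],
                         local_domains: List[str]) -> List[Tuple[str, str, str]]:
    """Flag NXDOMAIN queries of the form <external FQDN>.<local domain>.

    A row is reported only when the base name (the part before the local
    suffix) contains a dot of its own and was itself queried in the same log
    sample. That separates an appended-suffix lookup from a genuine host under
    the local domain (e.g. printer.domainname.local.) or a simple typo.
    Returns (timestamp, full query name, base name) tuples.
    """
    queried = {r["qname"].lower() for r in rows}
    hits = []
    for r in rows:
        qname = r["qname"].lower()
        if r["rcode"] != "NXDOMAIN":
            continue
        for dom in local_domains:
            suffix = "." + dom.strip(".").lower() + "."
            if qname.endswith(suffix):
                base = qname[: -len(suffix)] + "."
                if "." in base[:-1] and base in queried:
                    hits.append((r["ts"], qname, base))
    return hits


# Constructed sample in the post's column layout (not a real capture).
SAMPLE_LOG = """
2025-07-09 12:59:55   api.sunmi.com.                   Pass   Cache       NOERROR    0ms     27
2025-07-09 12:59:50   api.sunmi.com.                   Pass   Recursion   NOERROR    394ms   32
2025-07-09 12:58:45   api.sunmi.com.                   Pass   Recursion   NOERROR    15ms    50
2025-07-09 12:58:45   api.sunmi.com.domainname.local.  Pass   Recursion   NXDOMAIN   14ms    85
2025-07-09 12:58:40   printer.domainname.local.        Pass   Local       NOERROR    0ms     3600
2025-07-09 12:58:39   nosuchhost.domainname.local.     Pass   Local       NXDOMAIN   0ms     3600
""".strip().splitlines()


def scan_sample() -> List[Tuple[str, str, str]]:
    """Run the scan over the constructed sample with the post's local domain."""
    return find_suffix_appended(parse_rows(SAMPLE_LOG), ["domainname.local"])


if __name__ == "__main__":
    print(search_candidates("api.sunmi.com", ["domainname.local"]))
    for ts, qname, base in scan_sample():
        print(f"{ts}: {qname} looks like {base} with the search suffix appended")
```

To reproduce the behaviour from a Linux client rather than from the logs, compare `dig api.sunmi.com` (dig does not apply the search list by default) with `dig +search api.sunmi.com`, which honours the `search` and `ndots` settings from resolv.conf; only the second form can emit the suffixed name.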
#3
Sorry, missed your reply.

I cannot change or view the firewall rule in detail, probably because it was generated via the NAT rule.
But here:

#4
Hi,
That's my config:
1.) VPN --> OpenVPN --> Instances (new)
Bind Address: 127.0.0.1
(First Screenshot)


2.) Firewall: NAT: Port Forwarding
Interface: WAN
TCP/IP v4
UDP
Source: GeoIP_Allow (GeoIP filtering)
Destination: desired WAN IP
Dest. Port: 1198
Dest. IP: 127.0.0.1
(second screenshot)

What am I missing?
#5
Hi Patrick,

Thanks. That was the solution I came across in the meantime.
I thought WAN address would be the single WAN IP and WAN net would be all IPs.

A further question, I don't know if it belongs in this topic:
How can I make an OpenVPN server available only on one desired IP?
I set the bind address to 127.0.0.1 and the NAT rule accordingly, but it's not working.

Regards Chris
#6
Hi There,

We have an ISP connection with multiple WAN IPs.
I set up the main IP years ago and everything worked as expected.
Because we have some services where the same ports need to be open, I thought it would be an idea to manage that using the other WAN IPs.
So I added the 2 virtual IPs.

Now the strange thing: the "old" port forwardings (Firewall -> NAT -> Port Forwarding) are set to "WAN address", but the ports are also open on the virtual IPs.

When I set a new port forwarding with destination "Virtual IP1", for example, the open port is only visible on the virtual IP, as expected.
What setting do I have to use for the "Main WAN IP", or what am I missing here in my configuration?
I want the ports only open on the desired WAN IPs.

Regards, Chris