Messages - cami09

#1
Thanks for your suggestions.

*Regarding DHCP/VLAN:*
I forgot to add one thing - conditional forwarding should be done for specific clients *and* domains.
Hence a DNS server assigned over DHCP, or enforced DNAT of all requests to a DNS server, is not suitable here.

*Regarding external server:*
OPNsense is my main router and a firewall rule is created based on ipsets (using alias with type "External").
So, the DNS resolver needs to reside on the same machine to fill the corresponding BSD `pf` (Packet Filter) table for ipsets.

---

In dnsmasq you can do:
```
server=/example.com/1.1.1.1         # forward domain example.com to 1.1.1.1 DNS
ipset=/example.com/my_whitelist_alias         # whitelisting IPs with firewall rule
```
But this misses forwarding decisions based on the client IP - and dnsmasq can't do that to my knowledge.
After more research: dnsmasq at least seems to be able to forward the original client IP via `--add-subnet=32,128`, which is ECS (https://en.wikipedia.org/wiki/EDNS_Client_Subnet). So it might delegate this job to another resolver like BIND.

1. Is the os-bind (BIND) plugin mature enough and safe to use? I'd prefer not to resort to external plugins where possible - but if that's the way, I am OK with it.
2. Can the BIND plugin configure a view based on the original IP delivered over ECS?
3. Alternatively: any experience with starting a second dnsmasq instance manually? Does the OPNsense UI provide a way to configure CLI startup/boot scripts?
#2
Hi, I have two basic requirements in my home-lab:

1. conditional forwarding of DNS requests to different servers, depending on client IP
2. a firewall rule with a whitelist of IPs whose domains were resolved by my DNS server

Specific clients should be forwarded to different DNS servers, e.g. the one from the VPN (might also be called source-IP-based forwarding of DNS requests).
The firewall rule is usually done via ipsets/nftsets (I've read the implementation on FreeBSD is pf tables).

Some thoughts on possible solutions:
- Unbound can act as a recursive resolver, but supports neither ipset nor source-IP-based forwarding
- dnsmasq supports ipset, but not source-IP-based routing; also it is only a DNS forwarder
- BIND, to my knowledge, supports conditional forwarding by source IP via views, but has no ipset support; also it is only a plugin and not part of core OPNsense

So, what I am doing now is using dnsmasq together with Unbound:
Client -> dnsmasq (forwarder) -> Unbound (rec. res.) -> nameservers (Inet)

I am missing conditional forwarding here. On first sight, we could use BIND:
Client -> dnsmasq (forwarder) -> BIND -> Unbound (rec. res.) -> nameservers (Inet)

But that probably doesn't make so much sense, as BIND gets the source IP from the downstream dnsmasq, not the original client IP.

That leaves one remaining solution: spawn an additional dnsmasq instance for conditional forwarding (given two groups of clients).
Having explored the OPNsense web GUI, it seems I can only have one instance of dnsmasq though.

Hence I am not sure what the best solution is here. Any thoughts?
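The "additional dnsmasq instance" idea from this post, combined with the `server=` lines from the later reply, carried through as an added example. This is not code from the thread or from OPNsense: the addresses, ports, the pf table name `vpn_dns_clients`, the file paths and the `rc.syshook.d` hook directory are all assumptions. The point it shows is that the per-client decision does not have to live inside dnsmasq at all: pf redirects port 53 only for sources in a table, so the second instance only ever sees the "VPN group" and can apply its own per-domain `server=` rules. Filling the External alias table with resolved addresses is not covered here.

```sh
#!/bin/sh
# Added example for the "second dnsmasq instance" approach; not code from the
# thread or from OPNsense. Assumed: all addresses, ports, the pf table name
# vpn_dns_clients, file paths, and the rc.syshook.d location.

VPN_DNS="10.8.0.1"          # resolver reachable only through the VPN tunnel
UNBOUND="127.0.0.1#5335"    # Unbound, assumed moved off port 53
INST2_ADDR="127.0.0.1"      # where the second dnsmasq listens
INST2_PORT=5353
CONF="/usr/local/etc/dnsmasq-vpn.conf"

# Configuration for the second instance. $@ = domains that go to VPN_DNS;
# everything else is forwarded to Unbound. Own port, own pid file, no
# /etc/hosts and no /etc/resolv.conf, so it does not collide with the
# GUI-managed instance on port 53. Because pf only rewrites the destination,
# dnsmasq still sees the real client address, so no ECS is needed here.
gen_dnsmasq_vpn_conf() {
    printf '%s\n' \
        "port=${INST2_PORT}" \
        "listen-address=${INST2_ADDR}" \
        "bind-interfaces" \
        "no-resolv" \
        "no-hosts" \
        "pid-file=/var/run/dnsmasq-vpn.pid" \
        "server=${UNBOUND}"
    for d in "$@"; do
        printf 'server=/%s/%s\n' "$d" "$VPN_DNS"
    done
}

# Source-based steering: only clients in the pf table <vpn_dns_clients> have
# their port-53 traffic redirected to the second instance. In OPNsense this is
# a Firewall > NAT > Port Forward rule with the alias as source; the raw pf
# rule it corresponds to is printed here. $1 = interface name.
gen_pf_rdr_rule() {
    printf 'rdr pass on %s inet proto { tcp, udp } from <vpn_dns_clients> to any port 53 -> %s port %s\n' \
        "$1" "$INST2_ADDR" "$INST2_PORT"
}

# Boot-time start, intended for a script under
# /usr/local/etc/rc.syshook.d/start/ (assumed hook directory). Syntax-checks
# the generated file with --test before starting the daemon. Not run here.
start_dnsmasq_vpn() {
    gen_dnsmasq_vpn_conf "$@" > "$CONF"
    /usr/local/sbin/dnsmasq --conf-file="$CONF" --test && \
    /usr/local/sbin/dnsmasq --conf-file="$CONF"
}
```

Usage: `start_dnsmasq_vpn example.com corp.example` writes the config and starts the instance; `gen_pf_rdr_rule vlan10` prints the rule to compare against what the GUI generated (`pfctl -sn` shows the live NAT rules). Clients are added to or removed from the table with `pfctl -t vpn_dns_clients -T add <ip>` / `-T delete <ip>`, which is exactly what an External alias is for.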
#3
Hm, still no solution. Might this be an OPNsense (and/or Unbound) bug?
Imagine your internet being disrupted for a couple of hours or so, and you are not able to resolve local host names, despite having a local resolver responsible for this private domain.
I can't believe DNSSEC would not support such cases - I just want to ignore it for the private domain.
#4
Hi all,

I am currently using a private, LAN-only domain "home.arpa" with the Unbound recursive resolver and DNSSEC for validation of public domains.
First off, this setup works well most of the time: public domains supporting DNSSEC are answered with SECURE, others with INSECURE. Also, responses for home.arpa addresses are labeled as INSECURE and just work.

Issues arise when the upstream internet router is powered off periodically for some hours: during this time (after cache invalidation), not only are public names like NTP domains not resolved, responses for *internal* hostnames like mail.home.arpa are also discarded as BOGUS (refused upstream) with SERVFAIL. For example, this leads to batch jobs not sending mails.

My assumption so far is (no expert, please correct me): the DS record from arpa. cannot be fetched, which leads the chain to invalidate the sub-domain home.arpa.
But the settings "Private Domains" and "Insecure Domains" under the Unbound tab are already set to home.arpa.
Hence I am asking: isn't the purpose of these settings to ignore any missing/invalid DNSSEC report for home.arpa, or am I missing some setting?

Current setup:
- System - Settings - General
    - Domain: home.arpa
- Services - Unbound DNS
    - General
        - Enable DNSSEC Support: checked
        - Local Zone Type: static
    - Advanced
        - Private Domains: home.arpa
        - Insecure Domains: home.arpa
        - Harden DNSSEC Data: checked
        - Aggressive NSEC: checked

OPNsense 24.7.10_2

Thanks for any hints.
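The GUI settings listed in this post, written out as the unbound.conf directives they correspond to, together with a check that tells a DNSSEC validation failure apart from a name that simply cannot be answered. This is an added example, not the poster's configuration and not the file OPNsense generates: the record data for mail.home.arpa, the trust-anchor path and the resolver address are assumptions. The useful diagnostic is the `+cd` (checking disabled) comparison: a query that SERVFAILs normally but answers with `+cd` failed validation, while a query that SERVFAILs both ways has nothing to do with DNSSEC.

```sh
#!/bin/sh
# Added example, not the poster's configuration or OPNsense-generated code: the
# GUI settings from the post written as unbound.conf directives, plus a check
# that separates "DNSSEC marked it BOGUS" from "no answer at all". Assumed:
# the record data, the trust-anchor path and the resolver address.

RESOLVER="127.0.0.1"

# The settings listed in the post, as the directives OPNsense writes for them.
gen_unbound_home_arpa_conf() {
    cat <<'EOF'
server:
  # Enable DNSSEC Support: root trust anchor (path assumed)
  auto-trust-anchor-file: "/var/unbound/root.key"
  # Harden DNSSEC Data
  harden-dnssec-stripped: yes
  # Aggressive NSEC
  aggressive-nsec: yes
  # Private Domains: RFC 1918 addresses under this name are not rebind attacks
  private-domain: "home.arpa"
  # Insecure Domains: no DNSSEC validation below this name
  domain-insecure: "home.arpa"
  # Local Zone Type: static; names not in local-data get NXDOMAIN from Unbound
  # itself and are never sent upstream (record data assumed)
  local-zone: "home.arpa." static
  local-data: "mail.home.arpa. IN A 192.168.1.25"
  local-data-ptr: "192.168.1.25 mail.home.arpa"
EOF
}

# Extract the status field (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output
# read on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# $1 = status of a normal query, $2 = status of the same query with +cd
# (checking disabled, so the validator is bypassed). SERVFAIL that turns into
# NOERROR with +cd is a validation failure; SERVFAIL both ways means the name
# cannot be answered at all, validation or not.
classify_dnssec_failure() {
    case "$1/$2" in
        SERVFAIL/NOERROR)  echo "BOGUS: validation failed, answer available with +cd" ;;
        SERVFAIL/SERVFAIL) echo "UNREACHABLE: no answer even with validation disabled" ;;
        NOERROR/*)         echo "OK: answered" ;;
        *)                 echo "OTHER: $1 with +cd $2" ;;
    esac
}

# Live check against the local Unbound (needs dig; not run by the test below).
check_name() {
    nocd=$(dig @"$RESOLVER" "$1" A +time=2 +tries=1 | dig_status)
    with_cd=$(dig @"$RESOLVER" "$1" A +cd +time=2 +tries=1 | dig_status)
    classify_dnssec_failure "$nocd" "$with_cd"
}

# Constructed dig header lines standing in for the two answers during an outage.
SAMPLE_NOCD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243'
```

Usage: `check_name mail.home.arpa` during the next outage. `unbound-host -v -C /var/unbound/unbound.conf mail.home.arpa` gives the same information in one step, printing `(secure)`, `(insecure)` or `(BOGUS ...)` after the answer, and `unbound-checkconf` confirms the generated file parses. A name that is served from `local-data` in a static zone never reaches the validator, so if the check reports BOGUS for mail.home.arpa, the first thing to confirm is that the query is actually being answered from that local zone.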