Messages - Netlearn

#1
There is a note in that link to the docs. I think that is what you are missing: zone, then hosts.

Quote
Note: .internal is the IANA and ICANN approved TLD (Top Level Domain) for internal use. If you instead own a TLD, e.g., example.com, you could create a zone that's not used on the internet, e.g., lan.internal.example.com.
#2
Hi.

The very last message before yours was about exactly the same topic.

For more info, search "wireguard stale".

Regards.
#3
General Discussion / Re: Unbound with no upstream DNS
August 10, 2025, 05:56:56 AM
Not only a privacy question, but control at hands, too.

On the privacy side, I can't see how DoT and DoH could help:

a. You use your ISP's DNS > they capture DNS + associated traffic (http, https, smtp...)
b. You use an external DNS > DNS server capture DNS data and your ISP captures associated traffic.
c. You use an external DoT or DoH DNS > Same as b.

In all the above alternatives, you lose recursion on your DNS, which becomes a forwarder, and your ISP will always know your traffic; the ISP doesn't care about DNS data.

d. You use your own DNS server > You are in control of filtering and no DNS data goes for free to other entities. ISP, of course, sees your traffic.

DNS data has no value for the ISP, as they have your traffic anyway. At least, don't give that info to one (or more) corps, orgs, or whatever.

That's my point of view about encrypted DNS systems in small or even medium networks. That could be different for a multi-site bigger net. Other thoughts are really appreciated, probably there are some benefits I am missing.

Regards.
#4
General Discussion / Re: Unbound with no upstream DNS
August 09, 2025, 01:17:43 AM
Thank you all for your answers.

So this is the behavior I was looking for. I already have DNSBL running on Unbound. Will check the DNSSEC option and put a NAT redirect rule, to ensure all clients have DNS access, even with other config out of my control.

I know that other DNS servers offer additional services, but I prefer to ask only root servers and keep control of what happens before/after that.

I see the point of putting additional server(s) in the network, but, for now, I don't see the need for it. If Unbound can't resolve, chances are the OPNsense machine has crashed (so no internet, too) or root DNSs have gone down (so no internet, too). Swapping the OPNsense for another machine or router would be a viable patch in that case.

Again, many thanks for your attention.
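A client-side check for the two things post #4 says it will verify (that Unbound answers recursively with no upstream, and that the DNSSEC option validates answers), written as an added example for this thread rather than anything from OPNsense or the poster. It sends one DNS query with the EDNS0 DO bit set and reads the response header: RA shows the server offers recursion, AD shows the resolver validated the answer, SERVFAIL is what a validating resolver returns for a bogus or unreachable zone. The server address 192.168.1.1 and the sample headers are constructed for the example.

```python
"""Resolver probe: is this server recursive, and does it validate DNSSEC?

Added example, standard library only.  The server address is an assumption
(replace it with the firewall's LAN IP); the SAMPLE_* headers are constructed.
"""
import socket
import struct

# Header flag bits (RFC 1035 / RFC 4035).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: resolver validated the answer
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2
EDNS_DO = 0x8000  # DNSSEC OK bit, high bit of the OPT record's TTL field
QUERY_ID = 0x1234  # fixed transaction id for the constructed messages


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(struct.pack("!B", len(lbl)) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = QUERY_ID, dnssec_ok: bool = True) -> bytes:
    """Query for `name` with RD set and one EDNS0 OPT record (UDP size 1232, DO bit)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    ttl = EDNS_DO if dnssec_ok else 0
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, ttl, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the verdict needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & RCODE_MASK,
        "answers": an,
    }


def classify(hdr: dict) -> str:
    """Verdict on the resolver from the response header alone."""
    if not hdr["qr"]:
        return "not a response"
    if not hdr["ra"]:
        return "no recursion offered: this is not a recursive resolver"
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "SERVFAIL: validation failed or the root/authoritative servers were unreachable"
    if hdr["ad"]:
        return "recursive and DNSSEC-validated (AD set)"
    return "recursive but not validated (AD clear: unsigned zone or validation disabled)"


def probe(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one query over UDP and return the parsed response header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _peer = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != QUERY_ID:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    return hdr


# Constructed response headers (no network needed) for the three outcomes.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", QUERY_ID, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 2, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", QUERY_ID, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
SAMPLE_AUTH_ONLY = struct.pack("!HHHHHH", QUERY_ID, FLAG_QR | FLAG_RD, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed LAN IP of the firewall
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"    # pick a zone you know is signed
    print(classify(probe(server, name)))
```

Run it once with the firewall's LAN address and once with some other address on port 53: with the NAT redirect rule from the post in place, the second query is answered by Unbound as well and the verdict is the same. AD only appears for a zone that is actually signed; for an unsigned zone, "recursive but not validated" is the normal result, so test validation against a signed name.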
#5
General Discussion / Unbound with no upstream DNS
August 07, 2025, 11:50:04 PM
Hi all!

I recently moved 4 otherSense installs to OPNsense and added one more. Then I discovered this awesome forum and found a lot of interesting info and details about a lot of things about OPNsense and even networking.

I read this and then this one.

@Patrick M. Hausen says,
Quote
Unbound is a perfectly capable recursive DNS server that does not need any upstream.
so I removed the upstream servers in System > Settings > General and made sure "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked. My clients are either manual IP or reserved DHCP with only the OPNsense as DNS, have rules to block outbound traffic to port 53 and allow 53 on "This firewall" only. It just works as I supposed, according to Patrick's explanations.

Is this the way to have Unbound do the whole job described in the second link?
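What the setup in this post (no upstream, full recursion from the root, DNSSEC on) and the "zone, then hosts" note quoted in post #1 look like in a stand-alone unbound.conf. This is an added example, not the configuration OPNsense generates from its GUI (OPNsense writes its own file); the addresses, the lan.internal zone, the host names and the file paths are constructed.

```conf
# Added example: stand-alone unbound.conf for a recursive, validating resolver
# with a private zone.  Not OPNsense's generated config; values are constructed.
server:
    interface: 192.168.1.1                  # LAN address of the firewall (assumed)
    access-control: 192.168.1.0/24 allow    # only the LAN may query
    access-control: 0.0.0.0/0 refuse        # everyone else is refused

    # Full recursion: no forward-zone anywhere, so lookups start at the root
    # hints and walk the delegation chain themselves (what post #5 describes).
    root-hints: "/var/unbound/root.hints"   # path is an assumption

    # DNSSEC validation (the "DNSSEC" option).  Validated answers carry AD;
    # answers that fail validation are returned as SERVFAIL.
    auto-trust-anchor-file: "/var/unbound/root.key"   # path is an assumption
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes

    hide-identity: yes
    hide-version: yes

    # Post #1's note: declare the zone first, then the hosts inside it.
    # "static" means names in the zone without local-data get NXDOMAIN.
    local-zone: "lan.internal." static
    local-data: "gw.lan.internal. IN A 192.168.1.1"
    local-data: "nas.lan.internal. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.10 nas.lan.internal."

# The setting that must be absent for recursion: a catch-all forward-zone
# turns Unbound into a forwarder that hands every query to the listed server
# (this is what "upstream servers" in System > Settings > General produces).
# forward-zone:
#     name: "."
#     forward-addr: 203.0.113.53
```

With this file, `unbound-checkconf` validates the syntax, and a query for a signed name from a LAN client returns the AD flag only while the trust anchor file is readable and current.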