Messages - amogus

#1
Ok, I did some reading, and I learned that creating a *.domain.com override actually creates a "local-zone" override of type "redirect"
(see: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-local-zone)

So, for any future reader, I'd say to think of the wildcard host override as "anything that ends in domain.com", including just domain.com.
So I believe there is no point in trying to open some feature request on the Unbound GitHub about this. (which brings me back to thinking there must be some better/other way people are doing this)

Though this (ancient) StackExchange post makes me think that there could maybe be something to improve on the OPNsense side of things. Especially, one user there says the order matters, but there is no way to change the order via OPNsense GUI.
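The finding above (an OPNsense wildcard host override becomes an Unbound local-zone of type "redirect") explains every symptom listed in the original question further down this page: the apex name and every depth of subdomain get the zone's data. The added example below is a small Python model of how Unbound chooses a local-zone for a query, written for this page and not taken from Unbound or OPNsense. It assumes Unbound's documented rule that the most specific (longest) matching local-zone wins, so a more specific zone of type "transparent" (resolve normally) or "static" (answer only from local data) carved out underneath the redirect zone takes precedence. All zone names, addresses and "upstream" answers are constructed.

```python
"""Model of Unbound local-zone precedence (constructed example, not Unbound code).

Shows why `local-zone: "mydomain.com" redirect` answers mydomain.com,
app.mydomain.com and a.b.c.mydomain.com with the same address, and how a more
specific local-zone of type transparent or static wins over it.
"""

REVERSE_PROXY = "192.168.10.5"   # constructed address of the LAN reverse proxy
UPSTREAM = {                     # constructed stand-in for normal recursion/forwarding
    "blog.mydomain.com": "203.0.113.10",
    "laptop.device.mydomain.com": "192.168.30.21",
}

# Constructed zone table; the comments give the equivalent unbound.conf directive.
ZONES = {
    "mydomain.com": "redirect",              # local-zone: "mydomain.com" redirect
    "blog.mydomain.com": "transparent",      # local-zone: "blog.mydomain.com" transparent
    "device.mydomain.com": "transparent",    # local-zone: "device.mydomain.com" transparent
    "lan.internal.mydomain.com": "static",   # local-zone: "lan.internal.mydomain.com" static
}
LOCAL_DATA = {
    "mydomain.com": REVERSE_PROXY,                         # local-data: "mydomain.com A 192.168.10.5"
    "server7.lan.internal.mydomain.com": "192.168.20.7",   # local-data: "server7.lan.internal.mydomain.com A 192.168.20.7"
}


def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def matching_zone(qname, zones=ZONES):
    """Return the most specific configured local-zone that contains qname, or None."""
    q = labels(qname)
    best = None
    for zone in zones:
        z = labels(zone)
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if best is None or len(z) > len(labels(best)):
                best = zone
    return best


def resolve(qname, zones=ZONES, local_data=LOCAL_DATA, upstream=UPSTREAM):
    """Return the A record a client would receive, or None for NXDOMAIN."""
    zone = matching_zone(qname, zones)
    if zone is None:
        return upstream.get(qname)          # no local zone: normal resolution
    ztype = zones[zone]
    if ztype == "redirect":
        return local_data[zone]             # every name in the zone, apex included, gets the apex data
    if ztype == "transparent":
        return local_data.get(qname, upstream.get(qname))  # local data if present, else resolve normally
    if ztype == "static":
        return local_data.get(qname)        # only local data; anything else does not exist
    raise ValueError(f"unsupported local-zone type {ztype!r}")


if __name__ == "__main__":
    for name in ["app.mydomain.com", "mydomain.com", "a.b.c.mydomain.com",
                 "blog.mydomain.com", "laptop.device.mydomain.com",
                 "server7.lan.internal.mydomain.com", "nothere.lan.internal.mydomain.com"]:
        print(f"{name:40} -> {resolve(name)}")
```

The table shows the two sides of the wildcard: anything that falls only under the redirect zone (including the bare mydomain.com) is answered with the proxy address, while blog.mydomain.com and the dnsmasq-style device.mydomain.com names fall through to normal resolution because their own, longer local-zone is consulted first. Whether these extra local-zone lines can be fed through the OPNsense GUI or need Unbound custom options depends on the OPNsense version in use and is not covered by this thread.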
#2
Quote from: Monviech (Cedrik) on October 08, 2025, 12:48:12 PM
You can automate it via API so whenever you add or remove something in your reverse proxy it POSTs it to the exposed OPNsense Unbound API followed by a reload of the service.

Just gotta be a little creative hehe :)
Yeah, seems it's actually very simple via the API.
I guess I will do this, assuming no one makes me aware of some alternative way people use.

I'm just really having a hard time believing I'm not missing something, surely there must be a better way.

Also, about my question on "are dns services really supposed to work like this", would be nice if there was someone who knew an answer.
Because to me it just really seems like those shortcomings I listed should not be expected behavior.
I would love to post a feature request somewhere (maybe on the Unbound Github? Or is this more of an OPNsense thing? I have no idea how these things work)
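The API route suggested in the quoted reply can be made idempotent instead of a one-shot POST per change. The added example below is a Python script written for this page (not the forum author's or OPNsense's code) that takes the hostnames the reverse proxy currently serves, compares them with the existing Unbound host overrides, applies only the differences and reloads Unbound once at the end. The endpoint paths (`searchHostOverride`, `addHostOverride`, `setHostOverride/<uuid>`, `delHostOverride/<uuid>`, `service/reconfigure`) are those listed in the OPNsense Unbound API documentation; the row field names (`uuid`, `hostname`, `domain`, `server`, `description`), the `{"host": {...}}` payload wrapper and the behaviour of `searchHostOverride` without paging parameters are assumptions to check against your version's API docs. The host, key and secret are placeholders, and the `MANAGED_TAG` description is a constructed marker so that overrides created by hand in the GUI are never deleted by the script.

```python
"""Sync OPNsense Unbound host overrides from a reverse-proxy host list (added example).

Assumptions (verify against your OPNsense version's API documentation):
  * POST endpoints /api/unbound/settings/{searchHostOverride,addHostOverride,
    setHostOverride/<uuid>,delHostOverride/<uuid>} and /api/unbound/service/reconfigure
  * each override row carries uuid, hostname, domain, server, description
  * write payloads are wrapped as {"host": {...}}
"""
import base64
import json
import urllib.request

OPNSENSE_URL = "https://opnsense.example.internal"   # placeholder firewall address
API_KEY = "<api key>"        # placeholders: key/secret issued under System > Access > Users
API_SECRET = "<api secret>"
MANAGED_TAG = "managed-by-proxy-sync"   # constructed marker; only rows with it may be deleted


def http_client(path, payload=None):
    """Real transport: JSON POST with key/secret basic auth."""
    token = base64.b64encode(f"{API_KEY}:{API_SECRET}".encode()).decode()
    body = json.dumps(payload if payload is not None else {}).encode()
    req = urllib.request.Request(OPNSENSE_URL + path, data=body, method="POST",
                                 headers={"Authorization": "Basic " + token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode() or "{}")


def split_fqdn(fqdn):
    """'app.mydomain.com' -> ('app', 'mydomain.com'); wildcards are rejected on purpose."""
    host, _, domain = fqdn.partition(".")
    if not host or not domain or "*" in fqdn:
        raise ValueError(f"expected a plain host.domain name, got {fqdn!r}")
    return host, domain


def plan(desired, current_rows):
    """Compute (adds, updates, deletes) between desired {fqdn: ip} and existing rows.

    Deletes only cover rows tagged MANAGED_TAG, so hand-made overrides survive.
    """
    current = {f"{r['hostname']}.{r['domain']}": r for r in current_rows}
    adds = [(fqdn, ip) for fqdn, ip in desired.items() if fqdn not in current]
    updates = [(current[fqdn]["uuid"], fqdn, ip) for fqdn, ip in desired.items()
               if fqdn in current and current[fqdn]["server"] != ip]
    deletes = [r["uuid"] for fqdn, r in current.items()
               if fqdn not in desired and r.get("description") == MANAGED_TAG]
    return adds, updates, deletes


def override_payload(fqdn, ip):
    """Build the assumed add/set payload for one A record override."""
    host, domain = split_fqdn(fqdn)
    return {"host": {"enabled": "1", "hostname": host, "domain": domain,
                     "rr": "A", "server": ip, "description": MANAGED_TAG}}


def sync(desired, client=http_client):
    """Apply the plan through client(path, payload) -> dict, then reload Unbound once.

    Returns the API paths called in order, which doubles as a dry-run log.
    """
    rows = client("/api/unbound/settings/searchHostOverride", {}).get("rows", [])
    adds, updates, deletes = plan(desired, rows)
    calls = []
    for fqdn, ip in adds:
        path = "/api/unbound/settings/addHostOverride"
        calls.append(path)
        client(path, override_payload(fqdn, ip))
    for uuid, fqdn, ip in updates:
        path = f"/api/unbound/settings/setHostOverride/{uuid}"
        calls.append(path)
        client(path, override_payload(fqdn, ip))
    for uuid in deletes:
        path = f"/api/unbound/settings/delHostOverride/{uuid}"
        calls.append(path)
        client(path, {})
    if calls:   # reload only when something actually changed
        path = "/api/unbound/service/reconfigure"
        calls.append(path)
        client(path, {})
    return calls


if __name__ == "__main__":
    # In practice `desired` comes from the proxy (e.g. container labels); constructed here.
    print(sync({"app.mydomain.com": "192.168.10.6", "proxmox.mydomain.com": "192.168.10.6"}))
```

Run it from the pipeline that (re)deploys the proxy, with `desired` built from the proxy's current router list; because the script diffs against the firewall first, re-running it with an unchanged list makes no API calls and no Unbound reload. Give the API user only the Unbound privileges it needs rather than a full-admin key.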
#3
Quote from: Monviech (Cedrik) on October 08, 2025, 12:35:45 PM
Just don't use the wildcard. I'm sure you don't have 100k subdomains on your reverse proxy.

Simplest solution for this.

I guess you are right, but is this really what people do?
Manually updating rules always when adding reverse proxy entries?
Surely there is a better way? I am just not aware of any alternatives, and not knowledgeable enough to think of ways this could be achieved.

Also really goes against my goals of my homelab being IaC driven as much as possible.
Quite annoying how I can have a very nice setup of applications being spun up via pipelines from containers and reverse proxy entries being dynamically created etc, but then I have to open up the OPNsense dashboard to type in some manual overrides.

If this is really how it must be done, I guess I should look into automating the creation of Unbound overrides via the API or whatever.
Hopefully that is possible.
#4
Hi,

So Unbound wildcard host DNS override is really annoying me right now.
My use case is simple: *.mydomain.com -> reverse proxy, it works great, I can access my applications cleanly via the reverse proxy (e.g. application.mydomain.com -> reverse proxies me to 192.168.10.6:8472).

BUT, because I have a *.mydomain.com override in Unbound, now I am unable to do anything else with that domain except get routed to the reverse proxy.
I want to access just mydomain.com (no subdomain)? Nope, I get the reverse proxy.
I want to access something.mydomain.com, which would be something hosted on the public internet? No way to override, I must go through the reverse proxy.
I want to create an override server7.lan.internal.mydomain.com? Nope, it just matches the *.mydomain.com override and I get the reverse proxy.

I will say that this is my first time setting up anything like this and first time using any DNS service, but this seems like bad design to me.
Is this sort of behavior really intended?

I would expect:
  • *.mydomain.com override, which clearly seems like a subdomain override, does not trigger if I am accessing mydomain.com
  • *.mydomain.com override does not infinitely match all possible subdomains *.*.*.*...mydomain.com, only the first one
  • An explicit override like service.mydomain.com should take precedence over *.mydomain.com, or there should be some way to order the overrides
  • (Bonus) it would be very nice if it were possible to make some domain skip overriding (so e.g. blog.mydomain.com which would be hosted somewhere on the public internet could just be resolved normally by DNS)

Would I be correct in hoping that there could be something to be improved here, and I should/could make a feature request/bug report/whatever somewhere (where?).
Or is this just how DNS services are supposed to work?

If this is how DNS services are supposed to work, I really wonder how people are able to use their domain, utilize a reverse proxy, and have subdomains.
There must be something I'm missing and I would love to learn what a proper setup looks like.

To further emphasize my problem, I would divide these problems into two:
  • (anything.)mydomain.com will be routed to my reverse proxy even if I wouldn't want it to, nothing I can do about it
  • Any possible sub-sub(-sub-sub..)-domain will be routed to my reverse proxy, even if I would just want the first subdomain to be overridden, not further ones

For problem 1, I can use a hacky workaround: resolve the same domain again within the reverse proxy and use a public DNS server to resolve it.
But about problem 2, I don't think I can do anything about it. I'm just screwed. Pick one: ability to use a reverse proxy or ability to use sub-domains.

Good example for problem 2 is that I followed the tutorial from the documentation on how to connect Unbound and dnsmasq. Great, I am now able to reach my DHCP devices via DNS via devicename.device.mydomain.com. But oops, now I want to use my reverse proxy so I have to create the override *.mydomain.com -> reverse proxy and now all of this is broken.
#5
Quote from: BrandyWine on September 13, 2025, 08:06:36 PM
Use 9.9.9.11, help us all keep malware out of our systems.

And if you use dst IP NAT for the guest VLAN subnet for dst port 53, then it doesn't matter what DHCP hands out, you can control where DNS goes using NAT.

Ok this is actually nice.
Just to clarify, you mean this and these would be the correct settings?
#6
Quote from: Patrick M. Hausen on September 13, 2025, 06:34:41 PM
Services > Dnsmasq DNS & DHCP > DHCP options

Add an entry for your guest network interface, pick option #6 (dns-server), specify IP address to your liking.

Brilliant, thanks.
Any way to put a fallback DNS this way?
(I just put "8.8.8.8" to the "value" field)

If not, I'm not too worried about that, whatever, how often could a fallback even be needed for Google's DNS.
#7
Hi,

First of all, I use Dnsmasq + Unbound, as recommended by the docs.

What I do:

In Unbound, I have DNS overrides, including wildcard overrides. They are meant for my trusted LAN network, with those I get forwarded to my LAN reverse proxy and get convenient access to all kinds of services in my network. It works fine.
Example override: *.mydomain.com -> reverse proxy ip
Problem:

Well now if I have a device on the guest network, it of course has firewall rules so it can't access any private networks.
But now if that device tries to access anything on *.mydomain.com, it also hits the DNS override that is meant for my LAN network, and it is of course denied access by the firewall and nothing happens.
Now you might think "where's the problem?", well many of my services under *.mydomain.com also have public dns entries and hit a public-facing reverse proxy of mine. Devices from the guest network should go through the public internet for these, just like any other device from the public internet does.

Overall, I feel like I would like the guest network to just use public dns (like 8.8.8.8 or 1.1.1.1). I don't think I have any need for the guest network to be using the same DNS my trusted LAN stuff does. But at the very least, I just need the guest network to not follow my dns overrides.
Any solutions?
ChatGPT has confidently told me multiple times to "just hand out 8.8.8.8 dns from the DHCP settings to the guest network". That would be very nice indeed, but I can not find from anywhere how this could be done, maybe it could be done for something other than Dnsmasq DHCP, or maybe ChatGPT is just hallucinating hard.

Via Googling I also find something about Unbound "views", which is apparently not supported from the GUI.
I won't even pretend to have understood what they are about, and it seems very advanced. Sure, I'll learn it if it's the only way, but I'd rather have something simpler.
#8
Quote from: Patrick M. Hausen on August 31, 2025, 10:40:12 PM
I use different DNS names for services - going to the reverse proxy - and the hosts that run these services - going to the internal IP address.

- service.mydomain.com for application
- service.internal.mydomain.com to connect via SSH, database connections, whatever

Also Avahi can help with that.

Use https://myservice.mydomain.com in your browser, reverse proxy can do the letsencrypt magic and you do not need a port number. Use ssh myservice.local for admin access.

Works across OPNsense and different subnets with mdns-repeater.
Yeah thanks, I've realized now that what I wanted is pretty much impossible to do cleanly. And I for sure want one domain that goes to reverse proxy as is to be used with browsers and another domain to be used by other protocols to resolve just the ip of the service. I will go with this setup.

Although the original problem remains, that I need a dns override *.mydomain.com -> reverse proxy, but then when I have e.g. blog.mydomain.com (which is not hosted locally, but somewhere on the internet), it's an issue to access it. But well, I was able to get past that issue by the hack @Monviech suggested (reverse proxy points blog.mydomain.com -> blog.mydomain.com, but just doesn't use my DNS to resolve it)
#9
Quote from: Monviech (Cedrik) on August 31, 2025, 06:18:39 PM
You could just use DNS without a catch all override. That would be the simplest solution.

Would be very annoying to have to manually configure DNS entries all the time (as opposed to automatically having stuff come from e.g. docker compose labels).
Also, then I have to type ports at the end of urls for services which require some non-default port to be used to get access to the web UI.
#10
Ok, well I've hit a realization here, this whole setup is pretty dumb. Yes sure, I can nicely access stuff with a browser by doing some_service.mydomain.com, but if I want to ssh, ping, nfs, whatever, some_service.mydomain.com this setup is totally useless for that. I will always just get the reverse proxy's IP.

Sigh,... I wonder what the correct way to do this stuff is.
I just didn't want the hassle of upkeeping dns overrides and other forwards in multiple different places.
#11
Quote from: Monviech (Cedrik) on August 31, 2025, 12:29:05 PM
Since the services you want to override and you host with your own domain should be quite contained, you could handle this with an SNI matching layer 4 route in Traefik. The target could be the original hostname. Traefik just should not use the same DNS server, otherwise there will be a loop since it will send its own traffic to itself.

Just a funny idea. In Caddy this sort of thing works.

Oh yeah, so in Traefik I would forward blog.mydomain.com -> blog.mydomain.com, but I would just tell it to use e.g. 1.1.1.1 for DNS. Yeah this should surely be doable in Traefik. Though seems like quite a hack haha, and I wonder what downsides it could come with. I would prefer if there was some other way to do it.
#12
Hi,

Before I start, I want to say that this is my first time setting up any custom network stuff and first time using OPNsense.
(Though I'm not a complete beginner anymore, I've had a few months of learning now and I'm very happy with my setup, except this thing I'm currently working on)
So, if you can immediately see that I should switch to doing something completely other than what I'm doing right now, let me know.

Ok, so my setup is as follows:

Running OPNsense 25.7.2
I own a domain, let's call it mydomain.com
I use Unbound + Dnsmasq (because the documentation seemed to recommend this)
I use Traefik as a reverse proxy
(And if relevant, I will also use AdGuard Home, though it is not set up yet)
Traefik or AdGuard Home or any other extra service is not installed as OPNsense addons, they are virtualized elsewhere

What I want to do:
I want *.mydomain.com to go to Traefik reverse proxy where I am routed to where needed (so I can do e.g. proxmox.mydomain.com -> goes to 192.168.10.3:8006)
Ok, I can do that all good, I create a host override in Unbound DNS: *.mydomain.com -> Traefik LXC IP. All good, navigating to proxmox.mydomain.com goes through Traefik and gets me to the right place, great.

Issue:
Now when I have the *.mydomain.com override, I'm in trouble if I have something hosted on the internet. Let's say a blog on GitHub Pages should be on blog.mydomain.com. Well, if I try to go to blog.mydomain.com, I just get forwarded to Traefik and it will not be found. Same issue also with the apex domain mydomain.com, even that seems to get forwarded to Traefik.

I'm hoping I could add an override blog.mydomain.com -> "resolve dns normally", but it seems I can only override to specific ip address, which is not usable here.

Any advice?

And to prematurely answer any question "why do you have same domain for local services and potential public ones". Well I think it would be very nice and convenient (once it works correctly). Also some services are both local and public, e.g. if accessing immich in my LAN, everything should go through the lan, but also same domain should also work if I'm not on my lan.