OPNsense
Topics - GrueneNeun

1
General Discussion / Unbound: Multiple Servers for Domain Override
« on: June 14, 2022, 12:43:38 pm »
If I enter multiple servers for the same domain and the first server is offline, a client requesting DNS entries for the overridden domain gets an error. Is it possible to have multiple entries for the same domain, so that even if one of the servers fails, a client gets correct results?
I am trying to use the firewall as the main DNS server for the clients, but since we are using Active Directory, our internal domain must be available too, even if one of the Domain Controllers is offline or updating or something like that.

2
German - Deutsch / DNS Domain Override with Failover Option
« on: June 10, 2022, 05:21:20 pm »
Hello everyone,

When I configure a domain override in Unbound, it seems to forward the corresponding queries only to the first entry, i.e. the first IP. If I now run multiple DNS servers for the domain for redundancy, how do I get queries forwarded to the next server when the first DNS server fails?

Is there a best practice or something similar for this?

3
Web Proxy Filtering and Caching / Fetching of intermediate Certificates
« on: February 24, 2022, 02:56:04 pm »
I have a transparent proxy up and running which also uses SSL bumping. It works for most websites, but some SSL sites do not deliver their intermediate certificate, like https://incomplete-chain.badssl.com/ for example. This results in OPNsense presenting the following errors to a client:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

Since normal web browsers do not display that error and can verify the complete certificate chain, there must be a way to download these missing certificates automatically. Can this be done in the web proxy too, so that even misconfigured servers can be reached?
