24.7 Production Series / [WORKAROUND] opnsense 24.7.2 Unbound forwarding to private server riddle
« on: August 27, 2024, 11:53:52 am »
I'm stumped. I need help.
I have been going forward and backward for three days now, but I cannot get unbound to query my other domain server properly.
Situation:
I have two locations in different buildings.
One is running a local LAN as the local '
I am at the location 'far' at the moment, as I am working on the firewall there. Counterintuitively, the 'far' LAN is currently my local LAN.
The 'ned' domain is the remote domain at the other location.
I have opnsense 24.7.2 and unbound running in the local 'far' location, serving the local 'far'-domain for the local LAN.
I have a different nameserver running to serve the remote LAN 'ned' domain at the 'ned' location.
There is a wireguard VPN connection between the local 'far' domain and the remote 'ned' domain.
On the LAN in the 'far' domain, I can query the 'ned' nameserver with dig (dig @<nameserver 'ned' IP> <hostname in 'ned' domain>).
Success. No problems.
Working.
On the GUI of opnsense firewall at 'far' I can use menu:/Interfaces/Diagnostics/DNS Lookup/ with
Hostname <hostname in 'ned' domain> and
server <address of nameserver in 'ned'>
Returns the expected result, i.e. the proper IP address for the remote host.
Working.
Problem:
The 'ned' nameserver is in menu:/Services/Unbound/Query forwarding
The internet upstream is in menu:/Services/Unbound/DNS over TLS
I query my local unbound in the 'far' domain, expecting the query to be forwarded to the remote 'ned' nameserver:
dig <hostname in 'ned' domain>
I receive no address, but a SERVFAIL.
Not working.
In the unbound log, I can see it decided to query the remote 'ned' nameserver over wireguard, but it failed to parse the answer:
[3506:1] error: SERVFAIL <hostname.ned. A IN>: all the configured stub or forward servers failed, at zone ned. from <nameserve'ned-IP> could not parse upstream response
Okay. So I disabled menu:/System/Settings/Administration/DNS Rebind check
Did not fix the problem.
I removed 192.168.0.0/16 from menu:/Services/Unbound/Advanced/Rebind protection networks
Not working.
menu:/Services/Unbound/General/Enable DNSSEC support is unchecked
Not working.
I added 'ned' to menu:/Services/Unbound/Advanced/Insecure Domains
Not working.
I logged in with ssh and
cd /var/unbound/etc
unbound-host -v -C ./dot.conf hostname.ned
Response is fine:
hostname.ned has address <hostname IPv4 address> (insecure)
hostname.ned has no IPv6 address (insecure)
hostname.ned has no mail handler record (insecure)
Personal conclusions (I am wrong probably):
The connection is ok.
Firewall rules are ok.
Both nameservers are responsive.
The config of unbound for query forwarding is ok. Forwarding to public NS works ok, with DNS over TLS.
There must be something in the configuration of Unbound that is stopping the query with an odd looking error, but I cannot find the problem, even with more logging switched on. In the log I can see the query being forwarded to the remote 'ned' nameserver, but I get the error while parsing the response.
Yet, when the 'ned' nameserver is queried from the LAN or even from the firewall, the response is fine.
Even unbound-host can do it!
I am stuck. I have no idea where to look next.
Help is appreciated.
cheers,
Michiel
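The step that fails in the post is Unbound's parse of the reply coming back from the 'ned' nameserver, while dig and unbound-host accept the same server's answers. As an added example (not from the post, and not OPNsense or Unbound code), here is a small Python checker that walks a DNS response the way a forwarder must and reports which part it rejects; the wire bytes for hostname.ned are constructed here, with an address from the RFC 5737 documentation range.

```python
import struct

def encode_name(name):
    # Wire-format name: length-prefixed labels terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def parse_name(msg, off):
    # Returns (name, offset after the name). Truncation surfaces as IndexError/struct.error.
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), (end if jumped else off + 1)
        if ln >= 0xC0:  # compression pointer; must point to an earlier offset so it cannot loop
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("compression pointer does not point backwards")
            end, jumped, off = (end if jumped else off + 2), True, ptr
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def check_response(resp, qname, qid):
    """Walk a response as a forwarder must; return findings, or {'error': why} if it cannot be parsed."""
    try:
        rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
        name, off = parse_name(resp, 12)
        if qd != 1 or off + 4 > len(resp):
            raise ValueError("bad question section")
        out = {"id_match": rid == qid, "rcode": flags & 0xF, "question_match": name.lower() == qname.lower(), "answers": []}
        off += 4
        for _ in range(an + ns + ar):
            name, off = parse_name(resp, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
            rdata = resp[off + 10:off + 10 + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("rdlength exceeds message")
            off += 10 + rdlen
            if rtype == 1 and rclass == 1:  # A record: render the IPv4 address
                out["answers"].append((name, ".".join(map(str, rdata)), ttl))
        out["trailing_bytes"] = len(resp) - off  # junk after the last record is worth reporting
        return out
    except (ValueError, IndexError, struct.error) as e:
        return {"error": str(e)}

# Constructed sample (not captured from the poster's network): hostname.ned A -> 192.0.2.10, RFC 5737 range.
GOOD = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + encode_name("hostname.ned") + struct.pack("!HH", 1, 1)
        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

To use it on a real case, feed it the raw UDP payload of the reply as captured on the wireguard interface, together with the name and ID from the matching query, and compare the result for a reply to Unbound against one for a reply to dig.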