Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
unbound: unblock-lan-zones
« previous
next »
Print
Pages: [
1
]
Author
Topic: unbound: unblock-lan-zones (Read 4654 times)
osn1803
Newbie
Posts: 15
Karma: 1
unbound: unblock-lan-zones
«
on:
January 31, 2021, 08:55:43 am »
Salutations --
Just thought I'd note, as we close in on the drop-dead date for "Custom options" in the unbound GUI, that my use for this feature is to add this section:
server:
unblock-lan-zones: yes
I forward requests for my own domain to an internal authoritative server using overrides, and the above declaration is needed to make the PTR lookups work for RFC1918 addresses. If you felt like adding a toggle for that in the GUI someday, that'd be appreciated; else I'm fine with adding it manually in /var/unbound/etc in future.
Thanks again for an outstanding piece of software.
Logged
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: unbound: unblock-lan-zones
«
Reply #1 on:
February 02, 2021, 03:28:24 am »
Did you add domain overrides for your RFC1918 reverse lookup zones (like [..].168.192.in-addr.arpa)? These work without setting unblock-lan-zones. This option is only required for
upstream
RFC1918 PTR record lookups.
Logged
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
osn1803
Newbie
Posts: 15
Karma: 1
Re: unbound: unblock-lan-zones
«
Reply #2 on:
February 03, 2021, 12:44:59 am »
Thank you for your note. Yes, the reverse zones are in the overrides (168.192.in-addr.arpa, as well as a v6 net block). PTR lookups from attached clients definitely don't work unless unblock-lan-zones is specified. I'm not anyone's expert on DNS, so I may misunderstand what is meant by "upstream", but the authoritative server is on a different network from the client, beyond the unbound resolver (via another LAN route, not the WAN).
«
Last Edit: February 03, 2021, 12:51:11 am by osn1803
»
Logged
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: unbound: unblock-lan-zones
«
Reply #3 on:
February 03, 2021, 04:39:14 am »
Does the IPv6 reverse lookup zone use ULAs (.d.f.ip6.arpa)? I was indeed able to identify a bug which breaks such domain overrides:
https://github.com/opnsense/core/pull/4663
But IPv4 reverse lookup zones should not be affected. I use several .in-addr.arpa domain overrides with RFC1918 addresses and they work just fine (without 'unblock-lan-zones'). Could you double-check?
Logged
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
osn1803
Newbie
Posts: 15
Karma: 1
Re: unbound: unblock-lan-zones
«
Reply #4 on:
February 03, 2021, 08:26:46 am »
Well. That's puzzling. Or I have no idea what I'm doing.
On a hunch, I UNchecked "Disable DNS rebinding check" in System->Settings->Administration, and sure enough, reverse lookups for overridden zones now work correctly without unblock-lan-zones. That is the opposite of what I'd expect the effect of "Disable DNS rebinding check" to be, based on the help text:
"When this is unchecked, your system is protected against DNS Rebinding attacks. This blocks private IP responses from your configured DNS servers. Check this box to disable this protection if it interferes with web GUI access or name resolution in your environment."
I'm not sure I understand why unchecking that allows PTR queries for private addresses, and selecting it causes them to fail.
Re: IPv6 addresses - PTR lookups for those were not affected in my case, because mine are publicly routed (I have an HE tunnel allocation). The IPv4 addresses are all in 192.168/16.
Thank you very much for the info.
Logged
Maurice
Hero Member
Posts: 1213
Karma: 158
Re: unbound: unblock-lan-zones
«
Reply #5 on:
February 03, 2021, 04:47:38 pm »
You found another bug!
Disabling DNS rebinding checks should indeed not break domain overrides for private reverse lookup zones.
Unbound by default filters all reverse lookups for private and reserved IP addresses. When you add a domain override for a reverse lookup zone, OPNsense adds an exception (typetransparent local-zone) which excludes that zone from filtering. But these exceptions are only added for IPv4 reverse lookup zones (bug #1) and only if DNS rebinding checks are enabled (bug #2).
I added another patch which should fix bug #2.
Logged
OPNsense virtual machine images
OPNsense aarch64 firmware repository
Commercial support & engineering available. PM for details (en / de).
osn1803
Newbie
Posts: 15
Karma: 1
Re: unbound: unblock-lan-zones
«
Reply #6 on:
February 03, 2021, 07:23:13 pm »
Well, I'll be darned. Thank you!
So, the end result is that I can simplify my configuration, since I won't need unblock-lan-zones. Win-win.
Cheers, and thanks again.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
unbound: unblock-lan-zones