Unbound (maybe?) provides wrong ip when asked

Started by bob9744, February 15, 2023, 01:44:08 PM

Hi all!

Noticed lately that attempts to resolve the name of my opnsense box take 30 seconds or so, so I thought I'd try pinging the name while letting the browser spin, trying to open the page.

Turns out that, rather than resolving it to 10.0.10.1 (vlan 10, where my pc sits), it somehow resolved to 10.0.40.1 (vlan 40 - dmz), where I disallow access to the web gui. _Eventually_ things must resolve, because navigation succeeds, and I'm in the gui.

Is this an issue because my PC has access to every vlan? `ipconfig` confirms the correct gateway ip (10.0.10.1) - why on earth would unbound return the router's address from a different vlan than the one I participate in?

Thanks!

One more thing that confuses me: if unbound creates a record for each device that receives an address from DHCP, including records for static DHCP entries, why does it ever forward odd constructs such as "MachineA.example.net.example.net" to my DoT DNS? Shouldn't it stop at "MachineA.example.net", which it has a record for?

Using DNS Lookup under Interfaces -> Diagnostics, I can look up names registered during DHCP _without_ those queries being forwarded through DoT. But if I do an nslookup, the queries are forwarded before being resolved - why would that be?

Nvm - dug around and found how to constrain the answer using access control view.

I am curious tho - isn't this a common scenario, multiple subnets and therefore multiple IPs for the gateway? I know there were whole threads on keeping the unbound gui a bit cleaner by pushing advanced tasks to manually edit conf files, but I wonder if this is something so common that hoisting it into the gui would make sense.
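One way to express the per-VLAN answer that bob9744 arrived at, as an added example that is not configuration taken from the thread or from OPNsense: an Unbound `view:` per VLAN, attached to the source subnet with `access-control-view`, each carrying its own `local-data` for the firewall's name. The hostname `opnsense.example.net` and the /24 netmasks are assumptions; the two gateway addresses are the ones from the thread.

```conf
# Added example: Unbound views that answer the firewall's name with the
# gateway address of the VLAN the query arrived from.
# Assumptions: hostname opnsense.example.net, /24 netmasks.
# From the thread: 10.0.10.1 (vlan 10) and 10.0.40.1 (vlan 40, dmz).
server:
    # A view can only be attached to a netblock that is already allowed.
    access-control: 10.0.10.0/24 allow
    access-control: 10.0.40.0/24 allow
    access-control-view: 10.0.10.0/24 vlan10
    access-control-view: 10.0.40.0/24 vlan40

    # Fallback for queries that match no view (e.g. from the firewall
    # itself or a management host): the admin VLAN's address.
    local-data: "opnsense.example.net. A 10.0.10.1"

view:
    name: "vlan10"
    # view-first: names without a match in this view fall through to the
    # server: local-data (DHCP-registered hosts) and then to normal
    # recursion, so only the override lives here.
    view-first: yes
    local-data: "opnsense.example.net. A 10.0.10.1"

view:
    name: "vlan40"
    view-first: yes
    # Clients in the DMZ are handed the DMZ gateway, so a blocked attempt
    # to reach the GUI on 10.0.40.1 no longer happens from other VLANs.
    local-data: "opnsense.example.net. A 10.0.40.1"
```

Validate with `unbound-checkconf` after placing the fragment wherever your Unbound build reads extra configuration (an `include:` from the main file; the location differs per platform and is not taken from the thread). From a VLAN 10 host, `drill @10.0.10.1 opnsense.example.net` should return 10.0.10.1 and the same query from a VLAN 40 host should return 10.0.40.1; a name that exists only as a DHCP registration in the server section must still resolve from both, which confirms the `view-first` fallthrough.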

Quote from: bob9744 on February 15, 2023, 02:42:04 PM
why does it ever forward odd constructs such as "MachineA.example.net.example.net" to my DoT DNS?
Because some client on your network sends it that question. The recursive nameserver does not add or remove search domains. The resolver libraries on client devices do.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on February 15, 2023, 08:41:37 PM
Because some client on your network sends it that question. The recursive nameserver does not add or remove search domains. The resolver libraries on client devices do.

HTH,
Patrick

Ah, that makes sense - Win 11's doing it. Oh well, I guess it's fine - not like it's leaking anything of value - just annoying... thanks!

I tend to use different subdomains for my vlans just because of this. And I prioritize them by handing out an ordered list of domain suffixes. That way, I can still retain a short name for a machine while allowing it to have different names/IPs in subnets (like opnsense itself).

The other option is to disable DNS entries for DHCP leases and control everything tightly. It is one of the reasons that I prefer dnsmasq over unbound, just a little more control over some behaviour.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
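The subdomain-per-VLAN approach described in the post above, as an added example that is neither the poster's configuration nor OPNsense's: ISC dhcpd hands each VLAN its own domain plus an ordered search list (DHCP option 119), and Unbound holds the firewall's name once under each subdomain. The subdomain names, DHCP ranges and the hostname `opnsense` are assumptions; the gateway addresses are the thread's.

```conf
# Added example (not from the thread): one subdomain per VLAN, with the
# search list ordered so the client's own VLAN subdomain is tried first.
# Assumptions: subdomains vlan10/vlan40.example.net, ranges, hostname.
# From the thread: gateways 10.0.10.1 and 10.0.40.1.

# --- ISC dhcpd.conf: per-VLAN domain and ordered search list ---
subnet 10.0.10.0 netmask 255.255.255.0 {
    range 10.0.10.100 10.0.10.200;
    option routers 10.0.10.1;
    option domain-name-servers 10.0.10.1;
    option domain-name "vlan10.example.net";
    # Tried in this order by the client's resolver library.
    option domain-search "vlan10.example.net", "example.net";
}

subnet 10.0.40.0 netmask 255.255.255.0 {
    range 10.0.40.100 10.0.40.200;
    option routers 10.0.40.1;
    option domain-name-servers 10.0.40.1;
    option domain-name "vlan40.example.net";
    option domain-search "vlan40.example.net", "example.net";
}

# --- unbound.conf server: section: the same host under each subdomain ---
server:
    local-data: "opnsense.vlan10.example.net. A 10.0.10.1"
    local-data: "opnsense.vlan40.example.net. A 10.0.40.1"
    # A VLAN 10 client asking for the short name "opnsense" first sends
    # opnsense.vlan10.example.net and gets its local gateway.  A host that
    # is registered only as MachineA.example.net is missed on the first
    # suffix and found on the second, so short names keep working.
```

This also explains the "MachineA.example.net.example.net" queries seen earlier in the thread: every suffix in the search list is appended by the client in turn, and a fully qualified name that the client does not recognise as such gets the suffix appended as well. Unbound only sees the result and forwards whatever it cannot answer locally, so the ordering of the list, not the resolver, decides how many of those queries leave the network.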

Quote from: bob9744 on February 15, 2023, 08:33:30 PM
Nvm - dug around and found how to constrain the answer using access control view.

Hello bob9744, I am having the exact same problem. Can you please elaborate on how exactly you managed to solve this? Did you manage to do it through the GUI? I was going to implement a solution proposed here: https://forum.opnsense.org/index.php?topic=16833.0, which relied on the "custom options" field to define access control views, but just found out that it was removed from the GUI, so now I'm at a loss.

Thanks in advance.