[SOLVED] Unbound DNS Override for Specific Subdomain – Alternative Solutions?

Started by paul_, February 02, 2025, 06:21:09 PM

Hi everyone,

I'd like to briefly explain my setup: I'm running an internal reverse proxy, and I use Unbound to resolve all DNS queries for *.mydomain.net via host overrides, forwarding them to my Nginx proxy. Now, I'd like to forward only a specific subdomain, e.g., sub1.mydomain.net, to a different IP, while all other subdomains (e.g., sub2.mydomain.net) should resolve to the default wildcard DNS IP.

Unfortunately, I haven't been able to achieve this with Unbound. Does anyone have an idea how to implement this? If switching to another DNS plugin is necessary, that's not a problem—my main requirement is that I can use upstream DNS servers via DoT or DoH.

Any suggestions would be greatly appreciated!

Thanks in advance and BR
Paul

Query forwarding does not do what you intend?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

No, I'm afraid not... It can just forward to a DNS server, if I got that right, and I only have nginx running where I need this *.mydomain.net to point to, and sub1.mydomain.net should point to another nginx server with another IP...

This is an interesting thread and I am trying to do something similar. Keen to see what is possible and how...

I currently have a reverse proxy running on 2 servers (that host end-user services) on my LAN (homelab) and use duckdns with wildcard for two domains make it all work.

I'd like to be able to get it all to work using just one reverse proxy but I haven't found a way (yet)

A bit dirty but:
- change unbound zone mode to transparent
- add specific subdomains to unbound
- enable dnsmasq on a port other than 53
- forward domain to dnsmasq
- add wildcard to dnsmasq

That's what comes to my mind right now.

I mean, the idea isn't that bad, haha! 😂 Somehow, I can't create a wildcard host override in DNSMasq...

Any ideas?

BIND? BIND definitely supports wildcard A records - I don't know if the OPNsense UI permits it, though.

Anyway, Unbound actually would support this, but the OPNsense GUI doesn't give you an option to configure it.

The custom options box was sadly removed in recent versions. That's really annoying.

I read in another thread that you can upload custom config files, which are then included into the settings. But this also seems not to be a practicable solution.

Quote from: Patrick M. Hausen on February 03, 2025, 06:23:09 PM
BIND? BIND definitely supports wildcard A records - I don't know if the OPNsense UI permits it, though.

Wonderful idea, and it works like a charm! I've set BIND to listen on address 8053 and created a primary zone for mydomain.net. I've also set up query forwarding from Unbound to BIND for mydomain.net. The sub.mydomain.net is still configured as a host override on Unbound, and everything works as expected. Thanks for your help!

Can you explain a little more about exactly how/what you did using BIND please @paul_

I am not sure where to start...

Quote from: jata on February 03, 2025, 09:32:30 PM
Can you explain a little more about exactly how/what you did using BIND please @paul_

I am not sure where to start...

First, go to the Overrides section in Unbound and create a subdomain, sub.mydomain.net, and point it to the IP address you want it to resolve to.

Next, install BIND by navigating to the Plugins section and selecting the BIND plugin. After installation, set the listen port for BIND to 8053.

Then, create a primary zone for mydomain.net in BIND. Be sure to add NS records for your domain by setting ns1.mydomain.net as the nameserver. You'll also need to create an A record for ns1.mydomain.net and point it to the IP address of your OPNsense firewall.

Afterward, create a wildcard DNS record (*.mydomain.net) and point it to the additional IP address you want it to resolve to.

Once all the necessary records are created, save the configuration in BIND.

Finally, return to Unbound and go to the Query Forwarding section. Add mydomain.net as a domain to forward, and set it to forward queries for mydomain.net to the OPNsense IP at port 8053.

Hope this works for you too :-)
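
The same setup written out as raw configuration, added here as an illustration rather than taken from the thread or from the files the OPNsense plugins generate; the addresses (RFC 5737 documentation ranges), the zone file name and the SOA serial are placeholders, and the allow-query list is an assumption. The order in which Unbound consults its sources is what makes the arrangement work: a local-data entry is answered before any forward-zone is tried, so BIND's wildcard only ever sees the names Unbound did not answer itself.

```conf
# ---- Unbound side (unbound.conf syntax) ----
# Host override for the one name that must resolve differently.
# Local data is answered before a forward-zone is consulted.
local-zone: "mydomain.net." transparent
local-data: "sub.mydomain.net. A 192.0.2.20"

# Query forwarding: every other name under mydomain.net goes to BIND,
# listening on the firewall's own address at port 8053.
forward-zone:
    name: "mydomain.net."
    forward-addr: 192.0.2.1@8053

# Needed only if DNSSEC validation is on and the public mydomain.net is
# signed: BIND's answers are unsigned, so tell the validator not to expect
# signatures for this zone.
# domain-insecure: "mydomain.net."

# Needed only if rebinding protection (private-address) is enabled: answers
# from a forwarded zone that carry RFC 1918 addresses are otherwise dropped.
# private-domain: "mydomain.net."

# ---- BIND side: named.conf fragment ----
options {
    listen-on port 8053 { 127.0.0.1; 192.0.2.1; };
    recursion no;                              # authoritative only; Unbound recurses
    allow-query { 127.0.0.1; 192.0.2.1; };     # assumption: only the firewall itself asks
};

zone "mydomain.net" {
    type primary;            # "master" on BIND versions before 9.16
    file "mydomain.net.db";  # placeholder, relative to BIND's working directory
};

# ---- BIND side: zone file mydomain.net.db ----
$TTL 300
$ORIGIN mydomain.net.
@       IN  SOA  ns1.mydomain.net. hostmaster.mydomain.net. (
                 2025020301  ; serial (placeholder)
                 3600        ; refresh
                 900         ; retry
                 604800      ; expire
                 300 )       ; negative-answer TTL
@       IN  NS   ns1.mydomain.net.
ns1     IN  A    192.0.2.1    ; the OPNsense firewall, as the post describes
*       IN  A    192.0.2.10   ; wildcard: any name not listed above -> nginx proxy
```

Two things worth checking once it is in place: `recursion no` keeps BIND from answering anything outside its zone, so a stray query from the LAN to port 8053 gets REFUSED rather than a recursive answer; and because the wildcard in BIND never matches a name that exists explicitly in the zone, an exception could equally be added as an A record in the zone file, although the post's approach of keeping the exception in Unbound means it is answered without the extra hop.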

Thanks for this info. I will give it a try and report back...

My understanding of what this can/should enable is a bit more flexibility around internal IP redirection so I can point *.rpi.mydns.duckdns.org to 192.168.1.3 and *.mpc.mydns.duckdns.org to 192.168.1.5 (for example)


I have adguard in my config so I think the setup for me is adguard (port 53) --> unbound (port 5335) --> BIND (port 8053)

Quote from: jata on February 04, 2025, 10:10:36 PM
Thanks for this info. I will give it a try and report back...

My understanding of what this can/should enable is a bit more flexibility around internal IP redirection so I can point *.rpi.mydns.duckdns.org to 192.168.1.3 and *.mpc.mydns.duckdns.org to 192.168.1.5 (for example)

I have adguard in my config so I think the setup for me is adguard (port 53) --> unbound (port 5335) --> BIND (port 8053)

Hi,

I don't know much about AdGuard; maybe you can set DNS zones and custom redirects in there as well. It's worth a try!

Or you could also try to just redirect *.mpc.mydns.duckdns.org via unbound to your 192.168.1.5 and *.rpi.mydns.duckdns.org to 192.168.1.3.

I think that should work too.

I've re-read your OP several times to try to avoid a pointless contribution... (an opening comment like that almost guarantees one), but I'm pretty sure I'm achieving what you want to do only with unbound with a very similar setup.

I catch all local requests to my *.mxxxxxxx.org domain which are directed to a caddy reverse proxy container with a lan ip address.

We have some public code demo sites such as dev1, dev2 at dev1.mxxxxxx.org with public IP addresses. In Unbound overrides:

Host: *    Domain: mxxxxxxx.org          Value: 192.x.x.x   Descrip: Caddy Reverse Proxy
Host: *    Domain: dev1.mxxxxxx.org   Value: 20.x.x.x    Descrip: Public webserver IP address

Does this not work for you?
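
What the two wildcard overrides in the post above amount to in raw Unbound configuration, and why the more specific one wins. This is an added illustration, not configuration from the post or from OPNsense; the domain and addresses are placeholders using the original poster's names. A wildcard override (host `*`) corresponds to a `redirect` local-zone, and Unbound picks the longest-matching local-zone for a query name, so a redirect zone for sub1.mydomain.net shadows the one for mydomain.net.

```conf
# Catch-all: the zone's own data answers every name at or below mydomain.net.
local-zone: "mydomain.net." redirect
local-data: "mydomain.net. A 192.0.2.10"        # nginx / Caddy reverse proxy

# Exception: a second, more specific redirect zone. Unbound matches the longest
# zone suffix first, so anything at or below sub1.mydomain.net lands here.
local-zone: "sub1.mydomain.net." redirect
local-data: "sub1.mydomain.net. A 192.0.2.20"   # the other nginx server

# Why a plain host override for sub1 did not work on its own: a redirect zone
# answers from its apex data only, and Unbound documents that there may be no
# local data beneath a redirect zone name, so a record for a name under
# mydomain.net is never consulted. The exception needs its own zone, which in
# the GUI is a wildcard override whose Domain is sub1.mydomain.net rather than
# a host override inside mydomain.net.
```

One caveat before relying on this: a redirect zone swallows every query type under it, not just A, so MX or TXT lookups for the domain from inside the LAN are answered from the zone's apex data instead of from the public zone. If the same domain also carries public records that internal clients need, the BIND approach earlier in the thread, or explicit per-name overrides, avoids that side effect.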