25.1.6 - DNS/DHCP best practice

Started by gstyle, May 08, 2025, 03:51:39 PM

June 07, 2025, 12:10:04 PM #105 Last Edit: June 07, 2025, 04:34:21 PM by flushell
I haven't found an answer to my (edge-)case yet. I have a real domain on my IPv4/IPv6 address, resolvable from outside, let's say opnsenseyay.org. Ports 80/443 on it point to a server in my network via firewall rules. I want my internal clients, if they ask for something.opnsenseyay.org, to get a response from Dnsmasq only (via a forwarding rule in Unbound per the docs). If I do this, it resolves but it takes a long time. I found out that Unbound tries both: it queries outside (via 1.1.1.1 in my case) AND forwards to Dnsmasq. The query to 1.1.1.1 returns NXDOMAIN (because it doesn't exist) and from Dnsmasq there is a valid response via DHCP mappings. Both are technically not wrong. How do I stop Unbound from ever asking 1.1.1.1 for this domain "opnsenseyay.org"? Apparently "Query Forwarding" doesn't work as I expect. Probably my bad, but how do I solve this?

EDIT: I think maybe my issue is this https://github.com/opnsense/core/issues/8708 and should be resolved in the next release?

Quote from: meyergru on May 20, 2025, 02:13:13 PM
By doing it like so:

1. Unbound is your main DNS resolver. It either resolves internet DNS by itself, working as a resolving DNS, or you configure it to use an upstream server, like 8.8.8.8 via normal DNS or DNS-over-TLS. You also tell it to "Do not forward private reverse lookups". The important part is that you instruct it to forward specific domains, namely your private domains, to 127.0.0.1:53053. This includes the reverse domains, say "168.192.in-addr.arpa".

2. You configure DNSmasq to run on port 53053 and set it up to resolve your internal domains, it will use the system name servers as upstream servers. These do not even have to use 127.0.0.1 (Unbound).

Thus, regular queries go to Unbound first and are either forwarded to DNSmasq (if they match forwarded domains) or resolved by Unbound.
Because the forwarded, local domains can be resolved by DNSmasq, you will either get an IP or an NXDOMAIN. And since DNSmasq is only ever asked for internal domains (by Unbound only), its upstream server will never get used, even if it is Unbound by accident.
I don't think this is working like that currently, as evidenced by multiple reports about it. I think it is already resolved as https://github.com/opnsense/core/issues/8708 and related changes. I will try on the next release.
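The two-tier setup meyergru describes, written out as plain-file Unbound and Dnsmasq fragments. This is an added illustration, not from the thread and not what OPNsense's templates emit (OPNsense generates both files from the GUI). It assumes the names used in the thread: opnsenseyay.org as the internal domain, Dnsmasq on 127.0.0.1:53053, and 192.168.0.0/16 as the private range; the `private-domain`, `domain-insecure` and `nodefault` lines are settings a forwarded private zone usually needs and are not mentioned in the thread.

```conf
# --- unbound.conf fragment ---
# OPNsense's "Query Forwarding" entries become the forward-zone stanzas;
# the server: lines are the settings those forwards depend on.
server:
    # Dnsmasq answers with RFC1918 addresses; without this, Unbound's
    # rebind protection (private-address) would drop those answers.
    private-domain: "opnsenseyay.org"
    # The public opnsenseyay.org zone may be DNSSEC-signed, but Dnsmasq's
    # answers are unsigned, so validation must be skipped for these names.
    domain-insecure: "opnsenseyay.org"
    domain-insecure: "168.192.in-addr.arpa"
    # Unbound answers RFC1918 reverse zones itself by default (AS112 zones);
    # turn that off so the forward-zone below is actually consulted.
    local-zone: "168.192.in-addr.arpa." nodefault

# Everything under the internal domain goes to Dnsmasq only.
# forward-first defaults to no: Unbound never falls back to its
# upstream (1.1.1.1 in the post) for names in this zone.
forward-zone:
    name: "opnsenseyay.org."
    forward-addr: 127.0.0.1@53053

# Reverse lookups for 192.168.0.0/16 go to Dnsmasq as well.
forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@53053

# --- dnsmasq.conf fragment ---
port=53053
# Authoritative for the internal domain: answer from DHCP mappings / hosts
# entries, otherwise NXDOMAIN, and never forward this domain upstream.
local=/opnsenseyay.org/
domain=opnsenseyay.org
expand-hosts
# No upstream servers at all, so nothing is forwarded even if a name
# outside the internal domain reaches Dnsmasq by accident.
no-resolv
```

To check which path a name takes, compare `drill @127.0.0.1 -p 53053 host.opnsenseyay.org` (Dnsmasq directly) with `drill @127.0.0.1 host.opnsenseyay.org` (through Unbound): the answers and the query times should match, and a nonexistent name should return NXDOMAIN promptly on both.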