[SOLVED] Unbound - overrides and do-not-query-localhost

Started by Patrick M. Hausen, February 16, 2021, 12:48:26 PM

February 16, 2021, 12:48:26 PM Last Edit: February 20, 2021, 09:42:21 AM by pmhausen
Hi all,

while discussing general BIND setup in this thread:
https://forum.opnsense.org/index.php?topic=21527.0

@thefrisianclause referred to the BIND plugin documentation which contains this part:
Quote: When you are using Overrides in Unbound you can not use do-not-query-localhost. Please remove the line and let Bind listen to your LAN IP with port 53530 instead of localhost. After this you can set the LAN IP in forward-addr.
See screenshot for the complete context.

My question: I was not aware of that restriction and I use "do-not-query-localhost: no" and a lot of overrides without noticeable problems. Am I missing something or is the documentation not accurate?

BTW: I am not using the deprecated "Custom Options" in Unbound but a separate config file as recommended.

Thanks
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on February 16, 2021, 12:48:26 PM
BTW: I am not using the deprecated "Custom Options" in Unbound but a separate config file as recommended.

Thanks
Patrick
Hi, could you explain how you do that? Which config file?

Thanks.


February 19, 2021, 07:31:51 PM #3 Last Edit: February 19, 2021, 07:47:51 PM by hushcoden
I have a few Unbound options which I load through "custom options" (I don't use BIND):
server:
  tls-cert-bundle: /etc/ssl/cert.pem
  harden-glue: yes
  use-caps-for-id: yes
  so-rcvbuf: 1m
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 1.1.1.2@853#cloudflare-dns.com

Since last year they are saying that at some point they will remove that section, and are you saying that I can create a custom config file to do same?

Thanks.

Sorry for OT, but harden-glue is not necessary.

https://redmine.pfsense.org/issues/4402
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: hushcoden on February 19, 2021, 07:31:51 PM
Since last year they are saying that at some point they will remove that section, and are you saying that I can create a custom config file to do same?
Yes of course. Put a file named "X-whatever-suits-your-fancy.conf" into /var/unbound/etc as I repeatedly wrote or linked to and that's that.

It's the official documented way now:
https://docs.opnsense.org/manual/unbound.html#advanced-configurations

February 19, 2021, 07:51:52 PM #6 Last Edit: February 19, 2021, 08:13:22 PM by pmhausen
Now could anyone try to answer my question? What about overrides and do-not-query-localhost?

If there are really technical reasons not to use them in combination, I have to reconsider my entire setup. Reason why I want BIND on 127.0.0.1: whenever a physical interface goes down, e.g. because I update my switch or my ISP router and reboot them, BIND stops listening on that interface. So I lose DNS until I manually restart BIND ...

The note was added by @mimugmail and @franco in this commit:
https://github.com/opnsense/docs/commit/39858a27b0ee97ef0d477d4df35b642c29e5c3d9#diff-5d4817cb52f5d4f439d854fc1286ca198cb6018c4c822380e5503250f420644e

What's the reasoning behind this? Please?

Looking at that commit and going down the rabbit hole, you'll find that it was the result of this bug report:
https://github.com/opnsense/docs/issues/137

Which was the result of this forum thread:
https://forum.opnsense.org/index.php?topic=10180

From what I can see, what was actually wrong with their custom options (and the documentation) is the missing 'server:' line. Which puts 'do-not-query-localhost' outside of the server clause and causes a syntax error. Not having overrides probably did put it inside the server clause by pure chance.

It seems they didn't figure this out. So instead of just adding the 'server:' line to the custom options example in the documentation, this paragraph was added. Which is most likely BS.

Plausible?

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
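The failure mode Maurice describes (an option that sits outside any clause because the 'server:' line is missing) can be checked mechanically before Unbound is restarted. The Python script below is an added example written for this thread; it is not part of the thread, of OPNsense, or of Unbound. It implements a deliberately small subset of what unbound-checkconf validates: it tracks which clause is open, flags options that appear before any clause, and uses a hand-picked map of which clause a few options belong to (an assumption limited to the options mentioned in this thread). It runs over three constructed fragments: the broken custom options, the same fragment with 'server:' added, and a DNS-over-TLS forwarding fragment in the shape of hushcoden's custom options.

```python
"""Structural check of Unbound config fragments (constructed example, not
Unbound's own code): a small subset of what unbound-checkconf validates,
enough to show why custom options without a leading 'server:' line fail."""
import re
from dataclasses import dataclass, field

# Keywords that open a clause in unbound.conf(5).
CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "view",
           "remote-control", "python", "dnstap", "cachedb", "rpz"}

# Which clause an option belongs to. Assumption: only the options that appear
# in this thread are listed; any other option is accepted in any clause.
OPTION_CLAUSE = {
    "do-not-query-localhost": {"server"},
    "harden-glue": {"server"},
    "use-caps-for-id": {"server"},
    "so-rcvbuf": {"server"},
    "tls-cert-bundle": {"server"},
    "name": {"forward-zone", "stub-zone", "auth-zone", "view", "rpz"},
    "forward-addr": {"forward-zone"},
    "forward-tls-upstream": {"forward-zone"},
}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_-]+):\s*(.*?)\s*$")
# '#' starts a comment only at line start or after whitespace; inside a value
# such as 9.9.9.9@853#dns.quad9.net it is part of the token.
COMMENT_RE = re.compile(r"(^|\s)#.*$")


@dataclass
class Report:
    clauses: list = field(default_factory=list)  # clause names in file order
    errors: list = field(default_factory=list)   # (line number, message)

    @property
    def ok(self):
        return not self.errors


def check_fragment(text):
    """Walk the fragment line by line, remembering which clause is open."""
    report = Report()
    current = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = COMMENT_RE.sub("", raw).rstrip()
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            report.errors.append((n, f"unparseable line: {raw.strip()!r}"))
            continue
        key, value = m.group(1), m.group(2)
        if key in CLAUSES and value == "":
            current = key  # a bare clause keyword opens a new section
            report.clauses.append(key)
            continue
        if current is None:
            report.errors.append(
                (n, f"option '{key}' appears before any clause (missing 'server:'?)"))
            continue
        allowed = OPTION_CLAUSE.get(key)
        if allowed and current not in allowed:
            report.errors.append(
                (n, f"option '{key}' is not valid in '{current}:'"))
    return report


# Constructed fragments. BROKEN mirrors the situation Maurice describes:
# do-not-query-localhost with no 'server:' line in front of it.
BROKEN = """\
do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@53530
"""
FIXED = """\
server:
  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@53530
"""
# DNS-over-TLS forwarding in the shape of hushcoden's custom options.
DOT_FORWARDING = """\
server:
  tls-cert-bundle: /etc/ssl/cert.pem
  harden-glue: yes
  use-caps-for-id: yes
  so-rcvbuf: 1m
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 1.1.1.2@853#cloudflare-dns.com
"""

if __name__ == "__main__":
    for label, frag in (("broken", BROKEN), ("fixed", FIXED), ("dot", DOT_FORWARDING)):
        r = check_fragment(frag)
        print(f"{label}: {'OK' if r.ok else 'ERROR'} clauses={r.clauses}")
        for n, msg in r.errors:
            print(f"  line {n}: {msg}")
```

Running it reports an error on line 1 of the broken fragment and passes the other two. The same check_fragment() call can be pointed at the contents of a drop-in file under /var/unbound/etc; the real authority remains unbound-checkconf, which knows every option, whereas this script only knows the handful listed in OPTION_CLAUSE.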

Thanks, Maurice! Perfectly reasonable. I could not find anything about this in the Unbound documentation, so I was sceptical from the start. Thanks for reminding me that there are possibly bug tickets linked to commits.