Unbound NS/SOA records for private domains

Started by eugenmayer, June 03, 2018, 09:59:51 AM

I am using a public TLD for which I use the private-domain flag in Unbound and also a domain override.

So let's assume it is company.com. I use the namespace <namespace>.company.com as an internal domain, so internal.company.com (domain override in Unbound).

The problem now is that I am using a tool for ACME DNS-01 challenges which will do a DNS lookup on the default DNS server (OPNsense in this question), searching for an NS record (primary nameserver for company.com) like

dig mysub1.internal.company.com NS

during the challenge. If it finds an NS record, it will poll the primary server for the TXT record created during DNS-01; if it does not find an NS server it will fail.

Apparently with OPNsense + Unbound + domain override the NS responses are all empty. I ask myself how I could potentially fix that.

So

dig mysub1.internal.company.com NS

and

dig internal.company.com NS

are empty, since the domain override is on internal.company.com

dig company.com NS

will return the problem primary NS (public server)

Any hints on how to solve this?

NS records can be created in an advanced configuration. The configuration looks like the one generated here in the code:
https://github.com/opnsense/core/pull/2097/files#diff-a89985242e1eea6a91d3e103e3353d5cR594


For anybody running into that: use "typetransparent" instead of "transparent" in Unbound.

Sorry for the necroposting, but it feels relevant to the original question: is this possible today? I need SOA/NS records for the domain managed by the firewall; it's basically to emulate a "well behaved" authoritative DNS.

for the record, this is the way: https://docs.opnsense.org/manual/unbound.html#advanced-configurations

If running CARP, configuration should be done on both nodes.

I am having the same problem too, but neither switching to "typetransparent" in Unbound -> General
nor creating a Template with

server:
  private-domain: intern.mydomain.de
  private-domain: video.mydomain.de

allows me to resolve SOA/NS records.

Reading the Unbound docs:

Quote
private-domain: <domain name> Allow this domain, and all its subdomains to contain private addresses

I don't understand how this would enable/create SOA/NS records.

Am I missing something? How could I create SOA/NS records?

You have to create local-zone and local-data entries (see the unbound.conf man page). But please remember:

Quote
4. Non-Goals

  • An authoritative name server
  • Too many Features
https://www.nlnetlabs.nl/documentation/unbound/requirements/

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
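As an added example (not configuration from this thread, from the OPNsense project, or from the linked docs), here is what the local-zone/local-data approach Maurice refers to looks like in an Unbound advanced-configuration template, combined with the "typetransparent" setting eugenmayer mentioned earlier. The domain internal.company.com, the name ns1, the serial and the 10.0.0.x addresses are made-up placeholders; the behaviour notes in the comments follow the unbound.conf man page.

```conf
server:
  # Let the zone and everything below it carry RFC 1918 addresses without
  # being filtered as a rebinding attempt (OPNsense sets this via "private
  # domains"; shown here for completeness).
  private-domain: "internal.company.com"

  # "transparent": a name that exists in local-data but lacks the queried
  # type answers NODATA (the empty NS answer seen in the first post).
  # "typetransparent": the missing type is resolved upstream instead, so the
  # records below answer the NS/SOA queries and nothing else is hidden.
  local-zone: "internal.company.com." typetransparent

  # Zone apex: SOA and NS. SOA fields are
  #   primary-ns  responsible-mailbox  serial  refresh  retry  expire  minimum
  # (hostmaster.internal.company.com. is the mailbox hostmaster@internal.company.com)
  local-data: "internal.company.com. 3600 IN SOA ns1.internal.company.com. hostmaster.internal.company.com. 2018060301 7200 3600 1209600 3600"
  local-data: "internal.company.com. 3600 IN NS ns1.internal.company.com."

  # Glue for the name server named above (placeholder address: the firewall itself).
  local-data: "ns1.internal.company.com. 3600 IN A 10.0.0.53"

  # An ordinary host inside the zone (placeholder address).
  local-data: "mysub1.internal.company.com. 3600 IN A 10.0.0.10"
```

To check the result from a client that uses the firewall as resolver, query the NS and SOA types directly (`dig @<firewall-ip> internal.company.com NS` and `dig @<firewall-ip> internal.company.com SOA`) and confirm the answers come back non-empty. Keep in mind what Maurice quoted: Unbound only serves these records to its own clients from local-data; it does not become an authoritative server that other resolvers or an external ACME validator could reach, so anything that must be visible from outside still needs a real authoritative name server.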

Hi Maurice,

Quote from: Maurice on August 19, 2022, 05:38:20 PM
4. Non-Goals

  • An authoritative name server

so what would you recommend? Installing os-bind as an authoritative name server on OPNsense?
Do you know of any documentation on how to configure BIND together with Unbound in OPNsense?

Thank you very much
Klaus

@kd.gundermann, depends on your use case. If you want an authoritative name server running on OPNsense itself, the BIND plugin is currently the go-to option. Or you run a name server on a separate machine (which is what I do).

There is some info about the BIND plugin in the official OPNsense docs, otherwise just search the forum.

Cheers
Maurice