limit dns request to specific resource record

[superfox]

Hi there

using the on-board tools of opnsense - is it possible to limit a hosts dns request to one specific resource record?

For a network(interface), i can limit the access to unbound to one host, using a firewall rule. Now i want to limit the dns request of this host to one specific resource record,
so that this host is only able to resolve, for example "server.domain.test" to "172.17.17.1", and not anything else.

I think i have to use advanced plugins for this task, but i wanted to ask you guys first :-)

[PacketChomper]

for example "server.domain.test" to "172.17.17.1", and not anything else.

Do you mean constrain the request or the answer? Sounds like you mean the answer coming back.

If you know what the answer is going to be (say it's always 172.17.17.1) then you can over-ride the host/domain with a local instance of unbound.

But if you want to change the answer by, e.g., removing additional A RRs or removing all AAAA RRs, then that's not possible with firewall rules as you need to modify the DNS packet by, amongst other things, changing the "answer count" and shuffling up any OPT RRs that may be at the end of the response.

In short, you'll probably have to create/find a plugin which re-writes the DNS answer to satisfy this requirement.

[superfox]

If you know what the answer is going to be (say it's always 172.17.17.1) then you can over-ride the host/domain with a local instance of unbound.

I already did this and added two override entries. Thanks!

Do you mean constrain the request or the answer? Sounds like you mean the answer coming back.

I want to restrict the clients request, so that the client can not request any hostnames (e.g. from the internet) but _only_ the overrides.

[zyos]

If you only want one host to resolve one particular record would you not be better off doing something with that hosts host file and simply tell that host what that domain resolves to? Seems like a lot of extra trouble to go to getting the firewall involved at if I understand your use case correctly. If you think the IP might change more often a little bash script on another machine that can resolve all host name could make the update every 5 minutes or something if you'd with right?

[superfox]

If you only want one host to resolve one particular record would you not be better off doing something with that hosts host file and simply tell that host what that domain resolves to? Seems like a lot of extra trouble to go to getting the firewall involved at if I understand your use case correctly. If you think the IP might change more often a little bash script on another machine that can resolve all host name could make the update every 5 minutes or something if you'd with right?

Good point! I have to think about this and speak to communication partner. Thanks!

I guess there is no other way without actively "filtering" dns request traffic. Then your idea is the easier way.