Unbound (maybe?) provides wrong ip when asked

[bob9744]

Hi all!

Noticed lately that attempts to resolve the name of my opnsense box take 30 seconds or so, so I thought I'd try pinging the name while letting the browser spin, trying to open the page.

Turns out that, rather than resolving it to 10.0.10.1 (vlan 10, where my pc sits), it somehow resolved to 10.0.40.1 (vlan 40 - dmz), where I disallow access to the web gui. _Eventually_ things must resolve, because navigation succeeds, and I'm in the gui.

Is this an issue because my PC has access to every vlan? `ipconfig` confirms the correct gateway ip (10.0.10.1) - why on earth would unbound return the router's address from a different vlan than the one I participate in?

Thanks!

[bob9744]

One more thing that confuses me: if unbound creates a record for each device that receives an address from DHCP, including records for static DHCP entries, why does it ever forward odd constructs such as "MachineA.example.net.example.net" to my DoT DNS? Shouldn't it stop at "MachineA.example.net", which it has a record for?

[bob9744]

Using DNS Lookup under Interfaces -> Diagnostics, I can lookup names registered during DHCP _without_ those queries being forwarded through DoT. But if I do an nslookup, the queries are forwarded before being resolved - why would that be?

[bob9744]

Nvm - dug around and found how to constrain the answer using access control view.

I am curious tho - isn't this a common scenario, multiple subnets and therefore multiple IPs for the gateway? I know there were whole threads on keeping the unbound gui a bit cleaner by pushing advanced tasks to manually edit conf files, but I wonder if this is something so common that hoisting it into the gui would make sense.

[Patrick M. Hausen]

why does it ever forward odd constructs such as "MachineA.example.net.example.net" to my DoT DNS?

Because some client on your network sends it that question. The recursive nameserver does not add or remove search domains. The resolver libraries on client devices do.

HTH,
Patrick

[bob9744]

Because some client on your network sends it that question. The recursive nameserver does not add or remove search domains. The resolver libraries on client devices do.

HTH,
Patrick

Ah, that makes sense - Win 11's doing it. Oh well, I guess it's fine - not like it's leaking anything of value - just annoying... thanks!

[meyergru]

I tend to use different subdomains for my vlans just because of this. And I priorize them by handing out an ordered list of domain suffixes. That way, I can still retain a short name for a machine while allowing it to have different names/IPs in subnets (like opnsense itself).

The other option is to disable DNS entries for DHCP leases and controlling everything tightly. It is one of the reasons that I prefer dnsmasq over unbound, just a little more control over some behaviour.

[nununo]

Nvm - dug around and found how to constrain the answer using access control view.

Hello bob9744, I am having the exact same problem. Can you please elaborate on how exactly did you manage to solve this? Did you manage to do it through the GUI? I was going to implement a solution proposed here: https://forum.opnsense.org/index.php?topic=16833.0, which relied on field "custom options" to define access control views but just found out that it was removed from the GUI  so now I'm at a loss.

Thanks in avance.