Unable to resolve local IP

Started by Tripple_Delta, July 27, 2023, 03:44:35 PM

Hi all,

Setup:
OPNsense 23.1.11-amd64
FreeBSD 13.1-RELEASE-p8
OpenSSL 1.1.1u 30 May 2023

I set up some DNS records at my registrar pointing to local IPs.
After the latest OPNsense update it looks like I'm unable to resolve local IPs.

Like this:
$ dig A www.google.com
;; ANSWER SECTION:
www.google.com.      98   IN   A   142.250.179.164

$ dig A some local domain name
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> A
;; global options: +cmd
;; no servers could be reached

$ ping 127.0.0.53
PING 127.0.0.53 (127.0.0.53) 56(84) bytes of data.
64 bytes from 127.0.0.53: icmp_seq=1 ttl=64 time=0.040 ms
64 bytes from 127.0.0.53: icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from 127.0.0.53: icmp_seq=3 ttl=64 time=0.057 ms

What am I doing wrong?

127.0.0.53 is the local DNS cache on your Ubuntu machine. What does your /etc/resolv.conf look like?

Where and how are "some local domain name" configured?

/etc/resolv.conf on the firewall?

The local DNS records are configured with the control panel from my registrar. Like firewall, NAS, etc.

Does "local IPs" mean private IP addresses (RFC1918 / ULAs)? And you are publishing these in public DNS? That won't work because Unbound removes all private IP addresses from answers it gets from public DNS servers.  It's a security feature (rebind protection).
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Sorry, indeed private addresses. I've been doing it that way for years. Why is this a security risk?

Always willing to learn, what should be best practice?

Rebind protection in Unbound has been there for years, too, although some modifications were made from time to time. Not sure why it worked for you in the past.

Regarding the security risk: https://en.wikipedia.org/wiki/DNS_rebinding
(Not the most detailed and up-to-date explanation, but a good start.)

Best practice is to keep the internal DNS zone (something like intranet.example.com) on an internal DNS server, not a public one.
If you can't or don't want to do that for any reason, you can configure exceptions in Unbound which allow private IP addresses in public DNS records for specific domains.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
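The filtering described above (Unbound dropping private addresses from answers obtained from public DNS unless the name falls under a configured exception), modelled in Python as an added example; this is not OPNsense or Unbound code. The address ranges, domain names and sample answers are constructed for the example. The two mechanisms it stands in for are the real unbound.conf options `private-address:` (ranges that may not appear in upstream answers) and `private-domain:` (zones exempted from that rule).

```python
"""Model of Unbound-style DNS rebind protection (added example, not Unbound code).

Mirrors the effect of the unbound.conf options private-address and
private-domain: address records inside a private range are removed from
answers unless the queried name lies in an exempted zone. The ranges,
exempted zone and sample answers below are constructed for illustration.
"""
import ipaddress

# Ranges treated as private: RFC 1918, ULA, loopback and link-local.
# Constructed list; a real deployment takes these from private-address:.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
    "fd00::/8", "fe80::/10", "::1/128",
)]

# Zones allowed to carry private addresses (models private-domain:).
# Constructed example zone, as suggested in the thread.
PRIVATE_DOMAINS = {"intranet.example.com"}


def is_private(address):
    """True if the address falls inside any configured private range."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_RANGES)


def in_private_domain(name, private_domains=PRIVATE_DOMAINS):
    """True if the name or any of its parent zones is exempted."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in private_domains:
            return True
    return False


def filter_answers(name, answers, private_domains=PRIVATE_DOMAINS):
    """Split an upstream answer into (kept, dropped) address lists.

    A private address is dropped unless the queried name is inside an
    exempted zone; public addresses are always kept.
    """
    kept, dropped = [], []
    for addr in answers:
        if is_private(addr) and not in_private_domain(name, private_domains):
            dropped.append(addr)
        else:
            kept.append(addr)
    return kept, dropped


def resolve_like_unbound(name, answers, private_domains=PRIVATE_DOMAINS):
    """What the client observes: blocked records are simply absent."""
    kept, dropped = filter_answers(name, answers, private_domains)
    return {"name": name, "answers": kept, "rebind_blocked": dropped}


if __name__ == "__main__":
    # Constructed sample answers, as a registrar-hosted zone might return them.
    samples = {
        "www.google.com": ["142.250.179.164"],
        "firewall.example.com": ["192.168.1.1"],
        "nas.intranet.example.com": ["10.0.0.5"],
        "mixed.example.com": ["203.0.113.10", "fd12::1"],
    }
    for qname, rrs in samples.items():
        print(resolve_like_unbound(qname, rrs))
```

Running the block shows why the registrar-hosted records in the thread come back empty: `firewall.example.com` loses its only address, while a name under the exempted `intranet.example.com` zone keeps its private address. Listing a zone as an exception re-enables rebinding for that zone, so the exception should be as narrow as the internal namespace actually needs.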

Thanks.

No idea why it suddenly stopped working. I guess after the latest OPNsense update.

Now this is strange.
Even with Unbound turned off I can't reach the DNS server to resolve private addresses.
I have to look somewhere else for the cause.

Turns out this has nothing to do with OPNsense. Sorry.