Unable to resolve local IP

[Tripple_Delta]

Hi all,

Setup:
OPNsense 23.1.11-amd64
FreeBSD 13.1-RELEASE-p8
OpenSSL 1.1.1u 30 May 2023

I setup some DNS records on my registrar pointing to local IP's.
After the latest update from OPNsense it looks like I'm unable to resolve local IP's,

Like this:
$ dig A www.google.com
;; ANSWER SECTION:
www.google.com.      98   IN   A   142.250.179.164

$ dig A some local domain name
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> A
;; global options: +cmd
;; no servers could be reached

$ ping 127.0.0.53
PING 127.0.0.53 (127.0.0.53) 56(84) bytes of data.
64 bytes from 127.0.0.53: icmp_seq=1 ttl=64 time=0.040 ms
64 bytes from 127.0.0.53: icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from 127.0.0.53: icmp_seq=3 ttl=64 time=0.057 ms

What am I doing wrong?

[CJ]

127.0.0.53 is the local DNS cache on your Ubuntu machine. What does your /etc/resolv.conf look like?

Where and how are "some local domain name" configured?

[Tripple_Delta]

/etc/resolv.conf on the firewall?

The local DNS records are configured with the control panel from my registrar. Like firewall, NAS, etc

[Maurice]

Does "local IPs" mean private IP addresses (RFC1918 / ULAs)? And you are publishing these in public DNS? That won't work because Unbound removes all private IP addresses from answers it gets from public DNS servers.  It's a security feature (rebind protection).

[Tripple_Delta]

Sorry, indeed private addresses. I've been doing it that way for years. Why is this a security risk?

Always willing to learn, what should be best practice?

[Maurice]

Rebind protection in Unbound has been there for years, too, although some modifications were made from time to time. Not sure why it worked for you in the past.

Regarding the security risk: https://en.wikipedia.org/wiki/DNS_rebinding
(Not the most detailed and up-to-date explanation, but a good start.)

Best practice is to keep the internal DNS zone (something like intranet.example.com) on an internal DNS server, not a public one.
If you can't or don't want to do that for any reason, you can configure exceptions in Unbound which allow private IP addresses in public DNS records for specific domains.

[Tripple_Delta]

Thanks.

No idea why it suddenly stopt working. I guess after the latest OPNsense update.

[Tripple_Delta]

Now this is strange.
Even with unbound turned off I can't reach the DNS server to resolve private addresses.
I have to look somewhere else for the cause.

[Tripple_Delta]

Turns out this has nothing to do with OPNsense. Sorry.