Unbound fails to start when loading custom access control views

Started by bob9744, July 31, 2023, 06:40:04 PM

Hello!

Unbound now fails to start when trying to load custom access control views, something that worked well up to this point.

Here's the content from the conf file that I drop in /usr/local/etc/unbound.opnsense.d, formatted as outlined in the unbound docs:

access-control-view: 10.0.10.0/24 trusted
access-control-view: 10.0.20.0/24 kids
access-control-view: 10.0.30.0/24 iot
access-control-view: 10.0.40.0/24 dmz
access-control-view: 10.0.50.0/24 cameras

view:
    name: "trusted"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.10.1"
    local-data: "opnsense A 10.0.10.1"
    view-first: yes

view:
    name: "kids"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.20.1"
    local-data: "opnsense A 10.0.20.1"
    view-first: yes

view:
    name: "iot"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.30.1"
    local-data: "opnsense A 10.0.30.1"
    local-zone: "ntp.org" redirect
    local-data: "ntp.org A 10.0.30.1"
    view-first: yes

view:
    name: "dmz"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.40.1"
    local-data: "opnsense A 10.0.40.1"
    view-first: yes

view:
    name: "cameras"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.50.1"
    local-data: "opnsense A 10.0.50.1"
    local-zone: "ntp.org" redirect
    local-data: "ntp.org A 10.0.50.1"
    view-first: yes


Any ideas of why this is failing now would be greatly appreciated!

Thanks!

I also experienced a similar issue.

Prior to 23.7, I was using a custom unbound conf with an access-control-view defined.

Once I upgraded to 23.7, unbound would no longer start. Removing the access-control-view allows unbound to start. No idea what's causing it.

Here's my redacted sample conf:


server:

access-control-view: 192.168.2.0/24 "vlan10"

local-zone: "domain.url" redirect
local-data: "domain.url 86400 IN A 192.168.1.1"

view:
name: "vlan10"
local-zone: "localdomain" deny


I'm trying to prevent local DNS lookups from vlan10.

Quote from: bob9744 on July 31, 2023, 06:40:04 PM
Hello!

Unbound now fails to start when trying to load custom access control views, something that worked well up to this point.

Here's the content from the conf file that I drop in /usr/local/etc/unbound.opnsense.d, formatted as outlined in the unbound docs:

access-control-view: 10.0.10.0/24 trusted
access-control-view: 10.0.20.0/24 kids
access-control-view: 10.0.30.0/24 iot
access-control-view: 10.0.40.0/24 dmz
access-control-view: 10.0.50.0/24 cameras

view:
    name: "trusted"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.10.1"
    local-data: "opnsense A 10.0.10.1"
    view-first: yes

view:
    name: "kids"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.20.1"
    local-data: "opnsense A 10.0.20.1"
    view-first: yes

view:
    name: "iot"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.30.1"
    local-data: "opnsense A 10.0.30.1"
    local-zone: "ntp.org" redirect
    local-data: "ntp.org A 10.0.30.1"
    view-first: yes

view:
    name: "dmz"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.40.1"
    local-data: "opnsense A 10.0.40.1"
    view-first: yes

view:
    name: "cameras"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.50.1"
    local-data: "opnsense A 10.0.50.1"
    local-zone: "ntp.org" redirect
    local-data: "ntp.org A 10.0.50.1"
    view-first: yes


Any ideas of why this is failing now would be greatly appreciated!

Thanks!

Not sure why you need custom views here, a simple port forward rule would do just fine:

Select all (V)LANs in scope, Proto UDP, Source Any Destination Any DPort 123 Redirect 127.0.0.1 Port 123

You can then clone the rule and change NTP to DNS, adjusting the proto to TCP/UDP.

Quote from: newsense on August 05, 2023, 06:46:12 AM

Not sure why you need custom views here, a simple port forward rule would do just fine:

Select all (V)LANs in scope, Proto UDP, Source Any Destination Any DPort 123 Redirect 127.0.0.1 Port 123

You can then clone the rule and change NTP to DNS, adjusting the proto to TCP/UDP.

Thanks for the response! Maybe I misunderstand your answer - primarily what I was trying to do was ensure that querying either 'opnsense' or its FQDN would resolve to the IP that matches the vlan the query was issued from. You're right, though, about the ntp entries - ironically, I already have port forwards for those in place - I must've forgotten to go back and prune them from the views file...

For now, since I really only access the router using its 'short' name from my PC, I dropped an entry in hosts that matches the VLAN my PC's on - that's good enough for now.

Quote from: aptalca on August 05, 2023, 03:21:59 AM
I also experienced a similar issue.

Prior to 23.7, I was using a custom unbound conf with an access-control-view defined.

Once I upgraded to 23.7, unbound would no longer start. Removing the access-control-view allows unbound to start. No idea what's causing it.

Here's my redacted sample conf:


server:

access-control-view: 192.168.2.0/24 "vlan10"

local-zone: "domain.url" redirect
local-data: "domain.url 86400 IN A 192.168.1.1"

view:
name: "vlan10"
local-zone: "localdomain" deny


I'm trying to prevent local DNS lookups from vlan10.

It turns out my issue was a formatting issue. I got rid of the quotes around the view name and fixed the indents and now it starts with the following custom config. I guess the older version of unbound tolerated formatting issues but the newer version doesn't.


server:

access-control-view: 192.168.2.0/24 vlan10

local-zone: "domain.url" redirect
local-data: "domain.url 86400 IN A 192.168.1.1"

view:
    name: vlan10
    local-zone: "localdomain" deny

Quote from: aptalca
It turns out my issue was a formatting issue. I got rid of the quotes around the view name and fixed the indents and now it starts with the following custom config. I guess the older version of unbound tolerated formatting issues but the newer version doesn't.

Did you indent using spaces or tabs? I tried both, and unbound still failed to start for me...

I did 4 spaces. I'm not sure whether it was the indents or the removal of the quotes around the view name that fixed the issue as I did both at once and it worked.
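A consistency check for view configs like the ones posted in this thread, added here as an example (it is not any poster's code and not part of unbound or OPNsense): it splits the file into clauses, treats quoted and unquoted names alike, and reports views that are selected by access-control-view but never defined, plus local-data A records whose answer falls outside the subnet that selects the view (the first poster's stated intent was that each VLAN gets the matching address). The sample config is constructed for the example.

```python
import ipaddress
import re
# Constructed sample shaped like the configs posted above; not the posters' own files.
SAMPLE_CONF = """
server:
    access-control-view: 10.0.10.0/24 trusted
    access-control-view: 10.0.20.0/24 "kids"
    access-control-view: 10.0.30.0/24 iot
view:
    name: "trusted"
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.10.1"
view:
    name: kids
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.30.1"
"""
def unquote(token):  # treat a quoted token the same as an unquoted one
    return token[1:-1] if len(token) > 1 and token[0] == token[-1] == '"' else token

def parse_clauses(text):
    """Split unbound-style text into (clause, [(key, value), ...]) pairs."""
    clauses, current = [], None
    for raw in text.splitlines():
        key, _, value = (p.strip() for p in raw.split("#", 1)[0].partition(":"))
        if key and not value:  # "server:" / "view:" opens a new clause
            current = (key, [])
            clauses.append(current)
        elif key and current is not None:  # option line inside the open clause
            current[1].append((key, value))
    return clauses

def check_views(text):
    """Flag views selected but never defined, and A answers outside the selecting subnet."""
    acl, views = {}, {}
    for clause, opts in parse_clauses(text):
        if clause == "server":
            for key, value in opts:
                if key == "access-control-view":
                    net, name = value.split()
                    acl.setdefault(unquote(name), []).append(ipaddress.ip_network(net))
        elif clause == "view":
            name = next((unquote(v) for k, v in opts if k == "name"), None)
            views[name] = [unquote(v) for k, v in opts if k == "local-data"]
    findings = [f"undefined view {n!r}" for n in acl if n not in views]
    for name, records in views.items():
        for rr in records:
            # local-data RR: owner [ttl] [IN] A address
            m = re.match(r"\S+\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)$", rr)
            if m and name in acl and not any(ipaddress.ip_address(m[1]) in n for n in acl[name]):
                findings.append(f"view {name!r}: {rr!r} answers outside {acl[name]}")
    return findings
```

Running `check_views` over the sample reports the `iot` view as undefined and the `kids` view as answering with an address outside 10.0.20.0/24.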