SOLVED: Unbound: Using TLD test. internally and Unbound as caching DNS

Started by rainerle, April 12, 2024, 05:48:38 PM

Hi,
we use the .test domain internally configured on four Bind DNS servers.

A nslookup using one of those is successful:

PS C:\Users\admin> nslookup m.s.test 10.20.30.254
Server:  controlnode02.muc.contoso.com
Address:  10.20.30.254

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>


The OPNsense Unbound uses all four Bind servers as forward servers, but the nslookup is not successful:

PS C:\Users\admin> nslookup m.s.test 10.20.30.1
Server:  UnKnown
Address:  10.20.30.1

*** m.s.test wurde von UnKnown nicht gefunden: Non-existent domain.
PS C:\Users\admin>


Switching back to DNSmasq it just works:

PS C:\Users\admin> nslookup m.s.test 10.20.30.1
Server:  private-access.muc-fw01.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>


How can I enable the .test domain for unbound?

Already tried with "Private Domains" and  "Insecure Domains" on the Advanced tab - did not help...

Thanks
Rainerle


You should use the "Unbound DNS" :: "Query Forwarding" menu for that. If you run BIND on your OPNsense host itself _with_ Unbound, you have to run BIND on an alternative port, not 53.

Works like a charm.

So I changed the config from attachment one to attachment two and started the unbound on port 54 to keep the DNSmasq running while testing...

And indeed:

PS C:\Users\admin> nslookup -port=53 m.s.test 10.20.30.254
Server:  controlnode02.muc.contoso.com
Address:  10.20.30.254

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin> nslookup -port=53 m.s.test 10.20.30.1
Server:  private-access.muc-fw01.muc.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin> nslookup -port=54 m.s.test 10.20.30.1
Server:  private-access.muc-fw01.muc.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>


...it just works!!! NOT!!!

See next post...

So, no, it does not work.

Windows nslookup does not know how to use a different port than 53...

Using Linux it shows...

admin@linux:~$ nslookup -port=53 m.s.test 10.20.30.254
Server:         10.20.30.254
Address:        10.20.30.254#53

m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

admin@linux:~$ nslookup -port=53 m.s.test 10.20.30.1
Server:         10.20.30.1
Address:        10.20.30.1#53

m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

admin@linux:~$ nslookup -port=54 m.s.test 10.20.30.1
Server:         10.20.30.1
Address:        10.20.30.1#54

** server can't find m.s.test: NXDOMAIN

admin@linux:~$


...a NXDOMAIN for unbound where on bind9 and dnsmasq on the same host I get the expected reply.

If the "s.test" domain is a _valid_ authoritative zone on your configured forwarders there's no need to specify them separately in the "Query Forwarding" section as I suggested.
Unbound is very strict (for obvious reasons); you might want to check the _correct_ config of that zone, as it is also CNAME-ing to an active public contoso.com domain.

Tools like dnstracer, dnswalk or dnsrecon might help to get a view of how things are resolved and delegated in your case. Might be that Unbound is blocking the .test TLD anyhow; see the OPNsense docs on how to override the Unbound config with templates.

In case you haven't heard of Contoso yet...
https://de.wikipedia.org/wiki/Contoso
I use that to replace our own organisation's URLs...

The problem is surely the test TLD and Unbound's handling of it. But I doubt that OPNsense will allow free-text user customisations of it...

Quote from: rainerle on April 14, 2024, 10:10:17 AM
The problem is surely the test TLD and Unbound's handling of it. But I doubt that OPNsense will allow free-text user customisations of it...

You should use the template system for that: https://docs.opnsense.org/manual/unbound.html#advanced-configurations

Do some tweaking with the config entry:

# local-zone: "test." nodefault

https://datatracker.ietf.org/doc/html/rfc6761.html
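The reason the forwarders never see the query is that Unbound ships with built-in local zones for the RFC 6761 special-use names (test., invalid., localhost., onion., ...) and answers them itself; a forward-zone for "." does not change that until the built-in zone is switched off with nodefault. The following audit script is an added example (not code from this thread, from OPNsense or from NLnet Labs): it parses a constructed unbound.conf modelled on the one pasted later in the thread, together with the custom_server_options.conf snippet above, and reports for a hand-picked subset of Unbound's default local zones whether they are still answered locally or will be forwarded. It does not expand `include:` globs; the test simply concatenates the custom file, which is what the include does on the box.

```python
"""Audit an unbound.conf for Unbound's built-in (RFC 6761) local zones.

Added example, not code from the forum thread, OPNsense or Unbound itself.
Reports, for a subset of the zones Unbound answers locally by default,
whether a `local-zone: "<name>" nodefault` override exists and whether a
forward-zone then covers the name. `include:` lines are not expanded.
"""
import re
from typing import Dict, List, Tuple

# Assumption: abbreviated subset of the default local-zones listed in
# unbound.conf(5); the real list also contains the RFC 1918 reverse zones.
DEFAULT_LOCAL_ZONES = ("localhost.", "test.", "invalid.", "onion.",
                       "home.arpa.", "10.in-addr.arpa.")

Directive = Tuple[str, str, str]  # (section, key, value)


def parse_unbound_conf(text: str) -> List[Directive]:
    """Flatten unbound.conf text into (section, key, value) triples.

    Comments and blank lines are dropped. A line with a key and no value
    (`server:`, `forward-zone:`) opens a new section.
    """
    directives: List[Directive] = []
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value == "":
            section = key
            continue
        directives.append((section, key, value))
    return directives


def local_zone_overrides(directives: List[Directive]) -> Dict[str, str]:
    """Map zone name (with trailing dot) -> type for every local-zone line."""
    overrides: Dict[str, str] = {}
    for _section, key, value in directives:
        if key != "local-zone":
            continue
        m = re.match(r'"?([^"\s]+)"?\s+(\S+)', value)
        if m:
            name = m.group(1).lower()
            overrides[name if name.endswith(".") else name + "."] = m.group(2).lower()
    return overrides


def forward_zone_names(directives: List[Directive]) -> List[str]:
    """Names of all configured forward-zones, quotes stripped."""
    return [v.strip('"').lower() for s, k, v in directives
            if s == "forward-zone" and k == "name"]


def audit_special_zones(text: str) -> Dict[str, str]:
    """Say how the resolver will treat each default local zone."""
    directives = parse_unbound_conf(text)
    overrides = local_zone_overrides(directives)
    forwards = forward_zone_names(directives)
    report: Dict[str, str] = {}
    for zone in DEFAULT_LOCAL_ZONES:
        ztype = overrides.get(zone)
        if ztype is None:
            # Built-in zone still active: answered locally (NXDOMAIN for
            # test., which carries no local-data); never sent to forwarders.
            report[zone] = "builtin-default (answered locally, not forwarded)"
        elif ztype == "nodefault":
            covered = zone in forwards or "." in forwards
            report[zone] = ("nodefault -> forwarded" if covered
                            else "nodefault -> recursed via root hints")
        else:
            report[zone] = f"local-zone type {ztype}"
    return report


# Constructed sample modelled on the generated /var/unbound/unbound.conf
# pasted in the thread (trimmed), before any custom include is applied.
GENERATED_CONF = """\
server:
    chroot: /var/unbound
    port: 53
    module-config: "python validator iterator"
    interface: 0.0.0.0
    interface: ::
    private-address: 10.0.0.0/8
    include: /var/unbound/etc/*.conf

forward-zone:
    name: "."
        forward-addr: 10.20.30.254
        forward-addr: 10.20.30.22
"""

# Constructed: the custom_server_options.conf template from the thread.
CUSTOM_CONF = """\
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
"""

if __name__ == "__main__":
    for label, conf in (("without custom include", GENERATED_CONF),
                        ("with custom include", GENERATED_CONF + CUSTOM_CONF)):
        print(f"== {label}")
        for zone, status in audit_special_zones(conf).items():
            print(f"  {zone:20} {status}")
```

Run it against the real file with `audit_special_zones(open("/var/unbound/unbound.conf").read() + open("/var/unbound/etc/custom_server_options.conf").read())` to confirm that only the zones you deliberately opened up (test. here) are forwarded, while invalid., onion. and the private reverse zones keep being answered locally and never leak to the forwarders.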

What the heck...
...first time I see the template system...
Instead of Custom options in the GUI, let's complicate the process and not allow syncing to the HA partner automatically...

Looks like a step down to me...

And the template system looks broken as well...


root@opnsense02:~ # configctl template reload custom/Unbound
OK
root@opnsense02:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense02:~ # configctl unbound restart
OK
root@opnsense02:~ # cat /var/unbound/etc/custom_server_options.conf
cat: /var/unbound/etc/custom_server_options.conf: No such file or directory
root@opnsense02:~ #


A restart of Unbound just deletes the custom config file...

But it works on the primary HA partner...


root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ #


Eieieiei, I am starting to lose my trust...

The configuration file in /var/unbound/... is generated from the one you are supposed to put in /usr/local/etc/unbound.opnsense.d.

As documented in the link posted by netnut.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on April 15, 2024, 06:13:18 PM
The configuration file in /var/unbound/... is generated from the one you are supposed to put in /usr/local/etc/unbound.opnsense.d.

As documented in the link posted by netnut.

I very much doubt that. Have a look at the generated config in use by unbound:

root@opnsense01:~ # ps aux | grep unbound
unbound 39061    0.0  1.0 356572 163636  -  Ss   18:11         0:02.11 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    38534    0.0  0.0  12748   2364  1  S+   18:14         0:00.00 grep unbound
root@opnsense01:~ # cat /var/unbound/unbound.conf
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
include: /var/unbound/advanced.conf
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "python validator iterator"
num-threads: 16
msg-cache-slabs: 32
rrset-cache-slabs: 32
infra-cache-slabs: 32
key-cache-slabs: 32
auto-trust-anchor-file: /var/unbound/root.key



# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# Private networks for DNS Rebinding prevention (when enabled)
private-address: 0.0.0.0/8
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.2.0/24
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 233.252.0.0/24
private-address: ::1/128
private-address: 2001:db8::/32
private-address: fc00::/8
private-address: fd00::/8
private-address: fe80::/10


# Private domains (DNS Rebinding)
include: /var/unbound/private_domains.conf

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)


# Custom includes
include: /var/unbound/etc/*.conf

# Forwarding
forward-zone:
    name: "."
        forward-addr: 10.20.30.254
        forward-addr: 10.20.30.22
        forward-addr: 10.20.50.5
        forward-addr: 10.20.50.6


python:
python-script: dnsbl_module.py

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem
root@opnsense01:~ #

The configctl system does that - Unbound doesn't know and doesn't care. Again, it's documented here:

https://docs.opnsense.org/manual/unbound.html#advanced-configurations
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ok, I am sorry, you are right.


root@opnsense01:~ # cat /usr/local/opnsense/service/templates/custom/Unbound/+TARGETS
custom_server_options.conf:/usr/local/etc/unbound.opnsense.d/custom_server_options.conf
root@opnsense01:~ # rm /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /usr/local/etc/unbound.opnsense.d/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound check
no errors in /var/unbound/unbound.conf
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # nslookup m.s.test 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

root@opnsense01:~ #
root@opnsense01:~ # ls -al /var/unbound/etc/custom_server_options.conf
-rw-r-----  1 unbound  unbound  100 Apr 15 18:40 /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # scp -r /usr/local/opnsense/service/templates/custom opnsense02:/usr/local/opnsense/service/templates/
custom_server_options.conf    100%  101   316.8KB/s   00:00
+TARGETS                      100%   88   299.2KB/s   00:00
root@opnsense01:~ #


And it now works on both nodes. I believe I first started using the directory in the +TARGETS file from the configuration - so on the primary it was already correct and in the proper place. That did not happen on the secondary - so there it was missing and then it failed after a proper restart...
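The failure mode in this thread (template staged on one HA node, missing on the other, so a restart silently drops the rendered file) is easy to catch with a consistency check run on every node. The script below is an added example, not OPNsense code: it parses a `+TARGETS` file in the `template_file:destination_path` form shown above, verifies that each template source exists under the template directory and that its destination has been rendered and matches the template. It assumes the custom template is static text (no Jinja variables), so "rendered" equals "byte-identical"; the default paths are the ones from the thread, and `demo()` builds a throwaway tree under a temporary directory so it can be run anywhere.

```python
"""Check that a custom OPNsense Unbound template is staged on this node.

Added example, not OPNsense code. Reads +TARGETS (`source:destination` per
line), then checks each template source and its rendered destination.
Assumption: templates are static text, so source and destination must match.
"""
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# Template directory from the thread; the rendered file lands in
# /usr/local/etc/unbound.opnsense.d/ and configctl copies it to /var/unbound/etc/.
TEMPLATE_DIR = "/usr/local/opnsense/service/templates/custom/Unbound"


def parse_targets(text: str) -> Dict[str, str]:
    """Parse +TARGETS lines `template_file:destination_path` into a dict."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, sep, dst = line.partition(":")
        if not sep or not dst.strip():
            raise ValueError(f"malformed +TARGETS line: {line!r}")
        mapping[src.strip()] = dst.strip()
    return mapping


def check_template_deployment(template_dir: str = TEMPLATE_DIR) -> List[str]:
    """Return a list of problems; an empty list means the node is consistent."""
    problems: List[str] = []
    targets_path = os.path.join(template_dir, "+TARGETS")
    if not os.path.isfile(targets_path):
        return [f"missing {targets_path}: template never staged on this node"]
    with open(targets_path) as fh:
        mapping = parse_targets(fh.read())
    for src, dst in mapping.items():
        src_path = os.path.join(template_dir, src)
        if not os.path.isfile(src_path):
            problems.append(f"template source missing: {src_path}")
            continue
        if not os.path.isfile(dst):
            problems.append(f"destination not rendered: {dst} "
                            "(run: configctl template reload custom/Unbound)")
            continue
        with open(src_path, "rb") as a, open(dst, "rb") as b:
            if a.read() != b.read():
                problems.append(f"destination differs from template: {dst}")
    return problems


# Constructed template body, identical to the one in the thread.
CUSTOM_TEMPLATE = ('server:\n'
                   '    # Disable default NXDOMAIN for our internal test. TLD\n'
                   '    local-zone: "test." nodefault\n')


def demo() -> Tuple[List[str], List[str]]:
    """Stage the template in a temp tree, check before and after rendering."""
    root = tempfile.mkdtemp(prefix="unbound-tpl-")
    try:
        tdir = os.path.join(root, "custom", "Unbound")
        os.makedirs(tdir)
        dst = os.path.join(root, "unbound.opnsense.d", "custom_server_options.conf")
        with open(os.path.join(tdir, "custom_server_options.conf"), "w") as fh:
            fh.write(CUSTOM_TEMPLATE)
        with open(os.path.join(tdir, "+TARGETS"), "w") as fh:
            fh.write(f"custom_server_options.conf:{dst}\n")
        before = check_template_deployment(tdir)   # staged, not yet rendered
        os.makedirs(os.path.dirname(dst))
        shutil.copyfile(os.path.join(tdir, "custom_server_options.conf"), dst)
        after = check_template_deployment(tdir)    # rendered, consistent
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, problems in zip(("before reload", "after reload"), demo()):
        print(f"{label}: {problems or 'OK'}")
```

On a real node call `check_template_deployment()` with no arguments on both HA partners after every change to the template; a non-empty result on the secondary is exactly the state that produced the vanishing `/var/unbound/etc/custom_server_options.conf` above.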