Unbound problem

Started by ivarh, February 15, 2025, 02:17:04 PM

I have a webserver on my LAN that I use a host override in Unbound to resolve to the internal IP address from my LAN. The DNS zone has the hostname pointing to my public IP with a NAT forward. This works well. However, it appears that when you use a host override it masks any other DNS records for that hostname. I use DNSSEC to sign my zone, and this allows me to include SSHFP records for my hosts that run SSH servers. It contains the host SSH key, and this allows ssh to skip the question about saving the SSH host key on the first attempt at connecting to the SSH server. But when I use the host override, the SSHFP DNS records for the host are not passed through Unbound.

example:
ivar@Neptun ~ % dig sshfp webby.webhotel.au

; <<>> DiG 9.10.6 <<>> sshfp webby.webhotel.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38484
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;webby.webhotel.au. IN SSHFP

;; Query time: 6 msec
;; SERVER: 2403:5806:f52c:1::1#53(2403:5806:f52c:1::1)
;; WHEN: Sun Feb 16 00:12:24 AEDT 2025
;; MSG SIZE  rcvd: 46

ivar@Neptun ~ % dig @1.1.1.1 sshfp webby.webhotel.au

; <<>> DiG 9.10.6 <<>> @1.1.1.1 sshfp webby.webhotel.au
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2693
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;webby.webhotel.au. IN SSHFP

;; ANSWER SECTION:
webby.webhotel.au. 900 IN SSHFP 1 1 534198865C1722360C2DED878B9F0E00CBE27243
webby.webhotel.au. 900 IN SSHFP 1 2 DEB6BB02DDA46CC09D4478896BF2E7E72AFC8454D905764B8520A629 A0BC4382
webby.webhotel.au. 900 IN SSHFP 3 1 2BE2EFA222E832FF12B7DB368C7DFE350A541AF6
webby.webhotel.au. 900 IN SSHFP 3 2 990DD9B3CB4D903F71EB0ECD7717C5AB5C5AC5DE8A16709DC1C21E8C A253734E
webby.webhotel.au. 900 IN SSHFP 4 1 7018BADFAD65C27C4EE0822DA2D8F559737BAB23
webby.webhotel.au. 900 IN SSHFP 4 2 12844754B9CB4E8363AEAA083C119CE76B2CB56DB145764318B14BE9 0DAF7EC5

;; Query time: 54 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Feb 16 00:12:35 AEDT 2025
;; MSG SIZE  rcvd: 286

Is there a way to configure Unbound to only change the DNS records I specify in the overrides section (A and AAAA) and forward a request for any other DNS records for the host to the normal external DNS servers?

/ivar

Try changing [Services > Unbound DNS > General > Local Zone Type] to "typetransparent" (or maybe experiment with some of the other options)...

Sadly, none of those (different) options allowed other DNS records than A and AAAA for an override host to bleed through :(

/ivar

Ahh, right, that'd only work if "webhotel.au" is your local domain (System > Settings > General), which it probably isn't. I think the only way to make it work would be to create a file named (something like) /usr/local/etc/unbound.opnsense.d/custom_overrides.conf, containing (something like):

local-zone: "webhotel.au" typetransparent
local-data: "webby.webhotel.au A 192.168.1.100"

(then restart the Unbound service)