Archive > 19.1 Legacy Series

wondering about unbound acls (ipv6 query refused after prefix change)


bootstrap:
Hi there!

I've been using OPNsense for a few weeks now (currently OPNsense 19.1.9-amd64 in kvm) and so far I'm quite happy with the results, so thank you for that :)

While testing (and hopefully improving) my setup, I noticed that I was having recurring problems with unbound, which always worked on restart, but after a few hours started to refuse queries using ipv6.
It seems that the access-control settings that are built on startup don't work if one is using dynamically changing ipv6 prefixes, since the access-controls get defined once, at startup.

While I could not find a way to easily refresh the access controls without restarting unbound, I wondered why I would want acls in the first place.
There may be setups that require those, but in my case, I'm using a few vlans behind my internet connection, and each and every host behind my firewall is using unbound for dns anyway.
Also: if I didn't want a subnet or client to connect to unbound, I could just modify the firewall rules accordingly.

I tried using access-control statements in the config override field, but that either gets ignored, or overwritten, so it did not do anything for me.
So here's what I did to circumvent my problem: I added ::0/0 to unbound.inc, so that on startup, a global allow for everything ipv6 will be put in /var/unbound/access_lists.conf.
This is by no means an elegant solution and it may break when updating, but it works for me.

Back to my question: why would I want acls in the first place?
For me, the answer seems to be that I don't. Can someone tell me why I should bother with acls?


If a developer reads this: I can supply more details regarding my ipv6 setup if anyone is interested.
Long story short: new prefix every few hours makes it necessary to track those changes in unbound or things break. There seems to be a mechanism in place to follow dhcpv6 leases, which I'm not using.
I'm using the track interface option to set up multiple vlans behind opnsense, which is working as expected and correctly updating addresses. Unbound just doesn't know about the changes and I'm proposing to ignore that by giving the option for a "free for all" default acl.
I'm aware that "only open if you need it" is the generally better idea when thinking about a security product, but as I said above: there's the firewall ruleset that can be used to achieve that as well.

Any comments?

Thanks and have a nice day :)
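An added example (not from this thread and not OPNsense's own code) of the alternative to a ::0/0 allow: regenerate the access list from the prefixes currently assigned to the interfaces and reload unbound only when they changed, so the ACL follows the new prefix instead of being opened to everything. The ifconfig output is a constructed sample; the file path is the one named in the post, and the script assumes `unbound-control` is configured and that nothing else rewrites that file (on OPNsense unbound.inc regenerates it, so this shows the idea rather than a drop-in).

```python
import ipaddress
import re
import subprocess

# Constructed sample of FreeBSD `ifconfig` output, not captured from a real box.
IFCONFIG_SAMPLE = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::a00:27ff:fe12:3456%vlan10 prefixlen 64 scopeid 0x5
    inet6 2001:db8:a:10::1 prefixlen 64
vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::a00:27ff:fe12:3457%vlan20 prefixlen 64 scopeid 0x6
    inet6 2001:db8:a:20::1 prefixlen 64
    inet6 fd00:1::1 prefixlen 64
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)", re.MULTILINE)


def lan_prefixes(ifconfig_text):
    """Networks of all non-link-local, non-loopback IPv6 addresses in ifconfig output."""
    nets = set()
    for addr, plen in INET6_RE.findall(ifconfig_text):
        addr = addr.split("%", 1)[0]  # drop the FreeBSD scope suffix (fe80::1%vlan10)
        iface = ipaddress.IPv6Interface(f"{addr}/{plen}")
        if iface.ip.is_link_local or iface.ip.is_loopback:
            continue
        nets.add(iface.network)  # the prefix with the host part masked off
    return sorted(nets)


def render_access_list(nets):
    """One unbound access-control allow line per prefix, nothing wider than that."""
    lines = ["# generated from the prefixes currently assigned to the LAN interfaces"]
    lines += [f"access-control: {net} allow" for net in nets]
    return "\n".join(lines) + "\n"


def refresh(path="/var/unbound/access_lists.conf"):
    """Rewrite the access list from live ifconfig output; reload unbound only on change."""
    text = subprocess.run(["ifconfig"], capture_output=True, text=True, check=True).stdout
    new = render_access_list(lan_prefixes(text))
    try:
        with open(path) as f:
            old = f.read()
    except FileNotFoundError:
        old = ""
    if new == old:
        return False  # prefixes unchanged, nothing to do
    with open(path, "w") as f:
        f.write(new)
    subprocess.run(["unbound-control", "reload"], check=True)
    return True
```

Run `refresh()` from cron or from the hook that fires when the tracked interface gets its new prefix; link-local and loopback addresses never end up in the list.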

norg:
I just stumbled upon the same issue, I was wondering why DNS was so slow and with wireshark I saw refused in the reply. Setting my local IPv6 network (which is static btw) in /var/unbound/access_lists.conf fixed it.
