[solved] Unbound returns IPs of all interfaces OPNsense

Started by myradon, April 18, 2020, 04:24:15 PM

Hi guys,

I moved from pfSense to OPNsense. It had been on my list forever, and now was the time, because there has been a huge bug in pfSense 2.4.5 for several weeks that makes it totally unresponsive. That said:

I have set up Unbound and it works, but I have a big problem with the results returned when querying OPNsense itself. My system has 4 different subnets. When a client queries the FQDN of OPNsense, it returns the records of all interfaces. The first record is on another subnet, so it doesn't work / is very slow. When I configure Unbound to only listen on the interface the client computer is on, it of course works.

The results:

mercury:~ raymond$ sudo killall -HUP mDNSResponder
mercury:~ raymond$ nslookup opnsense
Server: 192.168.130.129
Address: 192.168.130.129#53
Name: opnsense.myradon.net
Address: 192.168.132.1
Name: opnsense.myradon.net
Address: 192.168.130.129
Name: opnsense.myradon.net
Address: 192.168.133.129
Name: opnsense.myradon.net
Address: 192.168.131.129


How can I configure Unbound so that it returns only the A record of the interface the query is coming from?

It could work with a view that's bound to a subnet via an ACL.
Here you can find an example (the post is in German, but the code should be clear):
https://forum.opnsense.org/index.php?topic=12557.msg57830#msg57830

April 18, 2020, 06:49:02 PM #2 Last Edit: April 18, 2020, 06:52:03 PM by myradon
@stefanpf Thanks a lot! It works great  :)

Maybe it comes in handy for someone else; add this to the "Custom options" field:


#Access control for remote IP range: select the view by the client's source address
access-control-view: 192.168.130.128/25 bridgelan
access-control-view: 192.168.131.128/29 wirelessguest
access-control-view: 192.168.132.0/24 bridgeiot
access-control-view: 192.168.133.128/29 dmz

#One view per subnet; each answers the firewall name only with the firewall IP on that subnet
view:
    name: "bridgelan"
    local-zone: "myradon.net" transparent
    local-data: "opnsense.myradon.net A 192.168.130.129"
    local-data: "opnsense A 192.168.130.129"
    #view-first: Unbound will try the view's local-zone tree first, and if there is no match it will search the global tree.
    view-first: yes

view:
    name: "wirelessguest"
    local-zone: "myradon.net" transparent
    local-data: "opnsense.myradon.net A 192.168.131.129"
    local-data: "opnsense A 192.168.131.129"
    #view-first: Unbound will try the view's local-zone tree first, and if there is no match it will search the global tree.
    view-first: yes

view:
    name: "bridgeiot"
    local-zone: "myradon.net" transparent
    local-data: "opnsense.myradon.net A 192.168.132.1"
    local-data: "opnsense A 192.168.132.1"
    #view-first: Unbound will try the view's local-zone tree first, and if there is no match it will search the global tree.
    view-first: yes

view:
    name: "dmz"
    local-zone: "myradon.net" transparent
    local-data: "opnsense.myradon.net A 192.168.133.129"
    local-data: "opnsense A 192.168.133.129"
    #view-first: Unbound will try the view's local-zone tree first, and if there is no match it will search the global tree.
    view-first: yes
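
Added example (not from this thread or from OPNsense/Unbound): a small Python script that builds the "Custom options" fragment above from a table of interfaces and sanity-checks it before you paste it in. It checks that each netblock is a real network address (192.168.132.1/24 works in Unbound because only the prefix bits are compared, but host bits in a netblock usually mean a typo), that the address a view hands out actually lies inside the subnet that view serves, and that no view name is reused. It also models what a client should get back: Unbound assigns the most specific access-control-view netblock containing the source address, and a client outside every netblock gets no view and is answered from the global tree, i.e. all interface addresses. That last point is the caveat to keep in mind: queries from the firewall itself (127.0.0.1) or from any range without an access-control-view line (a VPN range, for example) still see all four addresses. Note also that access-control-view only selects a view; the normal access-control allow rules OPNsense generates for your networks are still what permits the query. The interface table and the global answer below are constructed from the values in the thread; the view and zone names are the thread's, everything else (function names, the Iface type) is this example's own.

```python
"""Added example: build and sanity-check per-subnet Unbound views.

Models the thread's setup: one access-control-view per subnet, each view
answering the firewall's name with the address on that subnet only.
"""
import ipaddress
from typing import List, NamedTuple


class Iface(NamedTuple):
    view: str      # Unbound view name
    network: str   # client subnet in CIDR form
    fw_ip: str     # firewall address on that subnet


# Constructed sample table mirroring the four subnets in the thread
# (hypothetical values; adjust to your own interfaces).
INTERFACES = [
    Iface("bridgelan", "192.168.130.128/25", "192.168.130.129"),
    Iface("wirelessguest", "192.168.131.128/29", "192.168.131.129"),
    Iface("bridgeiot", "192.168.132.0/24", "192.168.132.1"),
    Iface("dmz", "192.168.133.128/29", "192.168.133.129"),
]

# What the global tree answers for opnsense.myradon.net: every interface
# address, in the order the nslookup output in the thread shows them.
GLOBAL_ANSWER = [i.fw_ip for i in (INTERFACES[2], INTERFACES[0],
                                   INTERFACES[3], INTERFACES[1])]


def check_interfaces(ifaces: List[Iface]) -> List[str]:
    """Return problems found in the table; an empty list means it is consistent."""
    problems = []
    seen = set()
    for i in ifaces:
        net = ipaddress.ip_network(i.network, strict=False)
        # 192.168.132.1/24 selects the same clients as 192.168.132.0/24 in
        # Unbound, but host bits in a netblock usually mean a typo.
        if str(net) != i.network:
            problems.append(f"{i.view}: {i.network} has host bits set, use {net}")
        # The address a view hands out must belong to the subnet it serves,
        # otherwise clients get an address they cannot reach directly.
        if ipaddress.ip_address(i.fw_ip) not in net:
            problems.append(f"{i.view}: {i.fw_ip} is not inside {net}")
        if i.view in seen:
            problems.append(f"{i.view}: view name used twice")
        seen.add(i.view)
    return problems


def render_unbound_views(ifaces: List[Iface], zone: str, host: str) -> str:
    """Render the 'Custom options' fragment: view selection plus one view per subnet."""
    fqdn = f"{host}.{zone}"
    lines = ["# Select a view by the client's source address"]
    lines += [f"access-control-view: {i.network} {i.view}" for i in ifaces]
    for i in ifaces:
        lines += [
            "",
            "view:",
            f'    name: "{i.view}"',
            f'    local-zone: "{zone}" transparent',
            f'    local-data: "{fqdn} A {i.fw_ip}"',
            f'    local-data: "{host} A {i.fw_ip}"',
            "    view-first: yes",   # view data first, then the global tree
        ]
    return "\n".join(lines) + "\n"


def expected_answer(client_ip: str, ifaces: List[Iface],
                    global_answer: List[str]) -> List[str]:
    """Model which A records a client sees for the firewall name.

    Unbound picks the most specific access-control-view netblock containing
    the source address; a client outside every netblock gets no view and is
    answered from the global tree, i.e. all interface addresses.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for i in ifaces:
        net = ipaddress.ip_network(i.network, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, i)
    if best is None:
        return list(global_answer)
    return [best[1].fw_ip]


if __name__ == "__main__":
    for p in check_interfaces(INTERFACES):
        print("problem:", p)
    print(render_unbound_views(INTERFACES, "myradon.net", "opnsense"))
    for client in ("192.168.130.200", "192.168.133.130", "127.0.0.1"):
        print(client, "->", expected_answer(client, INTERFACES, GLOBAL_ANSWER))
```

Run it, paste the printed fragment into Unbound's "Custom options", then confirm from a host on each subnet with `dig opnsense.myradon.net @<firewall IP>` that only that subnet's address comes back; a query from the firewall's own shell is the quickest way to see the unmatched-client fallback.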

Quote from: myradon on April 18, 2020, 06:49:02 PM
@stefanpf Thanks a lot! It works great  :)
[...]

Hey, have you found a better option? I was thinking of adding an override to have just 1 IP