What's the correct way to set up local zone reverse lookup with Unbound?

[Taomyn]

My current network is set up that I have internal servers providing DHCP and DNS services to my LAN, that then forward requests to my firewall via my Pi-Hole. This is all working really well except for one minor thing: the firewall cannot reverse lookup up any internal machines so things like the firewall log in the web console only ever shows the IP address. Internal domain lookups are fine as I have got that set up in the overrides section of Unbound, but the reverse ones are not.


What's the correct way in Unbound to set up the reverse lookup for my internal subnets? I can see the "Local Zone Type" is set to "Transparent", but I cannot fathom what to change it to and where configure the forwarder.

[mayo]

I'm in the same situation!
Opnsense acts as DHCP and DNS.
Configured following this guide: https://homenetworkguy.com/how-to/configure-dns-opnsense-pihole/


Also I have a Linksys Mesh router in bridge mode connected to opnsense. It generates a lot of PTR request that is showing like xx.xx.xx.xx.in-addr.arpa in my pi-hole web interface.

[mayo]

Hi Taomyn,
did you resolved this iussue? I didn't found anything about it... Thank you in advance!

My current network is set up that I have internal servers providing DHCP and DNS services to my LAN, that then forward requests to my firewall via my Pi-Hole. This is all working really well except for one minor thing: the firewall cannot reverse lookup up any internal machines so things like the firewall log in the web console only ever shows the IP address. Internal domain lookups are fine as I have got that set up in the overrides section of Unbound, but the reverse ones are not.


What's the correct way in Unbound to set up the reverse lookup for my internal subnets? I can see the "Local Zone Type" is set to "Transparent", but I cannot fathom what to change it to and where configure the forwarder.

[Taomyn]

Hi Taomyn,
did you resolved this iussue? I didn't found anything about it... Thank you in advance!

No, no-one else replied so still waiting on an answer

[allebone]

I havent tested this but I believe you would go to overrides and then add a domain override.

The domain to add would be something like:
1.168.192.in-addr.arpa

(this would specify 192.168.1.x)

and in the IP section you would put the DNS server for unbound to query eg: 192.168.1.20 (assuming that is IP of DNS server).

I would say that if you do this you should take care to ensure the firewall does not answer DNS queries to anyone other than on the local LAN or it would be possible to fingerprint devices behind your network and perform a nat pinning attack. You can ensure this is the case by making sure only LAN is selected for unbound to run on and ensuring 53 is not open on your firewall.

[mayo]

Thank you allebone.

I havent tested this but I believe you would go to overrides and then add a domain override.

The domain to add would be something like:
1.168.192.in-addr.arpa

(this would specify 192.168.1.x)

and in the IP section you would put the DNS server for unbound to query eg: 192.168.1.20 (assuming that is IP of DNS server).

I would say that if you do this you should take care to ensure the firewall does not answer DNS queries to anyone other than on the local LAN or it would be possible to fingerprint devices behind your network and perform a nat pinning attack. You can ensure this is the case by making sure only LAN is selected for unbound to run on and ensuring 53 is not open on your firewall.

I have to setup the override in OPNsense, right? And nothing in pi-hole local DNS section?
Thank you!

[Taomyn]

I'm afraid it doesn't seem to work, I still only get the IP - I tried restarting the Unbound service and it still did the same.

I havent tested this but I believe you would go to overrides and then add a domain override.

The domain to add would be something like:
1.168.192.in-addr.arpa

(this would specify 192.168.1.x)

and in the IP section you would put the DNS server for unbound to query eg: 192.168.1.20 (assuming that is IP of DNS server).

I would say that if you do this you should take care to ensure the firewall does not answer DNS queries to anyone other than on the local LAN or it would be possible to fingerprint devices behind your network and perform a nat pinning attack. You can ensure this is the case by making sure only LAN is selected for unbound to run on and ensuring 53 is not open on your firewall.

[mayo]

I have also tried, but not working. Still showing (reverse) IPs and a lot of PTR requests.

[allebone]

Please can you show me how you have tested that your dns server (pihole?) you are using in the override setting of unbound is able to reply with a ptr record? Eg: a screenshot from a client using nslookup against the dns server where the ptr records reside showing it give an authoritative answer to a requested ptr record.

[allebone]

I have also tried, but not working. Still showing (reverse) IPs and a lot of PTR requests.

Are you saying you now see ptr requests from inbound now, on your dns server (pihole).

If so then unbound was correctly configured. If pihole does not reply with the correct reverse record answer then you must explain why pihole is unable to give the answer to the dns query when requested. This is similar to my post above asking that you check pihole can actually do this.

[allebone]

Hi,

I did not hear back regarding this. Please can you do the steps like the below screenshot against the dns server that you expect the ptr records to be held and let me know.

Example commands to type highlighted in yellow, expected answer example in red.

Kind regards,
P

[mayo]

Thank you allebone, I've made nslookup as you told and I have same results as yours with my IPs.
DNS is my pi-hole and it resolves hostnames correctly. (And currently I have no overrides configured...)

[allebone]

Thank you.

I setup a windows dns server and unbound to test on opnsense. I also had an issue until I found this option here :

Once I set to be able to forward queries out of the lan interface my opnsense running unbound could resolve ptr records for me by forwarding the query to the windows dns server and querying the ptr records.

Please double check your config as I believe I have confirmed it can work.

Pete

[mayo]

Perfect! last question: do I have to set Overrides or not with this configuration enabled?

Thank you.

I setup a windows dns server and unbound to test on opnsense. I also had an issue until I found this option here :

Once I set to be able to forward queries out of the lan interface my opnsense running unbound could resolve ptr records for me by forwarding the query to the windows dns server and querying the ptr records.

Please double check your config as I believe I have confirmed it can work.

Pete

[allebone]

Yes the domain override is telling the unbound server where to go and query for that specific domain, in this case the domain is a ptr reverse lookup domain, so without the override unbound will simply query whatever is configured in your forwarders section or use root hints if you query that way, both which cannot provide an authoritative answer to your query of an internal record.

Edit : if you set your forwarder or dns server for opnsense to be pihole then it would work without an override but I would advise against such a setup as the firewall should be able to resolve dns without pihole working to ensure services that rely on dns (sensei etc) to function in the event of an outage with pihole or error and also because blocking these services from accessing domains by way of a filter may have undesirable effects. You should trust the firewall to not need filtering or alternatively use a product you do trust. The firewall should be able to sort itself out essentially without relying on a piece of internal equipment to be working perfectly.

Just fyi on my network I have opnsense unbound set to use 1.1.1.1 as a forwarder and an internal DNS server that client nodes use and provides dns filtering - that dns server gets its answers from unbound running on the opnsense. On opnsense I redirect any queries on port 53 using outbound nat to the internal dns server except for the source ip of the firewall and the ip of the internal dns server, so their queries do not get looped back. This means anyone changing their dns server to either the opnsense firewall or any external IP are silently having their requests directed back to the internal dns filter server. An alert is then flagged on my opnsense. Currently I have found it n my network a roku tv and an ip camera that had hardcoded dns servers trigger this alert. I also block outbound traffic to known doh servers. Currently the only app that has triggered an alert to try bypass dns filtering by querying hardcoded external doh servers is the app ‘tiktok’ which I then subsequently blocked all of bytedances servers on the dns level so the apps do not function.

Final thing I will say is that I dont agree with the general consensus that using 1.1.1 or some other public dns is a privacy concern if your alternative is to use toot hints with unbound. Or what I mean is using root hints does not solve the privacy concern imo. If you obscure your DNS and then turn right around to your ISP and say ‘please connect me to this IP’ then you have not solved the privacy issue and have simple made your dns queries take longer. For this reason I dont use root hints and use 1.1.1.1 which is very fast.

To obscure your traffic a vpn provider who does not log would be required but I dont know how to ensure that a vpn provider is actually doing what they say. For this reason I believe its better to simply know all you do on the internet is logged and there is no real privacy unless you are illegally compromising servers on the internet and proxying your traffic through them and clearing all the logs automatically yourself and somehow making sure you dint get caught. I dont see any solution as really viable in the real world so it seems better to me to simply understand that public internet = public space. People are allowed to look at what you do in public when you walk to the shops. Same on the internet.