What's the correct way to set up local zone reverse lookup with Unbound?

[mayo]

Very interesting! I will study how to do this because I'm not so expert... Thank you so much for your help both in configuring and understanding how it works! I hope to make it as better I can.

Just fyi on my network I have opnsense unbound set to use 1.1.1.1 as a forwarder and an internal DNS server that client nodes use and provides dns filtering - that dns server gets its answers from unbound running on the opnsense. On opnsense I redirect any queries on port 53 using outbound nat to the internal dns server except for the source ip of the firewall and the ip of the internal dns server, so their queries do not get looped back. This means anyone changing their dns server to either the opnsense firewall or any external IP are silently having their requests directed back to the internal dns filter server. An alert is then flagged on my opnsense. Currently I have found it n my network a roku tv and an ip camera that had hardcoded dns servers trigger this alert. I also block outbound traffic to known doh servers. Currently the only app that has triggered an alert to try bypass dns filtering by querying hardcoded external doh servers is the app ‘tiktok’ which I then subsequently blocked all of bytedances servers on the dns level so the apps do not function.

[allebone]

Yup good luck thats the best way to learn, slowly add more and more as you find a need to do so and remove things that you thought you needed but found that actually you did not when experimenting on your home network

[Taomyn]

It still doesn't work for me. I did think it could be the custom options I have set in Unbound to direct external lookups to DNSCrypt-Proxy, but it never receives them and even when I add the overrides to it as well it doesn't work.

[allebone]

Please post a screenshot of the overrides. It is working for me. I assume 192.168.1.1 is the opnsense.

[Taomyn]

As requested

[allebone]

I agree the .11 override looks correct. Would you happen to have any rule on the firewall that could interfere or prohibit 192.168.1.1 from reaching the dns server you have configured in overrides? EG: a nat redirect rule on port 53 to block anything not querying your pihole etc? Also is the pihole the authoritative server for the ptr records or does it in turn forward on the requests somewhere else (the dhcp server?) to get the answers? If it does forward please use the override section DNS server to be the dns server creating the ptr records (eg if 192.168.1.11 forwards a ptr request to 192.168.1.2 please use 192.168.1.2 in override).

[allebone]

reason I am asking is I saw on a forum there is an option in pihole for "Never forward reverse lookups for private IP ranges". Im not clear what this option does, but if Pihole is not authoritative then it wont forward... I think? Please ensure the DNS server you set in overrides is the authoritative one, not an intermediate eg: pihole if it is not creating the ptr records.

[Taomyn]

I do have a rule but it's set to allow the IPs in the second screen shot, but as you can see from the first one I can perform lookups from the firewall to one of the DNS servers.


The two IPs 192.168.1.11 and 192.168.1.12 are the DNS servers on the two Windows domain controllers so Pi-Hole has nothing to do with the issue, and yes both servers are authoritative for my domain of course.

[allebone]

Hmm I am struggling to think of a reason it does not work for you.

On the windows DNS server .11 I am assuming that under 'reverse lookup zones' there exists a domain 1.168.192.in-addr.arpa and that in this zone various records you query exist as either static or dynamic addresses based on how they were registered.

I must ask you to look into this further. The response you posted for one of the ptr records is not what I expect.

Response you posted: 192.168.1.83 ----> Google-Home-Mini.

Response expected on a domain:

192.168.1.83 ----->Google-Home-Mini.MyCorporation.Com

Why does the windows DNS server not auto register the ptr record correctly on behalf of your clients joined to the domain? Alternatively can you change the ptr record for the Google home mini device to be static with the domain included? I have checked my DNS zone and the domain part is included on the records either automatically, or statically by my own configuration.

Also is root@bart the opnsense server? I am not clear as I do not know your network.

[Taomyn]

You will not see my full domain as I don't want published publicly on this forum, but I can assure you the full domain is being reported back on each test. I thought this time not to pixelize the whole domain to make it clearer it was being redacted.


And yes root@bart is my OpnSense firewall, it's the command-shell prompt. It's a dedicated physical machine.

[allebone]

I understand, no problem. Please find attached my config for unbound to compare to yours. Also a test showing it works.

Can you post if possible your unbound.conf so I can review for differences? My network is 192.168.2.0/24 and I query from a machine with an ip of 192.168.2.22 to 192.168.2.2 (Ip of opnsense with unbound configured).

Pete

[allebone]

Im just going to get some lunch so wont be able to reply for an hour. Hope thats ok

[Taomyn]

No worries, it's 19:30 here and doing some remote working before I go to sleep.

[allebone]

What happened did you compare the configs?

[allebone]

Im so sad we never found out what happened