Unbound DNS Enable Forwarding Mode does not work as expected

Started by gdur, September 18, 2020, 04:46:35 PM

I've set up Unbound DNS but "Enable Forwarding Mode" does not do what may be expected by following the official documentation/instructions:
In System->Settings->General I've defined my local DNS server.
In the DHCP settings for the network (OPT1) I'm connected to, I left the DNS server blank. The PC connected to this network gets the OPT1 address as DNS server from DHCP, which is right as it should be the firewall localhost to connect to Unbound DNS.
With these settings the Unbound DNS blacklist works as it should. Also public URLs are resolved.
The problem however is that my local addresses are not resolved, telling me that Unbound DNS does NOT forward requests to my local DNS server but is using an outside DNS server to resolve.
What do I do wrong???
Now I've configured the route to take the other way around: having DHCP point to my Bind DNS server and configuring it to forward to Unbound, and then it works(???). That doesn't make (OPN)sense to me...

Is your WAN DHCP? Does your ISP ship DNS servers as well? In that case you have to block your OPNsense from using these servers.


Cheers,
Franco

Hi Franco,
Thanks for your rapid response! I have a fixed public IP block but yes, the ISP also offers their DNS. However, there is no other way than to assume that not querying this external DNS server is done by not allowing "Allow DNS server list to be overridden by DHCP/PPP on WAN" in the System->Settings->General "DNS server options" setting. The associated help text says "If this option is set, DNS servers assigned by a DHCP/PPP server on WAN will be used for their own purposes (including the DNS services). However, they will not be assigned to DHCP clients. Since this option concerns all interfaces retrieving dynamic dns entries, you can exclude items from the list below. ". This phrase is somewhat unclear to me and maybe requires some more explanation on what it actually does. Therefore I left this option un-ticked. The behavior I've described doesn't change while toggling this setting. Should I add a block rule elsewhere, and if yes, what should that look like? For now it's just to learn and to get a better understanding of OPNsense. The outcome of how I configured it leads to the result I was trying to achieve and might even be an easier route to take.
In case there is indeed a need for an extra rule, then this is something the documentation is lacking. I think in most, if not all, cases having an internal Bind DNS server to resolve internal addresses is a quite common setup.

Hi there,

Sorry for the delay.

The setting would push the upstream servers when DHCP is used to the list of viable forwarding servers of the internal DNS service (either Dnsmasq or Unbound). When you use static addressing you need to specify your server manually anyway so it has no effect.

If you have your local DNS server entered in the general settings and forward mode set for Unbound it will be used for sure (there is no mixed resolving mode).

If unsure set Unbound advanced log mode to 3 where queries are logged so you can see the client is not bypassing the configuration / Unbound altogether (as browsers would do nowadays).


Cheers,
Franco

Hi Franco,
You wrote
> If you have your local DNS server entered in the general settings and forward mode set for Unbound it will be used for sure

Like I stated before, I have tried "Enable Forwarding Mode" and my internal Bind server is declared in General settings, but the behavior is as stated before: Unbound DNS does NOT forward requests to my internal Bind server but escapes to the outside (my ISP, connected through PPPoE) DNS resolver. For now not a problem anymore after configuring it in a reversed order as described before.

Hi,

Would you mind posting your Unbound configuration?

# cat /var/unbound/unbound.conf


Cheers,
Franco

Hi Franco,
Yes I will, but I think you mean the config while having "Enable Forwarding Mode" active, which isn't the case just now. This is a production machine so I'd rather fiddle around after office hours. Then I will roll back to the situation where it doesn't work and will share the config. So this may take some time...


Hi Franco,
Just couldn't wait. Reversed the situation and now it bypasses my local Bind server (10.67.1.2) although forwarding is present in the config(???).

> now it bypasses my local Bind server

Unbound is bypassing it or your clients are? Are you sure Unbound is answering local queries?

This is exactly what I would expect from the configuration. Make sure you don't have any DoT active as well.


Cheers,
Franco

Hi Franco,
Clients are configured by DHCP and receive OPNsense as the DNS server (gateway of their network). Local addresses are not resolved and I guess Unbound is using the outside DNS server which comes with PPPoE, as outside URLs are being resolved. May I ask what DoT means in this context?

Hi,

If name: "." is set it can't use root or ISP servers since they are not configured and everything is pushed to the forward-addr: 10.67.1.2

Please do check whether Unbound answers queries from your clients.


Cheers,
Franco
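To make the point about name: "." concrete, here is an added example (not from this thread or from OPNsense itself) that parses the forward-zone blocks of an unbound.conf, picks the zone Unbound would use for a query name (longest matching suffix), and flags the two things Franco mentioned: "." not pointing at the local server, and DoT (forward-tls-upstream / port 853) being active. The sample config and the extra "home.lan" zone are constructed assumptions.

```python
from typing import Dict, List

# Constructed sample in the shape of an OPNsense-generated unbound.conf (assumption).
SAMPLE_CONF = """\
server:
    verbosity: 1
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 10.67.1.2

forward-zone:
    name: "home.lan"
    forward-addr: 10.67.1.2
"""

def parse_forward_zones(conf: str) -> Dict[str, dict]:
    """Return every forward-zone: block as zone name -> {"addrs": [...], "tls": bool}."""
    zones: Dict[str, dict] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.endswith(":"):                       # section header (server:, forward-zone:, ...)
            current = {"addrs": [], "tls": False} if line == "forward-zone:" else None
            continue
        if current is None:                          # not inside a forward-zone block
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"')
        if key == "name":
            zones[value.rstrip(".").lower() or "."] = current   # "." stays "."
        elif key == "forward-addr":
            current["addrs"].append(value)
        elif key == "forward-tls-upstream":
            current["tls"] = value.lower() == "yes"
    return zones

def effective_zone(zones: Dict[str, dict], qname: str) -> str:
    """Unbound forwards a query via the most specific (longest-suffix) forward-zone."""
    labels = qname.rstrip(".").lower().split(".") if qname.strip(".") else []
    for i in range(len(labels) + 1):
        suffix = ".".join(labels[i:]) or "."
        if suffix in zones:
            return suffix
    return ""                                        # no forward-zone: iterative resolution

def audit(conf: str, local_dns: str) -> List[str]:
    """List reasons a query could still escape to a resolver other than local_dns."""
    zones = parse_forward_zones(conf)
    findings: List[str] = []
    root = zones.get(".")
    if root is None:
        findings.append('no forward-zone for ".": Unbound resolves via root servers')
    elif local_dns not in root["addrs"]:
        findings.append(f'"." forwards to {root["addrs"]}, not {local_dns}')
    for name, zone in zones.items():
        if zone["tls"] or any("@853" in a for a in zone["addrs"]):
            findings.append(f"zone {name} uses DoT (forward-tls-upstream / port 853)")
    return findings
```

Run audit() against the live file on the firewall (cat /var/unbound/unbound.conf) and, if it reports nothing, the remaining suspects are clients bypassing Unbound, which verbosity 3 logging will show.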

Hi Franco,
I really do appreciate your input, efforts and time spent on this matter. :)
You wrote:
> If name: "." is set it can't use root or ISP servers since they are not configured and everything is pushed to the forward-addr: 10.67.1.2
First it's unclear to me what field in the GUI is related to [name:] in unbound.conf.
But like mentioned before traffic is NOT pushed to my local DNS (10.67.1.2) as local addresses are not resolved.
> Please do check whether Unbound answers queries from your clients.

Public addresses are resolved by clients as they should be, and the Unbound blacklist is being obeyed, which tells me that clients are being served by Unbound. So it's still unclear to me where it goes wrong.
Still not a real problem for now as the reversed order, like described before, works fine.
Cheers,
Gerrit