Accessing OPNsense by its Hostname

[opojomo]

Hello all,

I am used to access my hosts by their hostname on the local domain, like opnsense.opojomo.local

With OPNsense itself there is something I do not understand. If I try to access opnsense.opojomo.local the IP I get from the DNS (Unbound DNS) is always [when I flush DNS of course] a random gateway (=OPNsense) IP address of one of my VLANs. Thus, if the IP returned by the DNS is not a specific IP [one from a VLAN that shall have access to OPNsense, others must not] I will not get access to OPNsense.

I have set Unbound DNS overwrite for opnsense.opojomo.local -> 172.16.1.1, still, the IP my clients get are always different.

How may I resolve this issue?

Thanks in advance for your help!

Best regards

[lfirewall1243]

Have you selected the Opnsense as DNS server in your client ?

[opojomo]

Yes, all clients will get the gateway IP as DNS. Also I have a port forward for every DNS (Port 53) request to "127.0.0.1". This is working since I can reach all other overwrites I configured.

[Maurice]

Unbound registers the IP addresses of all interfaces it is listening on with the OPNsense hostname. If you want it to return only the address(es) of a specific interface, configure it to listen only on that interface. Also see: https://forum.opnsense.org/index.php?topic=22043.0

(And you probably don't want to use .local, that's for mDNS / zeroconf only.)

Cheers

Maurice

[opojomo]

Alright, I get it. So in this case every client should use 172.16.1.1 as DNS server, then they could use Unbound DNS which is answering to LAN ip (172.16.1.1).

Maybe a weird question, but... I have port forwarding set for every port 53 dns request from any VLAN to be routed to 172.16.1.1:53 (Unbound DNS), is it true that Unbound DNS will see the client ip as the requesting ip, instead of the opnsense ip (which is port forwarding the request)?

Is there a possibility to configure 172.16.1.1 as DNS for every VLAN/ DHCP at one point or do I have to enter it in every single VLAN/ DHCP setting?

Thanks for your help

[Greelan]

Is there a possibility to configure 172.16.1.1 as DNS for every VLAN/ DHCP at one point or do I have to enter it in every single VLAN/ DHCP setting?

Under System>Settings>General>Networking

[Maurice]

I have port forwarding set for every port 53 dns request from any VLAN to be routed to 172.16.1.1:53 (Unbound DNS), is it true that Unbound DNS will see the client ip as the requesting ip, instead of the opnsense ip (which is port forwarding the request)?

Port forwarding does not change the source address. But to avoid any potential issues, you could set the destination in the port forward rule to 'not 172.16.1.1'.

do I have to enter it in every single VLAN/ DHCP setting?

Yes.

Under System>Settings>General>Networking

As long as Unbound is enabled, the DHCPv4 server will advertise the interface IP address as the DNS server, even if Unbound is not listening on that interface. The DNS servers from the global settings are only advertised if Unbound is disabled. At least that's how it worked last time I tried it; maybe this has changed?

[Greelan]

As long as Unbound is enabled, the DHCPv4 server will advertise the interface IP address as the DNS server, even if Unbound is not listening on that interface. The DNS servers from the global settings are only advertised if Unbound is disabled. At least that's how it worked last time I tried it; maybe this has changed?

Ah, my mistake, I don’t run unbound on OPNsense (I run Pi-hole and unbound on a separate box)

[opojomo]

I tried the following:
- Removed all DNS servers from System > Settings > General
- Firewall rule on network "Private" to allow all packets from Private net to This Firewall
- Added 172.16.1.1 [LAN net ip] as DNS server to DHCP settings of Private net
- Removed Private from Unbound DNS listening networks, leaving it with WAN, LAN

When I apply these settings nslookup returns "Query refused" and I do not understand why.

Network Interfaces: Interface IP addresses used for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

My client on Private net does a "nslookup ecosia.org 172.16.1.1" on port 53 so Unbound DNS should receive a request from Private net ip and answer it, but it doesn't.



EDIT:
I forgot to put 0.0.0.0/0 back into the Unbound DNS access list. Now it is working!

[opojomo]

I hope it is okay not to open a new topic for this question.

For network services like DNS and NTP I reated a vlan and interface. With a floating rule I allow all packets from all other nets (all ports, all sources, destination Network Services net). Do you think this is a bad idea?