Unbound leaks all subnets

Started by Voodoo, June 03, 2021, 09:58:22 PM

I noticed unbound leaks all subnets configured in opnsense.

Just query the firewall host; it can easily be found out with a PTR lookup.

Is there some way to prevent unbound from returning all the addresses?



# check dns server
user@docker1:~# nslookup docker1
Server:         192.168.1.1 <- used dns server
Address:        192.168.1.1#53

Name:   docker1.example.com
Address: 192.168.1.11

# ptr on dns server
user@docker1:~# nslookup 192.168.1.1
1.1.168.192.in-addr.arpa        name = firewall1.example.com.

# get all subnets
user@docker1:~# nslookup firewall1.example.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   firewall1.example.com
Address: 192.168.1.1
Name:   firewall1.example.com
Address: 192.168.2.1
Name:   firewall1.example.com
Address: 192.168.3.1
... (removed entries)
Name:   firewall1.example.com
Address: 10.10.1.0
Name:   firewall1.example.com
Address: 10.20.2.0
Name:   firewall1.example.com
Address: 10.20.0.2
... (removed entries)
Name:   firewall1.example.com
Address: 2a02:****
Name:   firewall1.example.com
Address: 2a02:****
Name:   firewall1.example.com
Address: 2a02:****
... (removed entries)




Woo, I've noticed the same.
Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

June 10, 2021, 09:23:08 AM #2 Last Edit: June 10, 2021, 06:33:27 PM by pmhausen
Quote from: Voodoo on June 03, 2021, 09:58:22 PM
I noticed unbound leaks all subnets configured in opnsense.
And this is a problem, because ...?

Quote from: Voodoo on June 03, 2021, 09:58:22 PM
Is there some way to prevent unbound from returning all the addresses ?
It's the built-in default behavior and there is, to my knowledge, no option to disable it. If you need more granular control over the contents of your local DNS zones, you can replace Unbound with the BIND plugin and configure all entries manually. You lose the automatic creation of entries for DHCP clients, though.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


If you care deeply about this behaviour you will have to use different DNS services for different subnets depending on their trust level.


Cheers,
Franco

I wouldn't call it a leak. It's the normal function of a DNS resolver/server. If you don't want that, every subnet should have its own DNS server, as @franco said.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Quote from: pmhausen on June 10, 2021, 09:23:08 AM
Quote from: Voodoo on June 03, 2021, 09:58:22 PM
I noticed unbound leaks all subnets configured in opnsense.
And this is a problem, because ...?

I never said it's a problem; I just dislike it. There is simply no reason to leak all networks.

I set up a floating rule, changed unbound to only listen on a single interface and changed the DNS via DHCP.


Can you please elaborate - and what was the end result?
Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

Firewall -> Rules -> Floating: pass port 53 tcp/udp source any dest 192.168.1.1

Services -> Unbound -> General: Network Interfaces: only select lan (192.168.1.1)

Services -> Unbound -> Access Lists: Allow 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8

Services -> DHCPv4 -> Set each interface dns to 192.168.1.1

Repeat for IPv6


This way only 192.168.1.1 is returned for a DNS request to the firewall.
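As an added check, not part of the thread or of OPNsense, here is a small Python script that builds and parses DNS wire-format A answers and reports any address outside an allowed set, so the result of the steps above can be verified from a client. The sample answers are constructed from the addresses shown in the nslookup output earlier in the thread; the query_a() helper sends a live UDP query to a resolver of your choosing and is the only part that needs the network.

```python
"""Verify that a hostname resolves to only the expected address(es).

Added example, not code from the forum thread or from OPNsense. The sample
responses below are constructed to mirror the thread's nslookup output.
"""
import socket
import struct


def encode_name(name):
    """Encode a dotted hostname into DNS label format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard recursive A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN


def build_a_response(name, addrs, txid=0x1234):
    """Constructed A response for `name` carrying one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR+RD+RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:
        # 0xC00C = compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return header + question + answers


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(pkt):
    """Return the IPv4 addresses found in the answer section, in wire order."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs


def unexpected_addresses(pkt, allowed):
    """Addresses in the answer that are not in `allowed`; an empty list means OK."""
    return sorted(set(parse_a_records(pkt)) - set(allowed))


def query_a(name, server, timeout=2.0):
    """Live check (needs network): ask `server` for `name` over UDP/53 and parse."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)


# Constructed samples: the thread's "before" answer (several interface addresses)
# and the intended "after" answer (only the LAN address).
BEFORE = build_a_response("firewall1.example.com",
                          ["192.168.1.1", "192.168.2.1", "192.168.3.1", "10.10.1.0"])
AFTER = build_a_response("firewall1.example.com", ["192.168.1.1"])

if __name__ == "__main__":
    for label, pkt in (("before", BEFORE), ("after", AFTER)):
        extra = unexpected_addresses(pkt, ["192.168.1.1"])
        print(label, "still returns extra addresses:" if extra else "OK", extra)
```

To run the same check against the real firewall after applying the steps, call unexpected_addresses(build_a_response(...)) on a captured answer, or simply compare query_a("firewall1.example.com", "192.168.1.1") against the single address you expect; anything beyond that address means the extra interface records are still being served.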

Hi Voodoo,

Perhaps it is a good idea to change the subject of your first post in this thread (insert [solved] or something similar) to mark this thread as containing the solution for this topic.

Kind Regards
Thomas
Don't forget to [applaud] those offering time and brainpower to help you!