Unbound DNS - Unable to resolve Host Overrides [SOLVED]

Started by yodaphone, June 17, 2021, 04:57:07 PM

June 17, 2021, 04:57:07 PM Last Edit: July 25, 2021, 10:38:04 AM by yodaphone
I recently migrated from pfsense

I've configured the host overrides to map internal IPs to hosts. But I can't ping them or connect to them. These hosts are also defined in my Cloudflare DNS server. Instead of resolving the internal IP it returns the external IP of the firewall.

Any ideas as to why this happens?

For example, my bitwarden.domain.com is mapped to an internal IP 192.168.15.4 in Unbound Host Overrides.
When I ping bitwarden.domain.com it returns the external IP.

This used to work for me in pfsense, where it returned the internal IP. I have flushed the cache etc. I had raised this issue in the legacy 20.1 too but had no solution. Yes, all these IPs/hosts are configured on Cloudflare with ACME.

Any ideas how to get this to resolve the internal IP?


Maybe do it like this:
Quote: Part 6 - Access from internal networks
If you try to access your URL "your_service.your_subdomain.dedyn.io" from a device in your internal network, it should fail.
There are two ways of fixing this. I will cover both options but keep in mind that Option B is the suggested way of doing it.
NAT reflection is an inferior solution since you lose the ability to track originating source IP in HAProxy when going through NAT. (@sorano)

Option A - NAT Reflection (https://docs.opnsense.org/manual/nat.html)
Option B - Split DNS (https://docs.opnsense.org/manual/unbound.html#overrides)

Option A - NAT Reflection

    In your OPNsense go to: Firewall --> Rules --> WAN
    Here you will have to edit the two rules (HAProxy HTTP and HAProxy HTTPS) we created in Part 4 - Step 3 of this tutorial.
    At the bottom of each rule there is a setting called "NAT reflection = Use system default".
    You will want to change this to "NAT reflection = Enable".
    Access from internal networks should now be working.


Option B - Split DNS (DNS Overrides)
Since you are using OPNsense you are probably also using the Unbound DNS plugin as your local DNS server.
Because of that you can easily set up DNS overrides.

    In your OPNsense go to: Services --> Unbound DNS --> Overrides
    Here you will need to create "Host Overrides" for each of your services. At least if you are using 2nd level subdomains "your_service.your_subdomain.dedyn.io" for your services.
    If you are running all of your services on your 1st level subdomain "your_subdomain.dedyn.io" then you will just need to override this one.
    The IP address can be any interface IP of your OPNsense. I am using the LAN IP, on which the "SNI_frontend" is also listening because we set it to "0.0.0.0".
    Access from internal networks should now be working.

The tutorial I'm copying from: https://forum.opnsense.org/index.php?topic=23339.0 has a picture as well. It is part 6 (last step).

My overrides point to my host / domain and my unbound DNS server address (something like this 10.10.10.1) not to the actual IP of the host within my network (I believe unbound is using split DNS only when it determines you are inside the network, and so it would make sense you would direct queries to the inside the network DNS server).

I hope this helps. I am not an expert, I just google and copy people smarter than me.

Cheers,


1. Do your clients really talk to your Unbound? Verify! E.g. with tcpdump.
2. Check the host override files on the firewall itself.
3. Turn on query logging. Watch the logs as you send queries to Unbound.
4. ... running out of ideas, but see above. Use basic debugging techniques.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
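An added example (not from any post in this thread) that ties the three debugging steps above together: given the Unbound host overrides in their `local-data:` form, Unbound's query log with `log-queries` enabled, and the addresses a LAN client actually resolved, it reports per name whether the query ever reached Unbound and whether the answer matched the override. All hostnames, IPs, log lines and the answer table are constructed for the example; 203.0.113.10 stands in for the firewall's WAN address, and the query-log line layout is assumed from Unbound's `log-queries` output.

```python
import re

# Constructed sample of host overrides in the local-data: syntax that Unbound reads.
OVERRIDES = """
local-data: "bitwarden.domain.com A 192.168.15.4"
local-data: "home.domain.com. IN A 192.168.15.5"
local-data: "nas.domain.com A 192.168.15.6"
"""
# Constructed Unbound query-log lines (log-queries: yes): client IP, qname, qtype, qclass.
QUERY_LOG = """
[1623945427] unbound[1234:0] info: 192.168.15.20 bitwarden.domain.com. A IN
[1623945430] unbound[1234:0] info: 192.168.15.21 mail.domain.com. A IN
[1623945433] unbound[1234:0] info: 192.168.15.20 nas.domain.com. A IN
"""
# Constructed answers a LAN client actually received (e.g. from `dig +short`);
# 203.0.113.10 stands in for the firewall's public WAN address.
OBSERVED = {
    "bitwarden.domain.com": "203.0.113.10",
    "home.domain.com": "203.0.113.10",
    "nas.domain.com": "192.168.15.6",
    "mail.domain.com": "203.0.113.10",
}

LOCAL_DATA = re.compile(r'local-data:\s*"([^"\s]+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+([^"\s]+)"')
QUERY_LINE = re.compile(r'info:\s+\S+\s+(\S+)\s+A\s+IN')

def parse_overrides(text):
    """Map override hostname -> IPv4 address, normalising case and trailing dots."""
    return {m.group(1).lower().rstrip("."): m.group(2) for m in LOCAL_DATA.finditer(text)}

def queried_names(log):
    """Hostnames for which Unbound logged an A query from some client."""
    return {m.group(1).lower().rstrip(".") for m in QUERY_LINE.finditer(log)}

def audit(override_text, log_text, observed):
    """Classify each tested name so the fault can be placed: client, Unbound, or override."""
    overrides = parse_overrides(override_text)
    seen = queried_names(log_text)
    result = {}
    for name in sorted(observed):
        if name not in overrides:
            result[name] = "no-override"      # client asked for a name with no override
        elif name not in seen:
            result[name] = "query-not-seen"   # Unbound never saw it: client uses another resolver
        elif observed[name] == overrides[name]:
            result[name] = "ok"
        else:
            result[name] = "answer-mismatch"  # Unbound saw it but answered differently
    return result
```

A "query-not-seen" result is the thread's eventual diagnosis (the client was asking a different resolver first); "answer-mismatch" points at the override file or zone type on the firewall instead.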

Thank you for your suggestions.

I finally figured it out.

I had AdGuard Home and had to move these two lines to the top in the Bootstrap DNS Servers under DNS Settings for this to work.

192.168.11.1:5353 (My firewall IP)
127.0.0.1:5353


They were the first two in the Upstream DNS Servers box, but I guess they need to be at the top in both places.