English Forums > 21.7 Production Series

Forcing unbound overrides to be the ONLY addresses for a name


So, I have unbound serving my local LAN as expected. In particular, it is serving DNS for the OPNsense box itself (named wall).

Unfortunately, it seems that all the WAN IP addresses for the device are being registered in unbound as valid IP addresses for wall as well. Particularly problematic is that one of them is IPV6, which is HIGHLY preferred by other devices on the network (obviously). Sadly, this WAN interface is a bit wobbly, and so I suddenly lose all connectivity to the OPNsense device (because I use its DNS name) if the wobble takes this device out (and it thus loses its IPV6 address, and so all public IPV6 becomes invalid in the network - yeah, fun I know).
I would like to force ONLY the addresses in the Override section to be valid (site local ipv6 and ipv4 addresses). But it seems unbound is determined to make sure it serves ALL addresses all the time. Is there any way to stop this behaviour?

Here's the output of "host wall.xxx.xx"

--- Code: ---
wall.xxx.xx has address
wall.xxx.xx has address
wall.xxx.xx has address
wall.xxx.xx has address
wall.xxx.xx has address
wall.xxx.xx has address
wall.xxx.xx has address
wall.xxx.xx has address
wall.xxx.xx has address
wall.xxx.xx has IPv6 address fdeb:df40:8dd7::1
wall.xxx.xx has IPv6 address fec0:1::1
wall.xxx.xx has IPv6 address 2607:f2c0::1909:a443:fa5c:8fb::
wall.xxx.xx has IPv6 address 2607:f2c0::3::
wall.xxx.xx has IPv6 address fe80::4262:31ff:fe06:af3c
wall.xxx.xx has IPv6 address 2607:f2c0::200:4262:31ff:fe06::
wall.xxx.xx has IPv6 address 2607:f2c0::204:4262:31ff:fe06::
wall.xxx.xx has IPv6 address fe80::4262:31ff:fe06:af3a

--- End code ---

As you can see I have a lot of addresses for the gateway host. The one that is preferred by the LAN is the 2607 one, because it's obviously a public IPv6 address.

I would like to have it ONLY serve the and fec0 addresses. I cannot see any way to do this. I have overrides specifying both of those addresses in the config.

Do you need dynamic updates of DNS for e.g. clients using DHCP? If not you could replace Unbound with BIND, statically configure your entries, and ignore all the dynamic mumbo-jumbo.

That's what I do ;)

I don't like arbitrary clients spamming my DNS ...

Well, yes, I do like being able to keep my client DNS entries up to date automatically, except specific ones I don't want to, like my wall address.


You can try to bind unbound only to specific interfaces. I did that and get only the IP addresses of the interfaces selected in unbound.
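Whichever route is taken (overrides only, or binding unbound to selected interfaces), the result is worth checking rather than assumed, because a WAN address leaking into an internal answer is exactly the failure the original post describes. The script below is an added example and not part of this thread or of OPNsense: it parses `host`-style output, compares every returned address against the set configured as overrides, and classifies each stray address (link-local, deprecated site-local, unique-local, RFC 1918, or global) so it is obvious which interface it came from. The hostname `wall.example.lan`, the override set, and the sample output are all constructed for the example; the 203.0.113.0/24 and 2001:db8::/32 ranges are documentation prefixes standing in for real WAN addresses.

```python
import ipaddress
import re

# Constructed sample of `host` output (the thread's own addresses are redacted or
# garbled, so valid stand-ins are used here). Only the first, third and fourth
# addresses are meant to be served; the others come from WAN/link-local interfaces.
SAMPLE_HOST_OUTPUT = """\
wall.example.lan has address 192.168.1.1
wall.example.lan has address 203.0.113.17
wall.example.lan has IPv6 address fdeb:df40:8dd7::1
wall.example.lan has IPv6 address fec0:1::1
wall.example.lan has IPv6 address 2001:db8:1::1
wall.example.lan has IPv6 address fe80::4262:31ff:fe06:af3c
"""

# Addresses configured as overrides for the name (constructed). Anything else
# that shows up in the answer is a leak from another interface.
ALLOWED_OVERRIDES = {"192.168.1.1", "fdeb:df40:8dd7::1", "fec0:1::1"}

# One `host` answer line: "<name> has address <v4>" or "<name> has IPv6 address <v6>".
_LINE_RE = re.compile(r"^(?P<name>\S+) has (?:IPv6 )?address (?P<addr>\S+)$")

# Explicit ranges are used instead of ipaddress.is_private / is_global so the
# result does not depend on the Python version's treatment of documentation prefixes.
_V6_CLASSES = [
    (ipaddress.ip_network("fe80::/10"), "link-local"),
    (ipaddress.ip_network("fec0::/10"), "site-local (deprecated)"),
    (ipaddress.ip_network("fc00::/7"), "unique-local"),
]
_V4_CLASSES = [
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("10.0.0.0/8"), "rfc1918"),
    (ipaddress.ip_network("172.16.0.0/12"), "rfc1918"),
    (ipaddress.ip_network("192.168.0.0/16"), "rfc1918"),
]


def parse_host_output(text):
    """Return a list of (name, ip_address) pairs from `host` output.

    Lines that do not match the answer format, or whose address does not parse
    (for example a redacted or malformed one), are skipped rather than raising.
    """
    records = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue
        records.append((m.group("name"), ip))
    return records


def classify(ip):
    """Label an address by scope so a stray entry can be traced to its interface."""
    if ip.is_loopback:
        return "loopback"
    for net, label in (_V6_CLASSES if ip.version == 6 else _V4_CLASSES):
        if ip in net:
            return label
    return "global"


def find_stray_addresses(text, allowed):
    """Return [(address, scope), ...] for every answered address not in `allowed`."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    return [(str(ip), classify(ip)) for _, ip in parse_host_output(text)
            if ip not in allowed_ips]


def serves_only_overrides(text, allowed):
    """True when every address in the answer is one of the configured overrides."""
    return not find_stray_addresses(text, allowed)


if __name__ == "__main__":
    # In practice pipe real output in: host wall.example.lan | python3 check_overrides.py
    strays = find_stray_addresses(SAMPLE_HOST_OUTPUT, ALLOWED_OVERRIDES)
    for addr, scope in strays:
        print(f"stray answer: {addr} ({scope})")
    print("ok" if not strays else f"{len(strays)} address(es) leaked")
```

Run it against live output after each configuration change; a non-empty stray list with a "global" entry means a WAN address is still being handed to LAN clients, and a "link-local" entry means an fe80:: address that clients cannot use without a scope ID is also being answered.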


