Why is OPNsense sending some private domain DNS queries upstream?

[burntoc]

Hey all, I have Adguard Home running on my FW on port 53 and it has Unbound on 127.0.0.1:50253 as it's upstream server. Unbound then has custom options set to send requests upstream over TLS to NextDNS.io. For basic resolution this works great, but I have noticed a troubling issue - local IP-related hostnames with my private domain are showing up at NextDNS. Example, to be clear 192.168.75.5-70.mydomain.me.

I was trying to fix it and I added mydomain.me as an override to redirect it to 127.0.0.1. Thought that fixed it, but I still see a few, though less now, showing up. I went to Diagnostics->DNS Lookup and put in that hostname and sure enough I got 127.0.0.1 but then I also got two NextDNS servers. I went to System->Settings->General and I see that the two NextDNS servers are listed there. If I remove them, it does seem to stop them from showing in the NextDNS logs, but running the Diagnostics gives me no results at all. DNS does seem to work just fine, though.

Without an DNS servers indicated under System->Settings->General is OPNsense following my desired Adguard->Unbound->NextDNS flow or does the system itself still send queries to DNS root servers or some other behavior?

[Fright]

https://forum.opnsense.org/index.php?topic=23895.0 ?

[burntoc]

Thank you.  There are definitely some things in that thread, a couple of more worth looking into, and a couple I shouldn't have to do.  This is helpful.

For what it's worth, u/alexdelprete reports seeing the same exact issue in a Reddit thread I started on r/OPNSenseFirewall, and he did a great job explaining the exact issue we're seeing and his resolution: to set his local-zone type to refused. 
https://www.reddit.com/r/OPNsenseFirewall/comments/qhuev6/comment/hihq6wf/?utm_source=share&utm_medium=web2x&context=3

[Fright]

he did a great job explaining the exact issue we're seeing and his resolution: to set his local-zone type to refused

also an option. imho it should work with 'static' zone type also

[burntoc]

Awesome.  I think that's the route I'd rather go. Thanks again.

[alexdelprete]

Awesome.  I think that's the route I'd rather go. Thanks again.

Minimal differences, they both work, I suggested refuse because it's what I used to solve the problem.



(https://nlnetlabs.nl/documentation/unbound/unbound.conf/#local-zone)

[burntoc]

On a related note.....can anyone simply and clearly explain to me when and why Settings->General DNS servers are use by OPNsense vs the ones in Unbound?  I mean, with Forwarding disabled and  "Do not use the local DNS service as a nameserver for this system" both disabled? I'm trying to understand the use cases.

[Fright]

with your conditions (use localhost dns), only the deafult dns server for dhcpd comes to mind

[alexdelprete]

On a related note.....can anyone simply and clearly explain to me when and why Settings->General DNS servers are use by OPNsense vs the ones in Unbound?  I mean, with Forwarding disabled and  "Do not use the local DNS service as a nameserver for this system" both disabled? I'm trying to understand the use cases.

"General DNS Servers": these are the ones used by OPNsense itself, and also passed to DHCP clients (if not configured otherwise obviously), it's a very typical scenario.

"Do not use the local DNS service as a nameserver for this system": it simply tells OPNsense not to use 127.0.0.1 for name resolution. This is useful if you have DNS on another system or you want to use a specific IP address.

In my case, since I use AdGuardHome plugin, I configured OPNsense IP in General DNS Server and unchecked local DNS service.

[alexdelprete]

Update: with refused I had problems resolving AAAA records. Had to switch to static. Don't really understand why, but that's what I observed. So, in the end, the advise is to use static.