DNS leakage of local queries with dnsmasq

Started by sbellon, November 18, 2021, 09:50:10 PM

November 18, 2021, 09:50:10 PM Last Edit: November 18, 2021, 10:01:09 PM by sbellon
Hi all,

I have implemented a setup as explained at https://pi-hole.net/2021/09/30/pi-hole-and-opnsense/ (including unbound behind the Pi-hole - however on the Pi-hole itself and not back to OPNsense). It is a working setup with correct name resolution of local names, filtering in the Pi-hole and recursive resolution using unbound. Check to all those. However ...

Let's assume that local.my.domain is configured as the local domain in OPNsense (my.domain being a placeholder for a domain that I own and that is registered to myself).

While queries for somehost.local.my.domain are correctly answered by dnsmasq on the OPNsense with the IP address registered via DHCP (however only IPv4 - this may be another point, see below), I then realized that DNS queries for nonexisting.local.my.domain leave the OPNsense: dnsmasq forwards the queries to the Pi-hole, which forwards to unbound, which then queries the public name server for my.domain, so the query for a non-existing (!) local hostname leaks out to some upstream name server.

I ended up adding the following configuration to the unbound configuration

server:
    local-zone: "local.my.domain." always_nxdomain
    local-data: "local.my.domain. 3600 IN SOA opnsense.local.my.domain. etc. etc. etc."

so that I stop the leakage at least at the unbound level before leaving my network.

However, shouldn't dnsmasq on the OPNsense simply not forward queries at all if they refer to the local domain? Shouldn't OPNsense be authoritative for local.my.domain and only forward queries for other domains it is not authoritative for?

Even if there is a valid reason for that behaviour: Can it be turned off somehow?

And a second question: Can I also get OPNsense to register IPv6 addresses to dnsmasq so that also AAAA records can be answered?

TIA.

Greetings,
Stefan

November 19, 2021, 08:12:10 AM #1 Last Edit: November 19, 2021, 08:52:38 AM by sbellon
Actually I kind of solved my first question by adding

local=/local.my.domain/
local=/1.168.192.in-addr.arpa/
local=/8.e.f.ip6.arpa/

to the dnsmasq configuration file on the OPNsense.

But I had somehow expected that to be the default already?

For the second topic I opened https://forum.opnsense.org/index.php?topic=25645.0
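The following is an added illustration, not code from the thread or from dnsmasq itself: a small Python model of the forwarding decision that the two posts above describe. dnsmasq matches `local=/domain/` and `server=/domain/upstream/` lines against a query name by longest suffix, and `local=` means "answer only from DHCP leases or hosts entries, never forward". Running the model once without the `local=` lines reproduces the leak from the first post (the unknown name is forwarded to the Pi-hole), and once with the lines from the second post shows the query stopping at dnsmasq with a local NXDOMAIN. The lease table, the Pi-hole address and the reverse-zone entries are constructed sample values.

```python
"""Simplified model of dnsmasq's answer-or-forward decision (illustration only).

Not dnsmasq code: it only models the longest-suffix matching of
`local=/domain/` and `server=/domain/upstream/` configuration lines.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data; in real life the leases come from DHCP and the
# upstream is whatever OPNsense is configured to forward to.
PIHOLE_UPSTREAM = "192.168.1.2"          # assumed address of the Pi-hole
LEASES: Dict[str, str] = {
    "somehost.local.my.domain": "192.168.1.5",
    "5.1.168.192.in-addr.arpa": "somehost.local.my.domain",
}
# The lines the second post added to the dnsmasq configuration.
DNSMASQ_CONF: List[str] = [
    "local=/local.my.domain/",
    "local=/1.168.192.in-addr.arpa/",
    "local=/8.e.f.ip6.arpa/",
]


@dataclass
class Decision:
    action: str            # "answer", "nxdomain-local" or "forward"
    target: Optional[str]  # answered value, or the upstream the query goes to


def parse_config(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (domain_suffix, upstream_or_None) rules; None = local only."""
    rules = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if line.startswith("local=/"):
            domain = line[len("local=/"):].rstrip("/")
            rules.append((domain.lower(), None))
        elif line.startswith("server=/"):
            domain, _, upstream = line[len("server=/"):].partition("/")
            upstream = upstream.rstrip("/")
            rules.append((domain.lower(), upstream or None))
    return rules


def matching_rule(rules, qname: str):
    """Longest-suffix match: a rule for local.my.domain covers x.local.my.domain."""
    q = qname.rstrip(".").lower()
    best = None
    for domain, upstream in rules:
        if q == domain or q.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, upstream)
    return best


def resolve(config_lines: List[str], leases: Dict[str, str],
            default_upstream: str, qname: str) -> Decision:
    """Decide what dnsmasq does with one query name."""
    q = qname.rstrip(".").lower()
    if q in leases:
        # A DHCP-registered name is answered locally regardless of config.
        return Decision("answer", leases[q])
    rule = matching_rule(parse_config(config_lines), q)
    if rule is None:
        # No rule: the query leaves the box towards the default upstream.
        return Decision("forward", default_upstream)
    _, upstream = rule
    if upstream is None:
        # local=/domain/ with no lease match: NXDOMAIN without forwarding.
        return Decision("nxdomain-local", None)
    return Decision("forward", upstream)


if __name__ == "__main__":
    for conf, label in (([], "without local= lines"), (DNSMASQ_CONF, "with local= lines")):
        for name in ("somehost.local.my.domain", "nonexisting.local.my.domain",
                     "9.1.168.192.in-addr.arpa", "www.example.com"):
            print(label, name, resolve(conf, LEASES, PIHOLE_UPSTREAM, name))
```

The point the model makes visible is that without a `local=` (or equivalent `server=/domain/`) rule, dnsmasq has no notion of being authoritative for the domain: a miss in the lease table is simply a cache miss to be forwarded. The unbound `local-zone ... always_nxdomain` from the first post is a second fence further downstream, which is a sensible belt-and-braces arrangement but stops the leak one hop later than the dnsmasq rule does.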