Unbound and stub local reverse zones

Started by GLR, May 31, 2016, 10:50:04 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
May 31, 2016, 10:50:04 PM Last Edit: May 31, 2016, 10:56:41 PM by GLR
Hello all,

I have a setup with a pfSense instance forwarding (with dnsmasq) to two external Unbound resolvers and two external nsd local authoritative NS.

I am trying to move it to an OPNsense instance embedding the name resolution feature with Unbound.

In the past I abandoned the option to use Unbound embedded in pfSense due to limitations.
I am now rechallenging the issue with OPNsense.

It is working partially but I am still facing a problem with the reverse zones locally hosted: they are not forwarded to the local authoritative NS hosting them.
In the file unbound.conf generated by OPNsense, they are defined as stub zones, private-domain and domain-insecure.
In my original working configuration (running in a Linux instance), they are simply defined as stub and local-zones.

The forward internal zone (glrnet) is however correctly resolved.

See the configuration files in the attachments.

Also, I tried to add the local-zones statements to the advanced custom field, but then Unbound fails to restart. It seems the syntax is not good as each space is turned to a carriage return.

Can you help me ?

Code Select
; <<>> DiG 9.8.1-P1 <<>> opnsense1.glrnet @192.168.1.253
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59323
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;opnsense1.glrnet.              IN      A

;; ANSWER SECTION:
opnsense1.glrnet.       7191    IN      A       192.168.1.253

;; AUTHORITY SECTION:
glrnet.                 86391   IN      NS      ns.glrnet.
glrnet.                 86391   IN      NS      syno.glrnet.

;; ADDITIONAL SECTION:
ns.glrnet.              86391   IN      A       172.16.0.3
syno.glrnet.            7191    IN      A       192.168.0.251

;; Query time: 0 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Tue May 31 22:46:58 2016
;; MSG SIZE  rcvd: 118

Code Select

; <<>> DiG 9.8.1-P1 <<>> -x 192.168.1.253 @192.168.1.253
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3644
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;253.1.168.192.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
168.192.in-addr.arpa.   10800   IN      SOA     localhost. nobody.invalid. 1 3600 1200 604800 10800

;; Query time: 15 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Tue May 31 22:47:10 2016
;; MSG SIZE  rcvd: 103
June 06, 2016, 10:35:33 PM #1 Last Edit: June 06, 2016, 10:37:54 PM by GLR
So, to sum-up, it seems the main problem is that the advanced settings don't work because the spaces (and tabulations) are turned to carriage returns.

In the "Advanced" web configuration:
Code Select
local-zone: "168.192.in-addr.arpa" nodefault
local-zone: "16.172.in-addr.arpa" nodefault
statistics-interval: 300
statistics-cumulative: no
extended-statistics: yes

In /var/unbound/unbound.conf:
Code Select
# Unbound custom option
local-zone:
"168.192.in-addr.arpa"
nodefault
local-zone:
"16.172.in-addr.arpa"
nodefault
statistics-interval:
300
statistics-cumulative:
no
extended-statistics:
yes


What of course induces the following Unbound error:

Code Select

opnsense: /services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:115: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1465244973] unbound[47952:0] fatal error: Could not read config file: /var/unbound/unbound.conf'


Can this please be fixed ?
June 06, 2016, 11:07:20 PM #2
I've just tried to implement the same configuration in pfSense and surprisingly it now works fine, probably because an option "System Domain Local Zone Type" was added in the General settings.
June 06, 2016, 11:40:36 PM #3
pfSense configuration with native local-zone statement.
June 07, 2016, 09:08:30 AM #4
Hi there,

This should fix embedding of custom options (opnsense-patch works from 16.1.16 onwards):

# opnsense-patch acbd63db3


Cheers,
Franco
June 07, 2016, 10:16:31 AM #5
Thanks, it works fine !

Added in the custom options:
Code Select
server:
local-zone: "168.192.in-addr.arpa" transparent
local-zone: "16.172.in-addr.arpa" transparent

Got in the config file:
Code Select
# Unbound custom options
server:
local-zone: "168.192.in-addr.arpa" transparent
local-zone: "16.172.in-addr.arpa" transparent

What fixes my problem.

I think you should also think at adding the local-zone statement and setting natively as done in pfSense...

Thanks a lot anyway.
Print
Go Up Pages1
User actions