OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 16.1 Legacy Series »
  • Unbound and stub local reverse zones
« previous next »
  • Print
Pages: [1]

Author Topic: Unbound and stub local reverse zones  (Read 8839 times)

GLR

  • Newbie
  • *
  • Posts: 11
  • Karma: 0
    • View Profile
    • Tech blog
Unbound and stub local reverse zones
« on: May 31, 2016, 10:50:04 pm »
Hello all,

I have a setup with a pfSense instance forwarding (with dnsmasq) to two external Unbound resolvers and two external nsd local authoritative NS.

I am trying to move it to an OPNsense instance embedding the name resolution feature with Unbound.

In the past I abandoned the option to use Unbound embedded in pfSense due to limitations.
I am now rechallenging the issue with OPNsense.

It is working partially but I am still facing a problem with the reverse zones locally hosted: they are not forwarded to the local authoritative NS hosting them.
In the file unbound.conf generated by OPNsense, they are defined as stub zones, private-domain and domain-insecure.
In my original working configuration (running in a Linux instance), they are simply defined as stub and local-zones.

The forward internal zone (glrnet) is however correctly resolved.

See the configuration files in the attachments.

Also, I tried to add the local-zones statements to the advanced custom field, but then Unbound fails to restart. It seems the syntax is not good as each space is turned to a carriage return.

Can you help me ?

Code: [Select]
; <<>> DiG 9.8.1-P1 <<>> opnsense1.glrnet @192.168.1.253
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59323
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;opnsense1.glrnet.              IN      A

;; ANSWER SECTION:
opnsense1.glrnet.       7191    IN      A       192.168.1.253

;; AUTHORITY SECTION:
glrnet.                 86391   IN      NS      ns.glrnet.
glrnet.                 86391   IN      NS      syno.glrnet.

;; ADDITIONAL SECTION:
ns.glrnet.              86391   IN      A       172.16.0.3
syno.glrnet.            7191    IN      A       192.168.0.251

;; Query time: 0 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Tue May 31 22:46:58 2016
;; MSG SIZE  rcvd: 118
Code: [Select]
; <<>> DiG 9.8.1-P1 <<>> -x 192.168.1.253 @192.168.1.253
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3644
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;253.1.168.192.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
168.192.in-addr.arpa.   10800   IN      SOA     localhost. nobody.invalid. 1 3600 1200 604800 10800

;; Query time: 15 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Tue May 31 22:47:10 2016
;; MSG SIZE  rcvd: 103
« Last Edit: May 31, 2016, 10:56:41 pm by GLR »
Logged

GLR

  • Newbie
  • *
  • Posts: 11
  • Karma: 0
    • View Profile
    • Tech blog
Re: Unbound and stub local reverse zones
« Reply #1 on: June 06, 2016, 10:35:33 pm »
So, to sum-up, it seems the main problem is that the advanced settings don't work because the spaces (and tabulations) are turned to carriage returns.

In the "Advanced" web configuration:
Code: [Select]
local-zone: "168.192.in-addr.arpa" nodefault
local-zone: "16.172.in-addr.arpa" nodefault
statistics-interval: 300
statistics-cumulative: no
extended-statistics: yes

In /var/unbound/unbound.conf:
Code: [Select]
# Unbound custom option
local-zone:
"168.192.in-addr.arpa"
nodefault
local-zone:
"16.172.in-addr.arpa"
nodefault
statistics-interval:
300
statistics-cumulative:
no
extended-statistics:
yes

What of course induces the following Unbound error:

Code: [Select]
opnsense: /services_unbound.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:115: error: syntax error read /var/unbound/unbound.conf failed: 1 errors in configuration file [1465244973] unbound[47952:0] fatal error: Could not read config file: /var/unbound/unbound.conf'

Can this please be fixed ?
« Last Edit: June 06, 2016, 10:37:54 pm by GLR »
Logged

GLR

  • Newbie
  • *
  • Posts: 11
  • Karma: 0
    • View Profile
    • Tech blog
Re: Unbound and stub local reverse zones
« Reply #2 on: June 06, 2016, 11:07:20 pm »
I've just tried to implement the same configuration in pfSense and surprisingly it now works fine, probably because an option "System Domain Local Zone Type" was added in the General settings.
Logged

GLR

  • Newbie
  • *
  • Posts: 11
  • Karma: 0
    • View Profile
    • Tech blog
Re: Unbound and stub local reverse zones
« Reply #3 on: June 06, 2016, 11:40:36 pm »
pfSense configuration with native local-zone statement.
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13692
  • Karma: 1176
    • View Profile
Re: Unbound and stub local reverse zones
« Reply #4 on: June 07, 2016, 09:08:30 am »
Hi there,

This should fix embedding of custom options (opnsense-patch works from 16.1.16 onwards):

# opnsense-patch acbd63db3


Cheers,
Franco
Logged

GLR

  • Newbie
  • *
  • Posts: 11
  • Karma: 0
    • View Profile
    • Tech blog
Re: Unbound and stub local reverse zones
« Reply #5 on: June 07, 2016, 10:16:31 am »
Thanks, it works fine !

Added in the custom options:
Code: [Select]
server:
local-zone: "168.192.in-addr.arpa" transparent
local-zone: "16.172.in-addr.arpa" transparent

Got in the config file:
Code: [Select]
# Unbound custom options
server:
local-zone: "168.192.in-addr.arpa" transparent
local-zone: "16.172.in-addr.arpa" transparent

What fixes my problem.

I think you should also think at adding the local-zone statement and setting natively as done in pfSense...

Thanks a lot anyway.
Logged

  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 16.1 Legacy Series »
  • Unbound and stub local reverse zones
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy
    | XHTML | RSS | WAP2