Unbound recommended configuration for reverse lookup for private IPv4 addresses?
Post by arnog, February 23, 2023, 10:29:14 pm:
Hi all,
we are running OPNsense as a router for a smaller network inside another larger network. The inner network contains hosts with private IPv4 addresses only. The outer network contains subnets with public IPv4 addresses and also subnets with private IPv4 addresses. The hosts all have DNS entries in the larger network's DNS.
To be able to resolve the hostnames with the private IPv4 addresses in the outer network from within the inner network, we configured Unbound to forward queries to the outer network's DNS servers and we also disabled the DNS Rebind Check. This works for forward lookups. So far so good.
However, with this setup, reverse lookups for hosts in the outer network with private IPv4 addresses don't work, because Unbound does not forward these queries to the upstream DNS servers in the outer network. This is expected and documented behavior. To work around this, we added "unblock-lan-zones: yes" to the "server" clause with a template, as described in the OPNsense documentation. This seems to work; until now we haven't seen unwanted side effects.
Now the question is: is this a sensible configuration? Or should we refrain from this approach and take a different route? I would love to hear your recommendations.
Thanks
Arno
Reply #1 by gromit, February 24, 2023, 09:27:55 pm:
I don't know whether it's a "best practice" or not, but in our setup we use explicit Unbound domain overrides to do forward and reverse lookups for IPv4 private addresses not handled explicitly by the local Unbound.
We have two sites joined via a site-to-site IPsec VPN. Each site has local (non-overlapping) IPv4 subnets and a local domain name for the addresses its Unbound manages. In the Domain Overrides for each site, there is an "N.N.N.in-addr.arpa" override that sends the queries to the other site's Unbound for PTR (reverse) lookups, as well as a "site.local.domain." entry that forwards queries for forward lookups. It's done vice versa at the other site.
I guess you could use a similar approach to forward all the local IPv4 ranges you're interested in to the outer network's DNS servers.
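Added example covering both posts in this thread. This is not code from arnog, gromit, OPNsense or Unbound; it is a small stand-alone Python script that derives the octet-aligned in-addr.arpa zones for a list of outer-network private prefixes and renders the two Unbound configurations discussed above: the blanket "unblock-lan-zones: yes" template from the first post, and the per-zone forwarding from the second post written as raw unbound.conf stanzas (the equivalent of a Domain Override for N.N.N.in-addr.arpa, with the local-zone lines made explicit so the result does not depend on what the GUI generates). The prefixes (10.20.0.0/22, 192.168.100.0/24), the upstream addresses (192.0.2.53/54) and the domain outer.example. are constructed sample input. The ptr_disposition() model only covers the RFC 1918 part of Unbound's built-in local zones and the explicit forward-zones; it is an assumption about where a query ends up, not Unbound itself. Standard library only, runs offline.

```python
"""Reverse-zone helper for private IPv4 ranges in Unbound (added example)."""
import ipaddress
from typing import Iterable, Optional, Sequence

# The RFC 1918 reverse zones Unbound answers NXDOMAIN for by default.  Unbound's
# built-in list is longer (loopback, link-local, documentation ranges); only the
# RFC 1918 part matters here.  "unblock-lan-zones: yes" drops all of these at once.
RFC1918_LOCAL_ZONES = (
    ["10.in-addr.arpa."]
    + [f"{i}.172.in-addr.arpa." for i in range(16, 32)]
    + ["168.192.in-addr.arpa."]
)

# Constructed sample input: private prefixes in the outer network whose PTR
# records live on the outer DNS servers, and those servers' addresses.
OUTER_PREFIXES = ["10.20.0.0/22", "192.168.100.0/24"]
OUTER_DNS = ["192.0.2.53", "192.0.2.54"]


def reverse_zones(prefix: str) -> list:
    """Octet-aligned in-addr.arpa zone names covering an IPv4 prefix.

    /8, /16 and /24 give one zone; 172.16.0.0/12 gives sixteen /16 zones;
    10.20.0.0/22 gives four /24 zones.  Prefixes longer than /24 are widened to
    their enclosing /24 (RFC 2317 classless delegation is out of scope here).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4 or net.prefixlen < 8:
        raise ValueError("need an IPv4 prefix of /8 or longer")
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    zone_bits = -(-net.prefixlen // 8) * 8      # round up to a multiple of 8
    zones = []
    for sub in net.subnets(new_prefix=zone_bits):
        octets = str(sub.network_address).split(".")[: zone_bits // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa.")
    return zones


def enclosing_default_zone(name: str) -> Optional[str]:
    """The built-in RFC 1918 zone that would answer NXDOMAIN for `name`, if any."""
    for default in RFC1918_LOCAL_ZONES:
        if name == default or name.endswith("." + default):
            return default
    return None


def ptr_disposition(ip: str, forwarded: Iterable[str] = (),
                    unblock_lan_zones: bool = False) -> str:
    """Model (assumption, not Unbound code) of where a PTR query for `ip` goes:
    'forwarded' via an explicit forward-zone, 'local-nxdomain' from a built-in
    RFC 1918 zone, or 'resolved' through whatever general forwarding is set up.
    With unblock_lan_zones=True no built-in zone blocks anything, so every
    private PTR query, including ones for inner-network hosts the outer DNS has
    never heard of, leaves the box."""
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    if any(name == z or name.endswith("." + z) for z in forwarded):
        return "forwarded"
    if not unblock_lan_zones and enclosing_default_zone(name) is not None:
        return "local-nxdomain"
    return "resolved"


def blanket_template() -> str:
    """First post's approach: lift the built-in block for every RFC 1918
    reverse zone.  Forwarding itself stays as configured in the GUI."""
    return "server:\n    unblock-lan-zones: yes\n"


def targeted_template(prefixes: Sequence[str], upstreams: Sequence[str],
                      private_domains: Sequence[str] = ()) -> str:
    """Second post's approach as raw unbound.conf: one forward-zone per reverse
    zone.  A built-in zone that is forwarded exactly is released with
    `nodefault`; when only a sub-zone is forwarded, that sub-zone alone is made
    `transparent`, so the rest of the enclosing built-in zone keeps its NXDOMAIN.
    Optional `private-domain` entries keep the rebind filter on but allow the
    named domains to carry private addresses, which is narrower than switching
    the rebind check off entirely."""
    zones = [z for p in prefixes for z in reverse_zones(p)]
    release = set()
    for z in zones:
        default = enclosing_default_zone(z)
        if default == z:
            release.add(f'    local-zone: "{z}" nodefault')
        elif default is not None:
            release.add(f'    local-zone: "{z}" transparent')
    out = ["server:"] + sorted(release)
    out += [f'    private-domain: "{d}"' for d in private_domains]
    for z in zones:
        out += ["", "forward-zone:", f'    name: "{z}"']
        out += [f"    forward-addr: {a}" for a in upstreams]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(targeted_template(OUTER_PREFIXES, OUTER_DNS, ["outer.example."]))
    zones = [z for p in OUTER_PREFIXES for z in reverse_zones(p)]
    for ip in ("10.20.1.7", "10.99.0.1", "192.168.100.9", "192.168.1.1"):
        print(f"PTR for {ip}: targeted={ptr_disposition(ip, zones)}, "
              f"blanket={ptr_disposition(ip, unblock_lan_zones=True)}")
```

The point of running both models side by side is the difference for an address like 192.168.1.1 that nobody in the outer network knows: with the targeted stanzas it stays a local NXDOMAIN, with unblock-lan-zones it is sent to the outer DNS servers along with every other private PTR query from the inner network. Whether that is acceptable depends on who runs the outer DNS. The script only writes the unbound.conf text; putting it into the OPNsense template directory and restarting Unbound is left to the reader.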