dig ns.domain.tld; <<>> DiG 9.18.13 <<>> ns.domain.tld;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 493;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232;; QUESTION SECTION:;ns.domain.tld. IN A;; ANSWER SECTION:ns.domain.tld. 86343 IN A 127.0.0.1;; Query time: 0 msec;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP);; WHEN: Sun Apr 16 20:34:33 CEST 2023;; MSG SIZE rcvd: 58
dig @127.0.0.1 -p 53053 ns.domain.tld; <<>> DiG 9.18.13 <<>> @127.0.0.1 -p 53053 ns.domain.tld; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47716;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232; COOKIE: 1fe998ef4f90f8d001000000643c3fe6bf801d59489e799b (good);; QUESTION SECTION:;ns.domain.tld. IN A;; ANSWER SECTION:ns.domain.tld. 86400 IN A 127.0.0.1;; Query time: 0 msec;; SERVER: 127.0.0.1#53053(127.0.0.1) (UDP);; WHEN: Sun Apr 16 20:35:18 CEST 2023;; MSG SIZE rcvd: 86
dig ns.domain.tld; <<>> DiG 9.10.6 <<>> ns.domain.tld;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14726;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 1232;; QUESTION SECTION:;ns.domain.tld. IN A;; ANSWER SECTION:ns.domain.tld. 86135 IN A 127.0.0.1;; Query time: 51 msec;; SERVER: 10.10.10.254#53(10.10.10.254);; WHEN: Sun Apr 16 20:38:01 CEST 2023;; MSG SIZE rcvd: 58
do you have home.arpa set as the local domain of your firewall? There's quite some "magic" in the unbound setup pulling configuration bits from all possible places, not only Services > Unbound as one might expect but also System > Settings > General.And if I am not completely wrong - and the SOA returned by your query example corroborates that - your Unbound thinks it's authoritative for home.arpa and neither the domain override nor the forward domain entry actually override that.Since it doesn't really matter what the firewall itself thinks its domain is, you can set that to some other arbitrary value and still hand out home.arpa explicitly with DHCP.That's my last idea but it is at least perfectly consistent with your observation that the forward queries just never happen.
The idea is to have a few Unbound validating, recursive and caching DNS servers which LAN clients can query. Then use BIND (named) as an authoritative server which can resolve internal LAN names only. LAN clients will NEVER access the BIND DNS server and BIND will never go out to the Internet. BIND's only job is to serve internal names to the Unbound DNS server cluster. The Unbound cluster will serve all LAN clients. If Unbound needs to resolve a private ip it will ask the BIND server for ips and then cache the response. If the client needs an external ip, lets say from google.com or cnn.com, Unbound will recursively query the Internet root DNS servers and cache the response.Here is a rough ASCII diagram of the setup. LAN Clients are all the internal machines of the local area network (LAN). The Internet DNS is basically any external DNS server. The entries for Unbound #1 through #3 are separate machines with Unbound running on them. The final machine is the Private BIND LAN DNS.Stub-zone is only used to point queries to an authoritative server like a NSD dns server. The forward-zone directive can only be used to point queries to a resolving dns server like OpenDNS.com or you local ISP's caching server. The two are not interchangeable.Code: [Select] INTERNET | | -- Unbound #1 -- / \ private authoritative onlyLAN Clients -- --- Unbound #2 -- -- BIND or NSD dns server \ / ( 10.0.0.111 ) -- Unbound #3 --
INTERNET | | -- Unbound #1 -- / \ private authoritative onlyLAN Clients -- --- Unbound #2 -- -- BIND or NSD dns server \ / ( 10.0.0.111 ) -- Unbound #3 --
$TTL 86400@ IN SOA ns1.rt1.home.arpa. admin.srv1.home.arpa. ( 2304171944 21600 3600 3542400 3600 ) NS ns1.rt1.home.arpa.1 PTR rt1.home.arpa.1 PTR ns1.rt1.home.arpa.1 PTR opnsense.rt1.home.arpa.
$TTL 86400@ IN SOA ns1.rt1.home.arpa. admin.srv1.home.arpa. ( 2304172310 21600 3600 3542400 3600 ) A 192.168.31.1 NS ns1ns1 A 192.168.31.1opnsense A 192.168.31.1
# Local DNS optionsdo-not-query-localhost: noprivate-domain: "home.arpa"domain-insecure: "home.arpa"stub-zone: name: "home.arpa" stub-addr: 127.0.0.1@53530local-zone: "10.168.192.in-addr.arpa." nodefaultdomain-insecure: "10.168.192.in-addr.arpa"private-address: 192.168.10.0/24stub-zone: name: "10.168.192.in-addr.arpa." stub-addr: 127.0.0.1@53530
The settings netnut describes there look to me much what I tried before going the stub-zone method.
I think that will only work if you let BIND query internet servers. I didn't really want to do that.
Quote from: aida on April 18, 2023, 06:16:06 pmThe settings netnut describes there look to me much what I tried before going the stub-zone method.Instead of using "advanced" configs you only need to use the built in capabilities of the standard OPNsense web interface. Your use-case isn't that special, all you want to do is configurable with a few clicks in the OPNsense GUI.
Quote from: aida on April 18, 2023, 06:16:06 pmI think that will only work if you let BIND query internet servers. I didn't really want to do that.No, in my example only Unbound does query internet servers and will contact your local BIND instance when you request (local) domains defined in the "Domain Override" and/or "Query Forwarding" config.Again, what your trying to do is pretty straight forward. I suggest you start with a clean config and create both Unbound and BIND configs in the web interface (it's all there). When that's working you always can tweak your config with manual custom stuff (but I don't see any reason, because it's all there in the GUI).
# By default, for a number of zones a small default 'nothing here' # reply is built-in. Query traffic is thus blocked. If you # wish to serve such zone you can unblock them by uncommenting one # of the nodefault statements below. # You may also have to use domain-insecure: zone to make DNSSEC work, # unless you have your own trust anchors for this zone. # local-zone: "localhost." nodefault # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault local-zone: "home.arpa." nodefault
Special treatment of any particular zone by "magic" should be punished.
1. Users can use names ending with '.home.arpa.' just as they would use any other domain name. The 'home.arpa.' name is chosen to be readily recognized by users as signifying that the name is addressing a service on the homenet to which the user's device is connected. 2. Application software SHOULD NOT treat names ending in '.home.arpa.' differently than other names. In particular, there is no basis for trusting names that are subdomains of 'home.arpa.' (see Section 6). 3. Name resolution APIs and libraries MUST NOT recognize names that end in '.home.arpa.' as special and MUST NOT treat them as having special significance, except that it may be necessary that such APIs not bypass the locally configured recursive resolvers.
In BIND you setup regular zone files for e.g. localhost.
printf 'server:\n\tlocal-zone: "home.arpa." nodefault\n' > /usr/local/etc/unbound.opnsense.d/local-zone.conf
# Outgoing interfaces to be usedoutgoing-interface: 10.82.40.3
Another remark: I always recommend using a subdomain of a real domain name for internal networks. This way you won't get a conflict when your "private" domain unexpectedly has some special meaning (".local") or a new top level domain is introduced or suddenly you need split DNS because you run AD but marketing insists the external webserver must be "company.com", etc.So the name and domain of my company is punkt.de. Our internal network is intern.punkt.de. No entry for anything in intern.punkt.de is published on the Internet. My private domain is hausen.com. My homelab uses ettlingen.hausen.com, the place where I live. Again no ettlingen.hausen.com anywhere public.
That is one option, but as this is a small home network with only internal services, I didn't really want to register a domain just for that.
Ah ... yes, I remember: browsers do not accept wildcard certificates for TLDs like *.lan.
Possibly it's only .home.arpa that gets a special treatment but .myname.home.arpa works ok?
but you're free to make up anything you like, for instance .lan , .home , .internal , .l33t etc.
We had another user report problems trying to use .lan as the local domain and host names directly under that. As soon as they switched to .myname.lan everything worked as expected. Ah ... yes, I remember: browsers do not accept wildcard certificates for TLDs like *.lan.Possibly it's only .home.arpa that gets a special treatment but .myname.home.arpa works ok?
@netnut, even with a private CA the browser will not accept a wildcard cert for *.lan, only for *.foo.lan ... that was the problem of that other person as it turned out.