Unbound fails to start when loading custom access control views

[bob9744]

Hello!

Unbound now fails to start when trying to load custom access control views, something that worked well up to this point.

Here's the content from the conf file that I drop in /usr/local/etc/unbound.opnsense.d, formatting as outlined in the unbound docs:

Code: [Select]

access-control-view: 10.0.10.0/24 trusted
access-control-view: 10.0.20.0/24 kids
access-control-view: 10.0.30.0/24 iot
access-control-view: 10.0.40.0/24 dmz
access-control-view: 10.0.50.0/24 cameras

view:
    name: "trusted"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.10.1"
    local-data: "opnsense A 10.0.10.1"
    view-first: yes

view:
    name: "kids"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.20.1"
    local-data: "opnsense A 10.0.20.1"
    view-first: yes

view:
    name: "iot"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.30.1"
    local-data: "opnsense A 10.0.30.1"
    local-zone: "ntp.org" redirect
    local-data: "ntp.org A 10.0.30.1"
    view-first: yes

view:
    name: "dmz"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.40.1"
    local-data: "opnsense A 10.0.40.1"
    view-first: yes

view:
    name: "cameras"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.50.1"
    local-data: "opnsense A 10.0.50.1"
    local-zone: "ntp.org" redirect
    local-data: "ntp.org A 10.0.50.1"
    view-first: yes
Any ideas of why this is failing now would be greatly appreciated!

Thanks!

[aptalca]

I also experienced a similar issue.

Prior to 23.7, I was using a custom unbound conf with an access-control-view defined.

Once I upgraded to 23.7, unbound would no longer start. Removing the access-control-view allows unbound to start. No idea what's causing it.

Here's my redacted sample conf:

Code: [Select]

server:

access-control-view: 192.168.2.0/24 "vlan10"

local-zone: "domain.url" redirect
local-data: "domain.url 86400 IN A 192.168.1.1"

view:
name: "vlan10"
local-zone: "localdomain" deny

I'm trying to prevent local dns lookups from vlan10

[newsense]

Hello!

Unbound now fails to start when trying to load custom access control views, something that worked well up to this point.

Here's the content from the conf file that I drop in /usr/local/etc/unbound.opnsense.d, formatting as outlined in the unbound docs:

Code: [Select]

access-control-view: 10.0.10.0/24 trusted
access-control-view: 10.0.20.0/24 kids
access-control-view: 10.0.30.0/24 iot
access-control-view: 10.0.40.0/24 dmz
access-control-view: 10.0.50.0/24 cameras

view:
    name: "trusted"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.10.1"
    local-data: "opnsense A 10.0.10.1"
    view-first: yes

view:
    name: "kids"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.20.1"
    local-data: "opnsense A 10.0.20.1"
    view-first: yes

view:
    name: "iot"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.30.1"
    local-data: "opnsense A 10.0.30.1"
    local-zone: "ntp.org" redirect
    local-data: "ntp.org A 10.0.30.1"
    view-first: yes

view:
    name: "dmz"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.40.1"
    local-data: "opnsense A 10.0.40.1"
    view-first: yes

view:
    name: "cameras"
    local-zone: "beaker.ddnsgeek.com" transparent
    local-data: "opnsense.beaker.ddnsgeek.com A 10.0.50.1"
    local-data: "opnsense A 10.0.50.1"
    local-zone: "ntp.org" redirect
    local-data: "ntp.org A 10.0.50.1"
    view-first: yes
Any ideas of why this is failing now would be greatly appreciated!

Thanks!

Not sure why you need custom views here, a simple port forward rule would do just fine:

Select all (V)LANs in scope, Proto UDP, Source Any Destination Any DPort 123 Redirect 127.0.0.1 Port 123

You can then clone the rule and change NTP to DNS, adjust the proto to TCP/UDP

[bob9744]

Not sure why you need custom views here, a simple port forward rule would do just fine:

Select all (V)LANs in scope, Proto UDP, Source Any Destination Any DPort 123 Redirect 127.0.0.1 Port 123

You can then clone the rule and change NTP to DNS, adjust the proto to TCP/UDP

Thanks for the response! Maybe I misunderstand your answer - primarily what I was trying to do was ensure that querying either 'opnsense' or its FQDN would resolve to the IP that matches the vlan the query was issued from. You're right, though, about the ntp entries - ironically, I already have port forwards for those in place - I must've forgotten to go back and prune them from the views file...

For now, since I really only access the router using it's 'short' name from my pc, I dropped an entry in hosts that matches the vlan my pc's on - that's good enough for now.

[aptalca]

I also experienced a similar issue.

Prior to 23.7, I was using a custom unbound conf with an access-control-view defined.

Once I upgraded to 23.7, unbound would no longer start. Removing the access-control-view allows unbound to start. No idea what's causing it.

Here's my redacted sample conf:

Code: [Select]

server:

access-control-view: 192.168.2.0/24 "vlan10"

local-zone: "domain.url" redirect
local-data: "domain.url 86400 IN A 192.168.1.1"

view:
name: "vlan10"
local-zone: "localdomain" deny

I'm trying to prevent local dns lookups from vlan10

It turns out my issue was a formatting issue. I got rid of the quotes around the view name and fixed the indents and now it starts with the following custom config. I guess the older version of unbound tolerated formatting issues but the newer version doesn't.

Code: [Select]

server:

access-control-view: 192.168.2.0/24 vlan10

local-zone: "domain.url" redirect
local-data: "domain.url 86400 IN A 192.168.1.1"

view:
    name: vlan10
    local-zone: "localdomain" deny


[bob9744]

It turns out my issue was a formatting issue. I got rid of the quotes around the view name and fixed the indents and now it starts with the following custom config. I guess the older version of unbound tolerated formatting issues but the newer version doesn't.

Did you indent using spaces or tabs? I tried both, and unbound still failed to start for me...

[aptalca]

I did 4 spaces. I'm not sure whether it was the indents or the removal of the quotes around the view name that fixed the issue as I did both at once and it worked.