Unbound DNS, Host Overrides, Aliases not showing in the interface

Started by JeroenS, February 14, 2024, 09:34:18 AM

Dear Forum Members,

I got a colleague at my desk telling me that things are working, but according to the configuration in OPNsense, they shouldn't be.

In our office we have a server running multiple dockers hosting several services for the company. As these services are all available on the same IP address on the network, we have given them names to access them easily.

In Unbound you can configure host overrides, so for the server we have created the main entry with its IP address and created aliases for all dockers running on the same machine. (This configuration was created years ago.)

Software running currently:
OPNsense 23.7.12_5-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w

Now when we look in the configuration web interface, we see that the Aliases list is empty.

When we checked the /conf/config.xml file, we saw the following configuration for Unbound. I have anonymized the configuration. I tried to leave the links between the servers and the aliases as clear as possible. I am human, so I may have made a mistake.

<unboundplus version="1.0.8">
      <general>
        <enabled>1</enabled>
        <port>53</port>
        <stats>1</stats>
        <active_interface/>
        <dnssec>0</dnssec>
        <dns64>0</dns64>
        <dns64prefix>64:ff9b::/96</dns64prefix>
        <noarecords>0</noarecords>
        <regdhcp>1</regdhcp>
        <regdhcpdomain/>
        <regdhcpstatic>0</regdhcpstatic>
        <noreglladdr6>0</noreglladdr6>
        <noregrecords>0</noregrecords>
        <txtsupport>0</txtsupport>
        <cacheflush>0</cacheflush>
        <local_zone_type>transparent</local_zone_type>
        <outgoing_interface/>
        <enable_wpad>0</enable_wpad>
      </general>
      <advanced>
        <hideidentity>0</hideidentity>
        <hideversion>0</hideversion>
        <prefetch>0</prefetch>
        <prefetchkey>0</prefetchkey>
        <dnssecstripped>0</dnssecstripped>
        <serveexpired>0</serveexpired>
        <serveexpiredreplyttl/>
        <serveexpiredttl/>
        <serveexpiredttlreset>0</serveexpiredttlreset>
        <serveexpiredclienttimeout/>
        <qnameminstrict>0</qnameminstrict>
        <extendedstatistics>0</extendedstatistics>
        <logqueries>0</logqueries>
        <logreplies>0</logreplies>
        <logtagqueryreply>0</logtagqueryreply>
        <logservfail>0</logservfail>
        <loglocalactions>0</loglocalactions>
        <logverbosity>1</logverbosity>
        <valloglevel>0</valloglevel>
        <privatedomain/>
        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
        <insecuredomain/>
        <msgcachesize/>
        <rrsetcachesize/>
        <outgoingnumtcp/>
        <incomingnumtcp/>
        <numqueriesperthread/>
        <outgoingrange/>
        <jostletimeout/>
        <cachemaxttl/>
        <cachemaxnegativettl/>
        <cacheminttl/>
        <infrahostttl/>
        <infrakeepprobing>0</infrakeepprobing>
        <infracachenumhosts/>
        <unwantedreplythreshold/>
      </advanced>
      <acls>
        <default_action>allow</default_action>
        <acl uuid="68592565-3f29-4495-a72a-3f0a7bd96df6">
          <enabled>1</enabled>
          <name>VPN</name>
          <action>allow</action>
          <networks>xxx.xx.xx.0/29</networks>
          <description>xxx.xx.xx.0/29</description>
        </acl>
      </acls>
      <dnsbl>
        <enabled>0</enabled>
        <safesearch>0</safesearch>
        <type/>
        <lists/>
        <whitelists/>
        <blocklists/>
        <wildcards/>
        <address/>
        <nxdomain>0</nxdomain>
      </dnsbl>
      <forwarding>
        <enabled>0</enabled>
      </forwarding>
      <dots/>
      <hosts>
        <host uuid="8da0b498-2c6b-4346-83be-bdf2c33a7c4a">
          <enabled>1</enabled>
          <hostname>Server1</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.6</server>
          <description>Server number 1</description>
        </host>
        <host uuid="3b33854b-b603-46f0-89c3-675ad92f53e9">
          <enabled>1</enabled>
          <hostname>Server2</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.7</server>
          <description>Server number 2</description>
        </host>
        <host uuid="37446fd9-d446-45e5-8915-6c0928de4f30">
          <enabled>1</enabled>
          <hostname>Server3</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.8</server>
          <description>Server number 3</description>
        </host>
        <host uuid="86f9388b-4012-412d-b975-22184b6782e6">
          <enabled>1</enabled>
          <hostname>Server4</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.9</server>
          <description>Server number 4</description>
        </host>
        <host uuid="3ce5fc46-9524-46e9-9ccc-2af6e8e3d21e">
          <enabled>1</enabled>
          <hostname>Server5</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xx.x.4</server>
          <description>Server number 5</description>
        </host>
        <host uuid="2809c99f-6d65-48a6-ac8d-ebe98e9d6faa">
          <enabled>1</enabled>
          <hostname>Server 6</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.10</server>
          <description>Server number 6</description>
        </host>
        <host uuid="c9b41479-e080-4a15-ad00-1d221fcd06ee">
          <enabled>1</enabled>
          <hostname>Server7</hostname>
          <domain>xyz</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <server>xxx.xxx.xxx.11</server>
          <description>Server number 7</description>
        </host>
      </hosts>
      <aliases>
        <alias uuid="a6d376d7-ea98-4974-9223-eb28595e0238">
          <enabled>1</enabled>
          <host>3b33854b-b603-46f0-89c3-675ad92f53e9</host>
          <hostname>Ohtername1Server2</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="425ac57f-d4c8-4455-a5ae-3b68f5e05c63">
          <enabled>1</enabled>
          <host>3b33854b-b603-46f0-89c3-675ad92f53e9</host>
          <hostname>Ohtername2Server2</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="805de89c-4009-48ad-a43b-87883bef6ef0">
          <enabled>1</enabled>
          <host>37446fd9-d446-45e5-8915-6c0928de4f30</host>
          <hostname>Othername1Server3</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="c3e606f0-c52b-409e-855a-18857e2a1112">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername1Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="c28c91af-26cc-4c4f-aa23-4bec97a0cc62">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername2Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="8dce8e47-3286-4cf2-adb2-e953cb8a0d6e">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername3Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="c8cf1015-d7ed-4ff1-947c-6ef01d159b91">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername4Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="ad039ccd-8b0b-4bef-b2c0-7166bc2bb573">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername5Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="f4776e15-bb9a-4bdf-be5e-73d95e1c56da">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername6Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="bd23ecae-924b-4045-93d7-79377e144d32">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername7Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="a7f0d6ab-7704-42ad-9d33-54651a0e32a7">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername8Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="0edc5d41-c7cd-43d9-ac29-d3ec247f8fed">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername9Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="12769bf8-6da2-459a-8b07-58562acd9853">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername10Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
        <alias uuid="67db3a27-c4c9-49d7-965a-b2058cb760a9">
          <enabled>1</enabled>
          <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
          <hostname>Othername11Server7</hostname>
          <domain>xyz</domain>
          <description/>
        </alias>
      </aliases>
      <domains>
        <domain uuid="d2af4c71-4c90-4864-92d7-85e3d2a30031">
          <enabled>1</enabled>
          <domain>xyz.local</domain>
          <server>xxx.xxx.xxx.2</server>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <description>xyz domain</description>
        </domain>
      </domains>
    </unboundplus>


In the log file of Unbound DNS a lot of entries are shown for all the aliases. Below is one of the entries.
2024-01-19T22:31:03 Warning unbound PTR record already exists for othername6server7.xyz(xxx.xxx.xxx.11)

What could be the issue that causes them not to be shown? Also, if we create a new alias, will we lose the other aliases?

Looking forward to elaborating on this issue.

Jeroen
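As an added example (not from the post and not OPNsense's own code), a Python script that reads the `<unboundplus>` section of config.xml and joins each alias to its host override by UUID, which is the link the GUI follows when a host row is selected; it also reports aliases whose host UUID no longer exists and addresses that several names resolve to. The sample XML is constructed: the two host UUIDs are copied from the post, the all-zero UUID is a placeholder and the addresses are documentation ranges.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of the <unboundplus> section above; the two
# host UUIDs come from the post, the all-zero UUID is a placeholder for a host
# override that has been deleted, the addresses are documentation ranges.
SAMPLE_CONFIG = """<opnsense><unboundplus version="1.0.8">
  <hosts>
    <host uuid="3b33854b-b603-46f0-89c3-675ad92f53e9">
      <enabled>1</enabled><hostname>Server2</hostname><domain>xyz</domain>
      <rr>A</rr><server>192.0.2.7</server>
    </host>
    <host uuid="c9b41479-e080-4a15-ad00-1d221fcd06ee">
      <enabled>1</enabled><hostname>Server7</hostname><domain>xyz</domain>
      <rr>A</rr><server>192.0.2.11</server>
    </host>
  </hosts>
  <aliases>
    <alias uuid="a1"><enabled>1</enabled>
      <host>3b33854b-b603-46f0-89c3-675ad92f53e9</host>
      <hostname>Othername1Server2</hostname><domain>xyz</domain></alias>
    <alias uuid="a2"><enabled>1</enabled>
      <host>c9b41479-e080-4a15-ad00-1d221fcd06ee</host>
      <hostname>Othername1Server7</hostname><domain>xyz</domain></alias>
    <alias uuid="a3"><enabled>1</enabled>
      <host>00000000-0000-0000-0000-000000000000</host>
      <hostname>Orphan</hostname><domain>xyz</domain></alias>
  </aliases>
</unboundplus></opnsense>"""


def audit_overrides(xml_text):
    """Join aliases to their host override by UUID, as the GUI does when a host row is selected."""
    ub = ET.fromstring(xml_text).find("unboundplus")
    hosts = {}  # uuid -> (fqdn, ip)
    for h in ub.findall("hosts/host"):
        hosts[h.get("uuid")] = (f"{h.findtext('hostname')}.{h.findtext('domain')}", h.findtext("server"))
    aliases, orphans = defaultdict(list), []
    for a in ub.findall("aliases/alias"):
        fqdn = f"{a.findtext('hostname')}.{a.findtext('domain')}"
        ref = a.findtext("host")  # UUID of the host override this alias belongs to
        if ref in hosts:
            aliases[ref].append(fqdn)
        else:
            orphans.append((fqdn, ref))  # alias whose host override is gone
    # Every name that resolves to one address; more than one name per address
    # is the situation the "PTR record already exists" warning in the log describes.
    names_by_ip = defaultdict(list)
    for uuid, (fqdn, ip) in hosts.items():
        names_by_ip[ip].append(fqdn)
        names_by_ip[ip].extend(aliases.get(uuid, []))
    return {"hosts": hosts, "aliases": dict(aliases), "orphans": orphans, "names_by_ip": dict(names_by_ip)}
```

Point it at a real backup with `audit_overrides(open("config.xml").read())` to confirm the aliases are still present and still attached to a host before touching them in the GUI.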

I also noticed the same thing on my v23.7.12_5 box.

I am using Unbound DNS's overrides to "create" an internal DNS domain/zone for my LAN.

I have a "Host Override" entry per server/IP and I recall I had multiple aliases in the entry (also a years-long setup).

Today I wanted to add a new alias and could not find where I needed to add it and hopefully I stumbled on this topic.

Here is the XML part from an OPNsense configuration backup on 2021-08 (so I guess it was v21.7, or maybe v21.1):

  <unbound>
    <hosts>
  <!-- This makes "mesu.apple.com", "appldnld.apple.com" and "plex.tv" resolve to "192.168.0.253" which I use as a blackhole (via a firewall rule) -->
      <host>blackhole</host>
      <domain>lists.invalid</domain>
      <rr>A</rr>
      <ip>192.168.0.253</ip>
      <mxprio/>
      <mx/>
      <descr>Blocks FQDN (towards BlackHoleGateway)</descr>
      <aliases>
        <item>
          <domain>apple.com</domain>
          <descr>MAJ Apple</descr>
          <host>mesu</host>
        </item>
        <item>
          <domain>apple.com</domain>
          <descr>MAJ Apple</descr>
          <host>appldnld</host>
        </item>
        <item>
          <domain>tv</domain>
          <descr/>
          <host>plex</host>
        </item>
      </aliases>
    </hosts>
    <hosts>
  <!-- This makes "server1.my-internal.lan" resolve to "192.168.0.101" -->
      <host>server1</host>
      <domain>my-internal.lan</domain>
      <rr>A</rr>
      <ip>192.168.0.101</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <hosts>
  <!-- This makes "router.my-internal.lan" resolve to "192.168.0.1" but also "ntp.my-internal.lan" -->
      <host>router</host>
      <domain>my-internal.lan</domain>
      <rr>A</rr>
      <ip>192.168.0.1</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item>
          <domain/>
          <descr/>
          <host>ntp</host>
        </item>
      </aliases>
    </hosts>
    <hosts>
  <!--
    This makes "server3-aliases.lists.invalid" resolve to "192.168.0.103" (which I don't care about/use).
    But it also makes the following FQDNs resolve to the same IP (which I do care about):
    * app1.my-internal.lan
    * app2.my-internal.lan
    * plex.my-internal.lan
  -->
      <host>server3-aliases</host>
      <domain>lists.invalid</domain>
      <rr>A</rr>
      <ip>192.168.0.103</ip>
      <mxprio/>
      <mx/>
      <descr>Alias for local services provided by server3</descr>
      <aliases>
        <item>
          <domain>my-internal.lan</domain>
          <descr/>
          <host>app1</host>
        </item>
        <item>
          <domain>my-internal.lan</domain>
          <descr/>
          <host>app2</host>
        </item>
        <item>
          <domain>my-internal.lan</domain>
          <descr/>
          <host>plex</host>
        </item>
      </aliases>
    </hosts>
    <hosts>
  <!--
    This makes "server3-self-hosting.lists.invalid" resolve to "192.168.0.103" (which I don't care about/use).
    But it also makes the following FQDNs resolve to the same IP (which I do care about):
    * app1.duvergier.fr
    * app2.duvergier.fr
    This entry is for direct access to some publicly accessible applications that I self-host.
  -->
      <host>server3-self-hosting</host>
      <domain>lists.invalid</domain>
      <rr>A</rr>
      <ip>192.168.0.103</ip>
      <mxprio/>
      <mx/>
      <descr>Access to public services self-hosted on server3</descr>
      <aliases>
        <item>
          <domain>duvergier.fr</domain>
          <descr/>
          <host>app1</host>
        </item>
        <item>
          <domain>duvergier.fr</domain>
          <descr/>
          <host>app2</host>
        </item>
      </aliases>
    </hosts>

    <!-- The following seems irrelevant for this bug -->
    <enable>1</enable>
    <domainoverrides/>
    <custom_options/>
    <dnssec>1</dnssec>
    <forwarding>1</forwarding>
    <noreglladdr6>1</noreglladdr6>
    <outgoing_interface>wan</outgoing_interface>
    <regdhcpstatic>1</regdhcpstatic>
    <hideidentity>1</hideidentity>
    <hideversion>1</hideversion>
    <cache_max_ttl/>
    <cache_min_ttl/>
    <incoming_num_tcp>10</incoming_num_tcp>
    <infra_cache_numhosts>10000</infra_cache_numhosts>
    <infra_host_ttl>900</infra_host_ttl>
    <jostle_timeout>200</jostle_timeout>
    <log_verbosity>0</log_verbosity>
    <msgcachesize>4</msgcachesize>
    <num_queries_per_thread>4096</num_queries_per_thread>
    <outgoing_num_tcp>10</outgoing_num_tcp>
    <unwanted_reply_threshold/>
    <prefetch>1</prefetch>
  </unbound>


And later on, as JeroenS posted, the aliases were moved to another part of the Unbound configuration.

Ran into the same issue today. Solution is easy. Select (the checkbox next to Enable) the machine you want to see aliases for in the Override section, then it shows the aliases. (My 2 cents to the issue: bad UI design.)

https://github.com/opnsense/core/issues/5752 

Had the same issue and found this post on Google. Then I found an issue on GitHub: https://github.com/opnsense/core/issues/5752

You need to select a host override to see its aliases in the list below.