SOLVED: Unbound: Using TLD test. internally and Unbound as caching DNS

[rainerle]

Hi,
we use the .test domain internally configured on four Bind DNS servers.

A nslookup using one of those is successful:

Code: [Select]

PS C:\Users\admin> nslookup m.s.test 10.20.30.254
Server:  controlnode02.muc.contoso.com
Address:  10.20.30.254

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>

The OPNsense unbound uses all four Bind servers as forward servers, but the nslookup is not successful

Code: [Select]

PS C:\Users\admin> nslookup m.s.test 10.20.30.1
Server:  UnKnown
Address:  10.20.30.1

*** m.s.test wurde von UnKnown nicht gefunden: Non-existent domain.
PS C:\Users\admin>

Switching back to DNSmasq it just works:

Code: [Select]

PS C:\Users\admin> nslookup m.s.test 10.20.30.1
Server:  private-access.muc-fw01.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>

How can I enable the .test domain for unbound?

Already tried with "Private Domains" and  "Insecure Domains" on the Advanced tab - did not help...

Thanks
Rainerle

[netnut]

You should use the "Unbound DNS" :: "Query Forwarding" menu for that. If you run BIND on your OPNsense host itself _with_ Unbound, you have to run BIND on an alternative port, not 53.

Works like a charm.

[rainerle]

So I changed the config from attachment one to attachment two and started the unbound on port 54 to keep the DNSmasq running while testing...

And indeed:

Code: [Select]

PS C:\Users\admin> nslookup -port=53 m.s.test 10.20.30.254
Server:  controlnode02.muc.contoso.com
Address:  10.20.30.254

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin> nslookup -port=53 m.s.test 10.20.30.1
Server:  private-access.muc-fw01.muc.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin> nslookup -port=54 m.s.test 10.20.30.1
Server:  private-access.muc-fw01.muc.contoso.com
Address:  10.20.30.1

Name:    test01.node.dev.contoso.com
Address:  10.31.9.23
Aliases:  m.s.test

PS C:\Users\admin>

...it just works!!! NOT!!!

See next post...

[rainerle]

So, no, it does not work.

Windows nslookup does not know how to use a different port than 53...

Using Linux it shows...

Code: [Select]

admin@linux:~$ nslookup -port=53 m.s.test 10.20.30.254
Server:         10.20.30.254
Address:        10.20.30.254#53

m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

admin@linux:~$ nslookup -port=53 m.s.test 10.20.30.1
Server:         10.20.30.1
Address:        10.20.30.1#53

m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

admin@linux:~$ nslookup -port=54 m.s.test 10.20.30.1
Server:         10.20.30.1
Address:        10.20.30.1#54

** server can't find m.s.test: NXDOMAIN

admin@linux:~$

...a NXDOMAIN for unbound where on bind9 and dnsmasq on the same host I get the expected reply.

[netnut]

If the "s.test" domain is a _valid_ authoritative zone on your configured forwarders there's no need to specify them separately in the "Query Forwarding" section as I suggested.
Unbound is very strict (for obvious reasons), you might want to check the _correct_ config of that zone as it also cname-ing to an active public contoso.com domain.

Tools like dnstracer, dnswalk or dnsrecon might help to get a view how things are resolved and delegated in your case. Might be that Unbound is blocking .test tld anyhow, see the OPNsense docs how to override the Unbound config with templates.

[rainerle]

In case you haven't heard of Contoso yet...
https://de.wikipedia.org/wiki/Contoso
I use that to replace our own organisations URLs...

The problem is surely the test tld and the handling of unbound of it. But I doubt that OPNsense will allow free text user customisations of it...

[netnut]

The problem is surely the test tld and the handling of unbound of it. But I doubt that OPNsense will allow free text user customisations of it...

You should use the template system for that: https://docs.opnsense.org/manual/unbound.html#advanced-configurations

Do some tweaking with the config entry:

Code: [Select]

# local-zone: "test." nodefault
https://datatracker.ietf.org/doc/html/rfc6761.html

[rainerle]

What the heck...
...first time I see the template system...
Instead of Custom options in the gui lets complicate the process and do not allow syncing to the HA partner automatically...

Looks like a step down to me...

[rainerle]

And the template system looks broken as well...

Code: [Select]

root@opnsense02:~ # configctl template reload custom/Unbound
OK
root@opnsense02:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense02:~ # configctl unbound restart
OK
root@opnsense02:~ # cat /var/unbound/etc/custom_server_options.conf
cat: /var/unbound/etc/custom_server_options.conf: No such file or directory
root@opnsense02:~ #

A restart of Unbound just deletes the custom config file...

[rainerle]

But it works on the primary HA partner...

Code: [Select]

root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # cat /var/unbound/etc/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ #

Eieieiei, I am starting to loose my trust...

[Patrick M. Hausen]

The configuration file in /var/unbound/... is generated from the one you are supposed to put in /usr/local/etc/unbound.opnsense.d.

As documented in the link posted by netnut.

[rainerle]

The configuration file in /var/unbound/... is generated from the one you are supposed to put in /usr/local/etc/unbound.opnsense.d.

As documented in the link posted by netnut.

I very much doubt that. Have a look at the generated config in use by unbound:

Code: [Select]

root@opnsense01:~ # ps aux | grep unbound
unbound 39061    0.0  1.0 356572 163636  -  Ss   18:11         0:02.11 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    38534    0.0  0.0  12748   2364  1  S+   18:14         0:00.00 grep unbound
root@opnsense01:~ # cat /var/unbound/unbound.conf
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
include: /var/unbound/advanced.conf
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "python validator iterator"
num-threads: 16
msg-cache-slabs: 32
rrset-cache-slabs: 32
infra-cache-slabs: 32
key-cache-slabs: 32
auto-trust-anchor-file: /var/unbound/root.key



# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# Private networks for DNS Rebinding prevention (when enabled)
private-address: 0.0.0.0/8
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.2.0/24
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 233.252.0.0/24
private-address: ::1/128
private-address: 2001:db8::/32
private-address: fc00::/8
private-address: fd00::/8
private-address: fe80::/10


# Private domains (DNS Rebinding)
include: /var/unbound/private_domains.conf

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)


# Custom includes
include: /var/unbound/etc/*.conf

# Forwarding
forward-zone:
    name: "."
        forward-addr: 10.20.30.254
        forward-addr: 10.20.30.22
        forward-addr: 10.20.50.5
        forward-addr: 10.20.50.6


python:
python-script: dnsbl_module.py

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem
root@opnsense01:~ #


[Patrick M. Hausen]

The configctl system does that - Unbound doesn't know and doesn't care. Again, it's documented here:

https://docs.opnsense.org/manual/unbound.html#advanced-configurations

[rainerle]

Ok, I am sorry, you are right.

Code: [Select]

root@opnsense01:~ # cat /usr/local/opnsense/service/templates/custom/Unbound/+TARGETS
custom_server_options.conf:/usr/local/etc/unbound.opnsense.d/custom_server_options.conf
root@opnsense01:~ # rm /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # configctl template reload custom/Unbound
OK
root@opnsense01:~ # cat /usr/local/etc/unbound.opnsense.d/custom_server_options.conf
server:
    # Disable default NXDOMAIN for our internal test. TLD
    local-zone: "test." nodefault
root@opnsense01:~ # configctl unbound check
no errors in /var/unbound/unbound.conf
root@opnsense01:~ # configctl unbound restart
OK
root@opnsense01:~ # nslookup m.s.test 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
m.s.test        canonical name = test01.node.dev.contoso.com.
Name:   test01.node.dev.contoso.com
Address: 10.31.9.23

root@opnsense01:~ #
root@opnsense01:~ # ls -al /var/unbound/etc/custom_server_options.conf
-rw-r-----  1 unbound  unbound  100 Apr 15 18:40 /var/unbound/etc/custom_server_options.conf
root@opnsense01:~ # scp -r /usr/local/opnsense/service/templates/custom opnsense02:/usr/local/opnsense/service/templates/
custom_server_options.conf                                                                                                                                                                                                                            100%  101   316.8KB/s   00:00
+TARGETS                                                                                                                                                                                                                                              100%   88   299.2KB/s   00:00
root@opnsense01:~ #

And it now works on both nodes. I believe I first started using the directory in the +TARGETS file from the configuration - so on the primary it was already correct and in the proper place. That did not happen on the secondary - so there it was missing and then it failed after a proper restart...