Configuring Unbound DNS for Multi-Subnet Proxy Access via NGINX

Started by foss-johnny, February 23, 2026, 12:26:46 AM

Hi all,

If I have multiple LAN subnets, and I want my clients in each subnet to be able to resolve/route to NGINX running on OPNsense, and then NGINX forwards to a server IP running in a DMZ subnet, what is the correct way to configure the DNS?

Do you set up a single Unbound DNS override entry to point to a single LAN gateway that you designate for NGINX, or do you somehow set up each LAN to have the DNS name of the server resolve to their respective LAN gateway interfaces?


Bump.

Any advice would be appreciated.

I was thinking to perhaps create a new VLAN and use VIPs for any service hosted on the OPNsense itself.

Is this the right design approach or should a different design be used?

You can use the external IP address of the OPNsense; split DNS is not necessary. Just normal external A records will be enough, since the OPNsense will listen on this external IP address via a socket (if nginx is bound to it or to the * (any) interface). The default route of all clients sends the traffic to the OPNsense anyway.

Otherwise just use any IP of the OPNsense and Unbound for a Host override. Just make sure the firewall rules allow access.
Hardware:
DEC740
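The design in the reply above, written out as checkable data: one Unbound host override pointing at a single address the firewall owns, an nginx server block bound to that address and proxying into the DMZ, and one pass rule per LAN interface. This is an added example, not the thread author's or OPNsense's own code; the hostname, addresses and subnets are a constructed topology, and the certificate paths are placeholders.

```python
"""Sketch the 'one A record -> one OPNsense IP -> nginx -> DMZ' design as data.

Constructed topology (assumption): one OPNsense box with a WAN address, two
LAN interfaces and a DMZ interface.  Any of these addresses can be the nginx
listener, because every client's default route already points at OPNsense.
"""
import ipaddress
from typing import Dict, List

OPNSENSE_ADDRS: Dict[str, str] = {   # addresses the firewall itself owns
    "wan": "203.0.113.10",
    "lan1": "192.168.10.1",
    "lan2": "192.168.20.1",
    "dmz": "10.0.50.1",
}
LAN_SUBNETS: Dict[str, str] = {      # client networks that need the proxy
    "lan1": "192.168.10.0/24",
    "lan2": "192.168.20.0/24",
}
DMZ_SUBNET = "10.0.50.0/24"          # where the real backend lives


def is_firewall_address(ip: str) -> bool:
    """True if ip is one of the OPNsense interface addresses."""
    return ip in OPNSENSE_ADDRS.values()


def in_dmz(ip: str) -> bool:
    """True if ip lies inside the DMZ subnet."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(DMZ_SUBNET)


def unbound_host_override(hostname: str, ip: str) -> str:
    """Unbound custom-option line equivalent to a single Host Override entry.

    One record is enough for all subnets: the clients reach any OPNsense
    address through their default gateway, so no per-LAN answer is needed.
    """
    if not is_firewall_address(ip):
        raise ValueError(f"{ip} is not an address the firewall owns")
    return f'local-data: "{hostname.rstrip(".")}. IN A {ip}"'


def nginx_server_block(hostname: str, listen_ip: str, upstream: str,
                       port: int = 443) -> str:
    """Reverse-proxy block bound to exactly one OPNsense address.

    Binding to one address (rather than *:443) keeps the listener explicit;
    the firewall rules decide who may reach it.  The upstream must be in the
    DMZ so nginx stays the only LAN -> DMZ path for this service.
    """
    if not is_firewall_address(listen_ip):
        raise ValueError(f"{listen_ip} is not an address the firewall owns")
    if not in_dmz(upstream.split(":")[0]):
        raise ValueError(f"upstream {upstream} is outside the DMZ {DMZ_SUBNET}")
    return "\n".join([
        "server {",
        f"    listen {listen_ip}:{port} ssl;",
        f"    server_name {hostname};",
        "    ssl_certificate     /path/to/fullchain.pem;   # placeholder path",
        "    ssl_certificate_key /path/to/privkey.pem;     # placeholder path",
        "    location / {",
        f"        proxy_pass http://{upstream};",
        "        proxy_set_header Host $host;",
        "        proxy_set_header X-Forwarded-For $remote_addr;",
        "    }",
        "}",
    ])


def firewall_rules(listen_ip: str, port: int = 443) -> List[Dict[str, str]]:
    """One pass rule per LAN interface: its own subnet to the listener only.

    Rules sit on the interface where the client traffic enters, which is how
    OPNsense evaluates them; nothing else from the LANs needs to reach the DMZ.
    """
    return [
        {"interface": iface, "action": "pass", "proto": "tcp",
         "src": subnet, "dst": f"{listen_ip}/32", "dst_port": str(port)}
        for iface, subnet in LAN_SUBNETS.items()
    ]


def render_design(hostname: str, listen_ip: str, upstream: str) -> str:
    """Everything a reviewer would want to see on one screen."""
    rules = "\n".join(
        f"  {r['interface']}: {r['action']} {r['proto']} "
        f"{r['src']} -> {r['dst']} port {r['dst_port']}"
        for r in firewall_rules(listen_ip)
    )
    return "\n\n".join([
        "# Unbound\n" + unbound_host_override(hostname, listen_ip),
        "# nginx\n" + nginx_server_block(hostname, listen_ip, upstream),
        "# firewall\n" + rules,
    ])


if __name__ == "__main__":
    print(render_design("app.example.internal", "203.0.113.10", "10.0.50.10:8080"))
```

Swap `203.0.113.10` for any other entry in `OPNSENSE_ADDRS` (a LAN gateway, or a VIP you add to the map) and the override, listener and rules follow; the backend in the DMZ only ever sees connections from the OPNsense DMZ interface address, so its own ACL can be that narrow.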