Issues with Unbound overrides

Started by mightyi, May 02, 2026, 01:03:48 PM

I have been a happy user of Opnsense for many years on my home network, having migrated from Sophos.
I recently upgraded to 26.1 and was trying to add an alias for a pod container on my management VLAN so it was accessible on my default internal VLAN, but it refused to work no matter what. It was then I noticed another issue - none of my wildcard overrides worked either!
After a breach a number of years ago where someone used an AnyDesk hack, I have locked down any remote control domains by redirecting them to 127.0.0.1 and blocking/redirecting DNS to anything other than the firewall to stop manual intervention. This has always worked great, but in recent months I've had issues with a couple of my aliases not working as they should - and I finally got round to fixing this week.
No matter what I do I cannot get the overrides to work properly. They work on the firewall locally, but trying a lookup from a client machine always results in the apex and www for the domains directing to the actual IP addresses. Initially, it appeared that blacklisting was causing the client to ignore the overrides because they were completely ignored; I manually deleted all the Unbound config, deleted it from the template and reinstalled it. This cured a lot of the issues, but www and apex still refuse to resolve to 127.0.0.1 from a client.
Working with Claude it had me try a lot of things and could only conclude that it couldn't really be done in 26.1.x - which I can't believe!  I even tried adding manual blocklists config files, which resulted in exactly the same problem.


Can anyone offer any advice on a workaround for this? It appears that since the revamp of Unbound, functionality is broken for overrides. I'm using ISC DHCP and it integrates well with Unbound, so I don't really want to start moving to Kea DHCP as it doesn't have the same integrations.

Quote from: mightyi on May 02, 2026, 01:03:48 PM
No matter what I do I cannot get the overrides to work properly. They work on the firewall locally, but trying a lookup from a client machine always results in the apex and www for the domains directing to the actual IP addresses.

My two bob's worth - I expect you've been down this path!

If the client machines are showing different responses to the same query, flush the DNS cache on the client machines and test again.

If the problem persists, check to make sure the DNS server being queried on the client machine is the same one you're querying on the firewall.

Thanks for the reply - always worth suggesting the obvious stuff sometimes as we all miss that sort of thing going down rabbit holes :)

I have performed the usual ipconfig /flushdns on the Windows clients, and ensured the DNS server is the firewall itself. Unfortunately it still behaves wrongly!

Running the nslookup debug switch seems to show it completely bypassing the firewall DNS and going straight out to Cloudflare DNS (what the firewall nameservers are set to):
C:\Users\Ian>nslookup -d
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        1.100.50.10.in-addr.arpa, type = PTR, class = IN
    AUTHORITY RECORDS:
    ->  10.in-addr.arpa
        ttl = 10800 (3 hours)
        primary name server = localhost
        responsible mail addr = nobody.invalid
        serial  = 1
        refresh = 3600 (1 hour)
        retry   = 1200 (20 mins)
        expire  = 604800 (7 days)
        default TTL = 10800 (3 hours)

------------
Default Server:  UnKnown
Address:  10.50.100.1

> teamviewer.com
Server:  UnKnown
Address:  10.50.100.1

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        teamviewer.com.int.intlan.uk, type = A, class = IN
    AUTHORITY RECORDS:
    ->  intlan.uk
        ttl = 1800 (30 mins)
        primary name server = maria.ns.cloudflare.com
        responsible mail addr = dns.cloudflare.com
        serial  = 2401961462
        refresh = 10000 (2 hours 46 mins 40 secs)
        retry   = 2400 (40 mins)
        expire  = 604800 (7 days)
        default TTL = 1800 (30 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        teamviewer.com.int.intlan.uk, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  intlan.uk
        ttl = 1800 (30 mins)
        primary name server = maria.ns.cloudflare.com
        responsible mail addr = dns.cloudflare.com
        serial  = 2401961462
        refresh = 10000 (2 hours 46 mins 40 secs)
        retry   = 2400 (40 mins)
        expire  = 604800 (7 days)
        default TTL = 1800 (30 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        teamviewer.com, type = A, class = IN
    ANSWERS:
    ->  teamviewer.com
        internet address = 52.223.21.92
        ttl = 86400 (1 day)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        teamviewer.com, type = AAAA, class = IN
    ANSWERS:
    ->  teamviewer.com
        AAAA IPv6 address = 2600:9000:a61f:6da7:367b:7826:b8c1:d0a8
        ttl = 86400 (1 day)

------------
Name:    teamviewer.com
Addresses:  2600:9000:a61f:6da7:367b:7826:b8c1:d0a8
          52.223.21.92

>
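The nslookup -d transcript above is the evidence this kind of problem turns on, and it is easy to misread by eye: the "Address:" lines say which server the client actually sent the query to, and the first two "Got answer:" blocks are for teamviewer.com.int.intlan.uk, i.e. the client appended its DNS search suffix before asking for the bare name. Below is an added example (my own code, not from this thread or from OPNsense) that parses a transcript of that shape and classifies each query as answered by something other than the firewall, polluted by a search suffix, matching the expected override, or missed; it also emits the Unbound config that implements an apex-plus-wildcard redirect to 127.0.0.1, since Unbound's `local-zone ... redirect` type answers the zone name and every name beneath it from one `local-data` record. The override list, the firewall address, the trimmed transcript and all function names are assumptions constructed from the post for illustration.

```python
"""Check an nslookup -d transcript against the Unbound overrides it should show.

Added example, not code from the forum thread or from OPNsense.  It parses the
debug output Windows nslookup prints (the shape quoted in the post) and reports,
per query, whether the client appended a search suffix, whether something other
than the firewall answered, and whether the answer matches the override.  The
override list, firewall address and transcript are constructed from the thread.
"""
import re

# Assumed policy: the apex and every subdomain of each name go to 127.0.0.1.
EXPECTED_OVERRIDES = {"teamviewer.com": "127.0.0.1"}
FIREWALL = "10.50.100.1"                       # the firewall's address in the post

SERVER_RE = re.compile(r"^Address:\s+(\S+)")   # nslookup's "Address:" line
QUESTION_RE = re.compile(r"^\s+(\S+), type = (\S+), class = IN", re.M)
ADDR_RE = re.compile(r"(?:internet address|AAAA IPv6 address) = (\S+)")


def unbound_redirect_zones(overrides):
    """Unbound config for the overrides: a 'redirect' local-zone answers the
    zone name and every name beneath it from its local-data (the wildcard)."""
    lines = ["server:"]
    for name, addr in sorted(overrides.items()):
        lines.append(f'    local-zone: "{name}." redirect')
        lines.append(f'    local-data: "{name}. A {addr}"')
    return "\n".join(lines) + "\n"


def parse_nslookup_debug(text):
    """One dict per 'Got answer:' block: server queried, name, type, answers."""
    results, server, block = [], None, None
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m and block is None:                # which server nslookup is using
            server = m.group(1)
        elif line.strip() == "Got answer:":
            block = []
        elif block is not None and line.startswith("------------"):
            body = "\n".join(block)
            name, qtype = QUESTION_RE.search(body).groups()
            results.append({"server": server, "name": name.rstrip(".").lower(),
                            "type": qtype, "answers": ADDR_RE.findall(body)})
            block = None
        elif block is not None:
            block.append(line)
    return results


def _match_zone(name, overrides):
    """Map a query name to the override zone it falls under, if any."""
    for zone in overrides:
        if name == zone or name.endswith("." + zone):
            return zone, "covered"
        if name.startswith(zone + "."):        # e.g. teamviewer.com.int.intlan.uk
            return zone, "suffixed"
    return None, None


def check_overrides(results, overrides, firewall):
    """(name, qtype, verdict) for every query that touches an override."""
    findings = []
    for r in results:
        zone, relation = _match_zone(r["name"], overrides)
        if zone is None:
            continue
        if relation == "suffixed":
            verdict = "SUFFIXED: client appended a search domain; says nothing about the override"
        elif r["server"] != firewall:
            verdict = f"BYPASS: answered by {r['server']}, not {firewall}"
        else:  # A must return the override; AAAA must be empty (zone holds only an A)
            ok = (r["answers"] == [overrides[zone]] if r["type"] == "A"
                  else not r["answers"])
            verdict = "OK: override applied" if ok else f"MISSED: got {r['answers'] or 'nothing'}"
        findings.append((r["name"], r["type"], verdict))
    return findings


# Constructed from the transcript in the post, trimmed to the lines parsed above.
SAMPLE_TRANSCRIPT = """\
> teamviewer.com
Address:  10.50.100.1
------------
Got answer:
    QUESTIONS:
        teamviewer.com.int.intlan.uk, type = A, class = IN
------------
Got answer:
    QUESTIONS:
        teamviewer.com, type = A, class = IN
    ANSWERS:
    ->  teamviewer.com
        internet address = 52.223.21.92
------------
"""

if __name__ == "__main__":
    print(unbound_redirect_zones(EXPECTED_OVERRIDES))
    for hit in check_overrides(parse_nslookup_debug(SAMPLE_TRANSCRIPT), EXPECTED_OVERRIDES, FIREWALL):
        print(*hit)
```

Two practical notes. To keep the search-suffix noise out of a test from a Windows client, query the fully qualified name with a trailing dot (`nslookup teamviewer.com. 10.50.100.1`), which stops the resolver appending the connection's DNS suffix. To confirm what Unbound itself believes, run `unbound-control list_local_zones` and `unbound-control list_local_data` on the firewall; if the redirect zone is absent there, the problem is the generated config, not the client, and a fragment like the one printed above can be dropped into the directory OPNsense reads custom Unbound fragments from (/usr/local/etc/unbound.opnsense.d/) and the service restarted.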