Unbound Problems

Started by AndyX90, February 10, 2018, 09:05:38 AM

Quote from: elektroinside on February 10, 2018, 09:21:57 PM
Windows clients append the domain suffix to hostnames, even if unqualified names are used (this is a feature called DNS devolution). So there are no "domain-name independent" names. Try nslookup from a client.
macOS clients hate .local domains.

If you don't have a DNS server that resolves the FQDN, or if you have multiple DNS servers and you did not configure the chain properly (forward lookups/DNS zones/root hints), or your domains are public domain names, you will have problems exactly like the ones you described (with the clients, can't say for sure if this happens from OPNsense itself). There's no way around that.

From my experience, it's an unrecommended design to override private domains, I personally never do. The right way to do it (IMO) is to query the DNS servers directly and configure correctly the forward lookups/root hints/DNS zones. The local DNS servers in question will also forward queries if they fail (for any reason) to resolve the query, ending up who knows where.

And there's the warning in OPNsense (attached image).
You don't understand me right.
I have about 25 different firewalls in different domain environments. And this behaviour is the same on every OPNsense firewall. Domain name doesn't matter.

Sent from my Pixel 2 XL using Tapatalk
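The DNS devolution behaviour described in the quoted post, and the point that a query the local zone does not answer gets forwarded on "who knows where", as an added example that is not code from this thread or from OPNsense/Unbound. It models how a Windows-style client expands an unqualified hostname into the ordered list of FQDNs it will actually send, and then shows which of those queries a resolver with a per-domain forward (the OPNsense "domain override") would send to the internal DNS server and which would escape to the upstream resolver. The suffixes, the forest name `branch.corp.example.com`, the override table and the devolution floor of two labels are constructed assumptions for the illustration; the "search list replaces devolution" and "names containing a dot are tried as-is first" rules follow the documented Windows resolver behaviour.

```python
"""
DNS devolution and query routing walk-through (added example, not from the thread).

Assumptions (not stated on the page):
  - the client uses the Windows rules: an unqualified single-label name gets the
    primary suffix and its devolved parents; a configured search list disables
    devolution; a name containing a dot is first queried as typed;
  - devolution never drops below `devolution_level` labels (default 2);
  - `overrides` maps a zone name to the server that a domain override forwards to;
    anything unmatched goes to "upstream" (the resolver's normal forwarders/root hints).
"""
from typing import Dict, List, Sequence


def is_qualified(name: str) -> bool:
    """Only a name with a trailing dot is treated as fully qualified by the client."""
    return name.endswith(".")


def devolution_chain(primary_suffix: str, devolution_level: int = 2) -> List[str]:
    """Suffixes tried in order: the primary suffix, then each parent down to the floor.

    The leftmost label is dropped one at a time; the walk stops once fewer than
    `devolution_level` labels remain, so "example.com" is tried but "com" is not.
    """
    labels = [lbl for lbl in primary_suffix.strip(".").split(".") if lbl]
    chain: List[str] = []
    while len(labels) >= devolution_level:
        chain.append(".".join(labels))
        labels = labels[1:]
    return chain


def lookup_candidates(name: str, primary_suffix: str,
                      search_list: Sequence[str] = (),
                      devolution_level: int = 2) -> List[str]:
    """Ordered list of names the client sends to its DNS server for `name`."""
    if is_qualified(name):
        return [name.rstrip(".")]
    # A configured search list replaces devolution entirely.
    if search_list:
        suffixes = [s.strip(".") for s in search_list]
    else:
        suffixes = devolution_chain(primary_suffix, devolution_level)
    suffixed = [f"{name}.{s}" for s in suffixes]
    # Multi-label unqualified names ("www.intranet") are tried as typed first.
    return ([name] + suffixed) if "." in name else suffixed


def route_query(fqdn: str, overrides: Dict[str, str]) -> str:
    """Where a resolver with per-domain overrides sends `fqdn`.

    Longest-suffix match wins; no match means the query leaves for the upstream
    resolver, which is how internal hostnames end up at public DNS servers.
    """
    best_zone = ""
    for zone in overrides:
        z = zone.strip(".")
        if fqdn == z or fqdn.endswith("." + z):
            if len(z) > len(best_zone):
                best_zone = z
    return overrides[best_zone] if best_zone else "upstream"


def walk_through(name: str, primary_suffix: str,
                 overrides: Dict[str, str]) -> List[str]:
    """Pair each candidate query with its destination, in the order the client tries them."""
    return [f"{fqdn} -> {route_query(fqdn, overrides)}"
            for fqdn in lookup_candidates(name, primary_suffix)]


if __name__ == "__main__":
    # Constructed values: a child-domain member asks for the bare name "fileserver",
    # and the resolver only forwards the AD zone corp.example.com to the DC.
    overrides = {"corp.example.com": "dc (10.0.0.10, constructed)"}
    for line in walk_through("fileserver", "branch.corp.example.com", overrides):
        print(line)
    # The last candidate, fileserver.example.com, is not covered by the override
    # and goes upstream: that is the leak the thread's "who knows where" refers to.
```

Running the block prints one line per candidate; the first two go to the DC, the third (`fileserver.example.com`) goes upstream, which is what makes a "domain-name independent" hostname impossible on such clients and why a mis-configured forward chain leaks internal names.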


You don't understand me either, I guess. What I'm trying to say is that you should not override local domains at all from OPNsense. So you are doing it wrong on all 25 firewalls. So it doesn't matter if OPNsense has some freak unbound bug regarding local domain overrides, as you should not use local domain overrides at all.
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

Quote from: elektroinside on February 11, 2018, 12:52:51 AM
You don't understand me either, I guess. What I'm trying to say is that you should not override local domains at all from OPNsense. So you are doing it wrong on all 25 firewalls. So it doesn't matter if OPNsense has some freak unbound bug regarding local domain overrides, as you should not use local domain overrides at all.
I did try it on 3 firewalls now for testing. I want to use the local override for single sign-on with local override, but I still want to use OPNsense for caching DNS. My DC redirects to OPNsense.

Sent from my Pixel 2 XL using Tapatalk