Unbound Problems

Started by AndyX90, February 10, 2018, 09:05:38 AM

February 10, 2018, 09:05:38 AM Last Edit: February 10, 2018, 09:08:07 AM by AndyX90
Hey guys,

I have strange problems with Unbound and domain overrides.
I have configured a local domain override with xxx.local pointing to my domain controller and a reverse override also pointing to my domain controller.
If I check the resolution via Interfaces - Diagnostics - DNS Lookup it resolves the IP only on each 3rd or 4th try.
Attached some screens.
EDIT: I read somewhere that Unbound could have problems with domains named *.local?

Thanks for help!

Try entering the following in Custom options in the Unbound settings:

server:
domain-insecure: "yourdomain.local"

I did that, but the same behaviour.
If I click DNS Lookup it resolves, but if I do it 5 times, it resolves 3 or 4 correctly and the rest not.
So it's a ~50% chance...

You could also try restricting Outgoing network interfaces to LAN only.

That would not be my preference. I want to use Unbound as the DNS resolver for internet requests too.

When I look deeper I have a similar problem.
I also have a domain override for a .local domain. DNS lookup never fails when I do it from a connected PC or Linux client. However, when I test from the console on one of my OPNsense boxes I also get intermittent failures.

drill host.mydomain.local                -> fails 25-75% of tries
drill @192.168.16.1 host.mydomain.local  -> works every time
drill ikea.com                           -> works every time

Something odd is going on.
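To put numbers on the intermittent failures in the post above, here is an added example (not code from this thread or from OPNsense) that repeats a lookup and counts the misses. It assumes the ldns drill tool is installed, as on OPNsense, and reuses the host name and server address 192.168.16.1 from the post as placeholders.

```shell
# Added example (not from the thread): repeat a lookup and count misses so the
# "works 3 out of 4 times" symptom can be measured instead of eyeballed.
# Assumes ldns `drill` is installed (it ships with OPNsense); set DRILL to
# another command to use a different tool or a stub.
DRILL=${DRILL:-drill}

# lookup_ok NAME [SERVER]: succeed only if drill reports NOERROR and the
# answer section contains an A record. SERVFAIL, a timeout and an empty
# NOERROR answer all count as failures.
lookup_ok() {
    name=$1; server=$2
    if [ -n "$server" ]; then
        out=$("$DRILL" "@$server" "$name" A 2>/dev/null)
    else
        out=$("$DRILL" "$name" A 2>/dev/null)
    fi
    printf '%s\n' "$out" | grep -q 'rcode: NOERROR' &&
    printf '%s\n' "$out" | awk '
        /ANSWER SECTION/   { inans = 1; next }   # start of answer records
        /^;;/              { inans = 0 }         # next section header
        inans && $4 == "A" { found = 1 }         # name ttl IN A addr
        END { exit !found }'
}

# failure_rate NAME COUNT [SERVER]: run COUNT lookups, print "failures/COUNT".
failure_rate() {
    name=$1; count=$2; server=$3; fails=0; i=0
    while [ "$i" -lt "$count" ]; do
        lookup_ok "$name" "$server" || fails=$((fails + 1))
        i=$((i + 1))
    done
    printf '%s/%s\n' "$fails" "$count"
}

# Usage on the OPNsense console, mirroring the three checks in the post:
#   failure_rate host.mydomain.local 20                 # via Unbound
#   failure_rate host.mydomain.local 20 192.168.16.1    # straight to the DC
#   failure_rate ikea.com 20                            # a public name
# A non-zero rate only on the first line points at the override path inside
# Unbound rather than at the DC itself.
```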

February 10, 2018, 05:21:12 PM #6 Last Edit: February 10, 2018, 05:23:21 PM by AndyX90
Yeah, I have multiple machines and the problem occurs on each of them..

Btw. my other domains don't end with .local.

Sent from my Pixel 2 XL using Tapatalk

Why don't you configure your DHCP clients (from the OPNsense DHCP server, assuming that's what you are using) to use the domain DNS server, and the DNS server on the DC (or wherever it is) to forward queries to OPNsense?
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

What about configuring dnsmasq to forward the AD domain to the DC?

Sent from my Mi-4c using Tapatalk


Quote from: elektroinside on February 10, 2018, 05:40:09 PM
Why don't you configure your DHCP clients (from the OPNsense DHCP server, assuming that's what you are using) to use the domain DNS server, and the DNS server on the DC (or wherever it is) to forward queries to OPNsense?
I want the Firewall itself to resolve my internal stuff..
My DC is DHCP and DNS Server.

Sent from my Pixel 2 XL using Tapatalk

Quote from: AndyX90 on February 10, 2018, 06:10:14 PM
I want the Firewall itself to resolve my internal stuff..
My DC is DHCP and DNS Server.

Sent from my Pixel 2 XL using Tapatalk

Did you configure the same domain in OPNsense?



Quote from: elektroinside on February 10, 2018, 06:32:00 PM
Quote from: AndyX90 on February 10, 2018, 06:10:14 PM
I want the Firewall itself to resolve my internal stuff..
My DC is DHCP and DNS Server.

Sent from my Pixel 2 XL using Tapatalk

Did you configure the same domain in OPNsense?

Yes.

Sent from my Pixel 2 XL using Tapatalk


February 10, 2018, 06:58:35 PM #12 Last Edit: February 10, 2018, 07:01:54 PM by elektroinside
Strange.. I don't have a .local domain (I have another one), and initially I had your setup (which worked perfectly), then I switched to the one I mentioned in my previous comment (also works perfectly, and I actually threw in a Pi-hole as well as an added bonus)... I'm highly dependent on a good DNS chain as I use (and enforce) smart card authentication. It never failed on me.. Sorry to hear you are having problems.

It is domain-name independent. For example, on other machines I have domains named *.lan or *.localdomain and the behaviour is the same :-/

Sent from my Pixel 2 XL using Tapatalk


February 10, 2018, 09:21:57 PM #14 Last Edit: February 10, 2018, 09:36:31 PM by elektroinside
Windows clients append the domain suffix to hostnames, even if unqualified names are used (this is a feature called DNS devolution). So there are no "domain-name independent" names. Try nslookup from a client.
macOS clients hate .local domains.

If you don't have a DNS server that resolves the FQDN, or if you have multiple DNS servers and you did not configure the chain properly (forward lookups/DNS zones/root hints), or your domains are public domain names, you will have problems exactly as the ones you described (with the clients, can't say for sure if this happens from OPNsense itself). There's no way around that.

From my experience, it's an unrecommended design to override private domains; I personally never do. The right way to do it (IMO) is to query the DNS servers directly and correctly configure the forward lookups/root hints/DNS zones. The local DNS servers in question will also forward queries if they fail (for any reason) to resolve the query, ending up who knows where.

And there's the warning in OPNsense (attached image).