
Author Topic: Unbound NS/SOA records for private domains  (Read 8246 times)

eugenmayer

Unbound NS/SOA records for private domains
« on: June 03, 2018, 09:59:51 am »
I am using a public TLD for which I use the private-domain flag in unbound and also a domain override.

So let's assume it is company.com - I use the namespace <namespace>.company.com as an internal domain, so internal.company.com (domain override in unbound).

The problem now is that I am using a tool for ACME DNS-01 challenges which will do a DNS lookup on the default DNS server (OPNsense in this question), searching for an NS record (primary nameserver for company.com) like

Code:
dig mysub1.internal.company.com NS
during the challenge. If it finds an NS record, it will poll the primary server for a TXT record created during DNS-01; if it does not find an NS server it will fail.

Apparently with OPNsense + unbound + domain override the NS responses are all empty. I ask myself how I could potentially fix that.

So

Code:
dig mysub1.internal.company.com NS
and

Code:
dig internal.company.com NS
are empty, since the domain override is on internal.company.com

Code:
dig company.com NS
will return the problem primary NS (public server)

Any hints on how to solve this?

fabian

Re: Unbound NS/SOA records for private domains
« Reply #1 on: June 03, 2018, 10:17:27 am »
NS records can be created in an advanced configuration. The configuration looks like the one generated here in the code:
https://github.com/opnsense/core/pull/2097/files#diff-a89985242e1eea6a91d3e103e3353d5cR594

eugenmayer

Re: Unbound NS/SOA records for private domains
« Reply #2 on: July 17, 2018, 11:34:43 am »
Thank you @fabian. Not sure what you refer to in the commit... those things? https://github.com/opnsense/core/pull/2097/files#diff-a89985242e1eea6a91d3e103e3353d5cR584 Thanks

eugenmayer

Re: Unbound NS/SOA records for private domains
« Reply #3 on: July 17, 2018, 03:34:03 pm »
For anybody running into that, use "typetransparent" instead of "transparent" in unbound.

random1104

Re: Unbound NS/SOA records for private domains
« Reply #4 on: July 22, 2021, 07:07:27 pm »
Sorry for the necroposting, but it feels relevant to the original quest: is this possible today? I need SOA/NS records for the domain managed by the firewall, it's basically to emulate a "well behaved" authoritative DNS?

random1104

Re: Unbound NS/SOA records for private domains
« Reply #5 on: July 22, 2021, 09:56:02 pm »
For the record, this is the way: https://docs.opnsense.org/manual/unbound.html#advanced-configurations

If running CARP, configuration should be done on both nodes.

kd.gundermann

Re: Unbound NS/SOA records for private domains
« Reply #6 on: August 19, 2022, 04:13:26 pm »
I am having the same problem too, but neither switching to "typetransparent" in Unbound -> General
nor creating a template with
Code:
server:
  private-domain: intern.mydomain.de
  private-domain: video.mydomain.de
allows me to resolve SOA/NS records.

Reading the unbound docs:
Quote
private-domain: <domain name> Allow this domain, and all its subdomains to contain private addresses
I don't understand how this would enable/create SOA/NS records.

Am I missing something? How could I create SOA/NS records?

Maurice

Re: Unbound NS/SOA records for private domains
« Reply #7 on: August 19, 2022, 05:38:20 pm »
You have to create local-zone and local-data entries (see the unbound.conf man page). But please remember:

Quote
4. Non-Goals
  • An authoritative name server
  • Too many Features
https://www.nlnetlabs.nl/documentation/unbound/requirements/

Cheers
Maurice
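
A sketch of the local-zone / local-data approach mentioned in this reply, as an added example that is not from the thread, the OPNsense project or the Unbound authors. It reuses the internal.company.com name from the first post; the ns1 and hostmaster names, the 192.0.2.53 address and the SOA serial and timers are constructed placeholders.

```conf
# Added example: static SOA/NS answers for an internal zone in Unbound.
# ns1, hostmaster, 192.0.2.53 and the SOA values are constructed placeholders.
server:
  # From the thread: allow this domain and its subdomains to contain
  # private addresses. This does not create any records by itself.
  private-domain: "internal.company.com"

  # typetransparent: a query is answered from local-data only when both
  # the name and the type match; any other query is resolved normally
  # (here, through the domain override for internal.company.com).
  # With "transparent", a name that has local-data but not the queried
  # type is answered NOERROR/NODATA instead of being resolved.
  local-zone: "internal.company.com." typetransparent

  # Static apex records. Unbound serves these as-is; it does not become
  # an authoritative server (no zone transfers, no dynamic updates).
  local-data: "internal.company.com. 3600 IN SOA ns1.internal.company.com. hostmaster.internal.company.com. 2022081901 3600 900 604800 300"
  local-data: "internal.company.com. 3600 IN NS ns1.internal.company.com."

  # Address of the name server named above (placeholder address).
  local-data: "ns1.internal.company.com. 3600 IN A 192.0.2.53"
```

With this loaded, `dig internal.company.com NS` against the resolver should return the NS record. The host that record names has to be a server that really answers the DNS-01 TXT lookup, because Unbound only hands out these static records.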

kd.gundermann

Re: Unbound NS/SOA records for private domains
« Reply #8 on: August 19, 2022, 06:48:30 pm »
Hi Maurice,

Quote from: Maurice on August 19, 2022, 05:38:20 pm
4. Non-Goals
  • An authoritative name server

So what would you recommend? Installing os-bind as an authoritative name server on OPNsense?
Do you know of any documentation on how to configure bind together with unbound in OPNsense?

Thank you very much
Klaus

Maurice

Re: Unbound NS/SOA records for private domains
« Reply #9 on: August 20, 2022, 04:43:18 pm »
@kd.gundermann, depends on your use case. If you want an authoritative name server running on OPNsense itself, the BIND plugin is currently the go-to option. Or you run a name server on a separate machine (which is what I do).

There is some info about the BIND plugin in the official OPNsense docs, otherwise just search the forum.

Cheers
Maurice