Netgate Discussion Forum

    Serving different WPADs per subnet with Unbound

    Category: DHCP and DNS
    Tags: host overrides, unbound, wpad
    11 Posts, 3 Posters, 845 Views
    • Gertjan @JonathanLee

      @JonathanLee

      This : Wpad for two networks ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • JonathanLee @Gertjan

        @Gertjan yes, I have a 192.168.1.0/24 network on an interface and a separate OPT interface for 10.0.0.0. For each network I want to set up a host override that points to a different WPAD. Thanks for the reply.

        Something like this:

        # View for LAN (192.168.1.0/24)
        view:
            name: "lanview"
            view-first: yes
            match-clients: 192.168.1.0/24
            local-zone: "wpad.home.arpa." static
            local-data: "wpad.home.arpa. 3600 IN A 192.168.1.6"     # Active proxy WPAD
            local-data: "wpad.home.arpa. 3600 IN AAAA 2001:470:8052:a::6"
            local-data: "proxy.home.arpa. 3600 IN CNAME wpad.home.arpa."
            local-data: "wpad.local. 3600 IN CNAME wpad.home.arpa."
            local-data: "wpad.internal.local. 3600 IN CNAME wpad.home.arpa."
        
        # View for Guest (10.0.0.0/24)
        view:
            name: "guestview"
            view-first: yes
            match-clients: 10.0.0.0/24
            local-zone: "wpad.home.arpa." static
            local-data: "wpad.home.arpa. 3600 IN A 10.0.0.2"        # Dummy WPAD (direct connect)
            local-data: "wpad.local. 3600 IN CNAME wpad.home.arpa."
            local-data: "wpad.internal.local. 3600 IN CNAME wpad.home.arpa."
        
        # Default server options
        server:
            do-not-query-localhost: no
            private-domain: "home.arpa"
            private-domain: "local"
            private-domain: "internal.local"
            dns64-ignore-aaaa: ichnaea-web.netflix.com
            dns64-ignore-aaaa: logs.netflix.com
            dns64-ignore-aaaa: netflix.com
            dns64-ignore-aaaa: netflix.net
            dns64-ignore-aaaa: nflxext.com
            dns64-ignore-aaaa: nflxso.net
            dns64-ignore-aaaa: nflxvideo.net
            dns64-ignore-aaaa: www.netflix.com
            dns64-ignore-aaaa: google.com
            dns64-ignore-aaaa: googleapis.com
            dns64-ignore-aaaa: tubi.io
            dns64-ignore-aaaa: tubitv.com
            dns64-ignore-aaaa: tubi.video
            dns64-ignore-aaaa: youtube.com
            dns64-ignore-aaaa: www.youtube.com
            dns64-ignore-aaaa: googlevideo.com
        

        But it does not work; match-clients does not work:

        The following input errors were detected: The generated config file cannot be parsed by unbound. Please correct the following errors:
        /var/unbound/test/unbound.conf:128: error: unknown keyword 'match-clients'
        /var/unbound/test/unbound.conf:128: error: stray ':'
        /var/unbound/test/unbound.conf:128: error: unknown keyword '192.168.1.0/24'
        /var/unbound/test/unbound.conf:140: error: unknown keyword 'match-clients'
        /var/unbound/test/unbound.conf:140: error: stray ':'
        /var/unbound/test/unbound.conf:140: error: unknown keyword '10.0.0.0/24'
        read /var/unbound/test/unbound.conf failed: 6 errors in configuration file
        

        Make sure to upvote

        • johnpoz LAYER 8 Global Moderator @JonathanLee

          @JonathanLee said in Serving different WPADs per subnet with Unbound:

          match-clients: 192.168.1.0/24

          Where did you come up with that entry.. It has been quite some time since I have looked into doing views, and what might have changed with the newer versions of unbound that the latest versions of pfSense could be running - but I do not recall that option being part of them?

          match-clients is a Bind thing I believe - not an unbound option.. Did you try and get some AI nonsense chatbot to write the code for you? Those things are on drugs or something - they hallucinate shit all the time!!!

          I wouldn't ask them for the time of day, cause 9 out of 10 times they would get it wrong ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          • JonathanLee @johnpoz

            @johnpoz you got me, AI answer ...
            I changed the DHCP to a guest one and set the host entries for that, and it seems to work. Hahah, so my home.arpa is now the main, and guest.arpa is the guest with DHCP, but there has to be a way to lock it down per subnet in unbound, right?

            There are so many options in unbound that I could sit and read unbound's website for a month and still not find the option I need.

            • johnpoz LAYER 8 Global Moderator @JonathanLee

              @JonathanLee All of the info you needed, with examples, is in the thread that @Gertjan pointed to.. I went into great detail helping that poster..

              And you don't need to read their full manual - just look at

              https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/tags-views.html

              • Gertjan @JonathanLee

                @JonathanLee said in Serving different WPADs per subnet with Unbound:

                There are so many options in unbound that I could sit and read unbound's website for a month and still not find the option I need.

                Lol, no way.
                Netgate decided (imho) to use unbound for 3 reasons:
                dnsmasq (a simple, "featherweight" forwarder, and still present) was disabled, as 'dumb' forwarding to your ISP's DNS is something of the past.
                unbound is a "lightweight" resolver, which means pfSense (so you!) can now tap into the official DNS as it was designed last century.
                Because it's a resolver, it can do DNSSEC.

                The config file, typically one file, /var/unbound/unbound.conf, isn't that hard to understand.
                Read this (your!) file, get every line, and look up every 'command' in the manual: https://nlnetlabs.nl/documentation/unbound/unbound.conf/
                I didn't print this file, but I guess it's 10 pages or so.
                Of course, there are more options mentioned, as 'people' always want that "extra thing". Open source solutions always tend to become bloated.
                One of the reasons ISC decided to rewrite the world's most famous DHCP server was because too much was added all over the place over the last 2, 3 decades, and for this very reason they decided to re-create a DHCP server from scratch: it's called "kea".

                Compare this one file with the help documentation of bind.
                bind is ..... bigger than huge, and that's one of the reasons Netgate didn't use bind instead of unbound.
                bind can do way more ... read, for example, this.
                The thing is, all these config files are normally created by you, the admin, with a text editor, one by one, the old school way of doing things.
                pfSense is GUI based, so the GUI would have to maintain all these files for you.
                Writing a GUI that is easy to understand (for those who don't know sh*t about DNS) is, even today, in 2025, mission impossible.
                Like a GUI front end for server applications such as apache2, nginx, postfix, mariadb, and the worst of them all (imho) radius: it can't and shouldn't be done.

                • JonathanLee

                  This is what worked for me. I had issues with what went where; it took a couple of tries. I have both working now. The dns64 lines are for Netflix not liking the HE IPv6 tunnel.

                  #======================
                  # Server-wide settings
                  #======================
                  server:
                      do-not-query-localhost: no
                      # private-domain takes one domain per line; it allows that domain
                      # and its subdomains to resolve to private (RFC 1918) addresses
                      private-domain: "home.arpa"
                      private-domain: "local"
                      private-domain: "internal.local"
                      private-domain: "guest.arpa"
                  
                      # DNS64 exceptions: ignore these domains' real AAAA records and
                      # synthesise from the A record instead (Netflix vs. the HE tunnel)
                      dns64-ignore-aaaa: ichnaea-web.netflix.com
                      dns64-ignore-aaaa: logs.netflix.com
                      dns64-ignore-aaaa: netflix.com
                      dns64-ignore-aaaa: netflix.net
                      dns64-ignore-aaaa: nflxext.com
                      dns64-ignore-aaaa: nflxso.net
                      dns64-ignore-aaaa: nflxvideo.net
                      dns64-ignore-aaaa: www.netflix.com
                      dns64-ignore-aaaa: google.com
                      dns64-ignore-aaaa: googleapis.com
                      dns64-ignore-aaaa: tubi.io
                      dns64-ignore-aaaa: tubitv.com
                      dns64-ignore-aaaa: tubi.video
                      dns64-ignore-aaaa: youtube.com
                      dns64-ignore-aaaa: www.youtube.com
                      dns64-ignore-aaaa: googlevideo.com
                  
                      # Map clients to views (the longest matching prefix wins)
                      access-control-view: 192.168.1.0/24 lanview
                      access-control-view: 10.0.0.0/24 guestview
                  
                  #======================
                  # WPAD views
                  #======================
                  
                  # LAN WPAD
                  view:
                      name: "lanview"
                      # add "view-first: yes" if clients in this view should also
                      # see the global local-data (the pfSense host overrides)
                      local-zone: "wpad.home.arpa." static
                      local-data: "wpad.home.arpa. 3600 IN A 192.168.1.6"
                      local-data: "LEE_pfSense.home.arpa. 3600 IN A 192.168.1.2"
                      local-data: "lee_family.home.arpa. 3600 IN A 192.168.1.1"
                  
                  # Guest WPAD
                  view:
                      name: "guestview"
                      local-zone: "wpad.guest.arpa." static
                      local-data: "wpad.guest.arpa. 3600 IN A 10.0.0.2"
                  

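The per-subnet behaviour of the working config above (and of the tags-views document johnpoz linked) can be checked offline with this added example, which is not code from this thread, from pfSense or from unbound: it parses a constructed unbound.conf fragment modelled on the posted one, picks the view by longest-prefix access-control-view match, and returns the local-data answer each client would get. The nas.home.arpa record is a made-up global host override, there only to show what view-first does.

```python
import ipaddress
import shlex
# Constructed sample modelled on the working config in this thread (not the poster's file).
CONF = """
server:
    access-control-view: 192.168.1.0/24 lanview
    access-control-view: 10.0.0.0/24 guestview
    local-data: "nas.home.arpa. 3600 IN A 192.168.1.9"
view:
    name: "lanview"
    view-first: yes
    local-zone: "wpad.home.arpa." static
    local-data: "wpad.home.arpa. 3600 IN A 192.168.1.6"
view:
    name: "guestview"
    local-zone: "wpad.guest.arpa." static
    local-data: "wpad.guest.arpa. 3600 IN A 10.0.0.2"
"""

def parse_conf(text):
    """Map 'server' and each view name to its ACL entries, view-first flag and local-data."""
    conf, sec = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line in ("server:", "view:"):
            sec = {"first": False, "acl": [], "data": {}}
            if line == "server:":
                conf["server"] = sec
        elif line:
            key, _, val = line.partition(":")
            args = shlex.split(val)  # drops the double quotes unbound.conf uses
            if key == "name":
                conf[args[0]] = sec
            elif key == "view-first":
                sec["first"] = args[0] == "yes"
            elif key == "access-control-view":
                sec["acl"].append((ipaddress.ip_network(args[0]), args[1]))
            elif key == "local-data":  # local-zone types (static etc.) are not modelled
                owner, _ttl, _cls, rtype, rdata = args[0].split()
                sec["data"][(owner, rtype)] = rdata
    return conf

def answer(conf, client_ip, qname, rtype="A"):
    """Local-data rdata this client would get, or None (unbound would recurse or refuse)."""
    ip, qname = ipaddress.ip_address(client_ip), qname.rstrip(".") + "."
    hits = [(net.prefixlen, name) for net, name in conf["server"]["acl"] if ip in net]
    view = conf[max(hits)[1]] if hits else None  # longest prefix wins, as for unbound ACLs
    # only view-first: yes lets a view fall back to the global (pfSense host override) data
    chain = ([view] if view else []) + ([conf["server"]] if view is None or view["first"] else [])
    return next((sec["data"][(qname, rtype)] for sec in chain if (qname, rtype) in sec["data"]), None)
```

A guest client asking for wpad.home.arpa gets nothing from local data, and without view-first: yes a view also never sees the global host overrides pfSense writes into the server: clause.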
                  • johnpoz LAYER 8 Global Moderator @JonathanLee

                    @JonathanLee guest.arpa - it really should be guest.home.arpa. .arpa was not set as a special use tld.. The domain home.arpa was.

                    If you want to use any domain name you want with a tld, then use the special use tld .internal

                    I don't think it's been fully approved as of yet, but I believe an RFC has been submitted.. But guest.arpa for sure is not a special use domain.

                    • JonathanLee @johnpoz

                      @johnpoz said in Serving different WPADs per subnet with Unbound:

                      guest.arpa - it really should be guest.home.arpa. .arpa was not set as a special use tld.. The domain home.arpa was.

                      If you want to use any domain name you want with a tld, then use the special use tld .internal

                      I don't think it's been fully approved as of yet, but I believe an RFC has been submitted.. But guest.arpa for sure is not a special use domain.

                      Thanks for the reply, fixed it to guest.home.arpa.

                      • Gertjan @JonathanLee

                        @JonathanLee said in Serving different WPADs per subnet with Unbound:

                        for Netflix not liking the HE ipv6 tunnel

                        That was also solved with the help of pfBlockerNG:

                        [screenshot attachment omitted]

                        and enter all the domain names you don't want to be resolved as AAAA, only A.
                        In my he.net days, this worked very well.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.