Wildcard host override with DNS Resolver (unbound)
-
Hi everyone!
How can I set up dns host overrides with wildcards using the default DNS Resolver (unbound)?
I've tried the advanced settings for the old DNS Forwarder (dnsmasq), mentioned here:
https://forum.pfsense.org/index.php?topic=43835.0
This does not seem to work - nothing gets resolved anymore at all. And setting up a specific host override for abc.com (leaving host blank) will not override www.abc.com or 123.abc.com.
Any ideas except for turning off DNS Resolver and using DNS Forwarder instead?
By the way: Where does pfSense store its unbound config so I can try editing it on the shell and figure out wildcards there?
Thanks everyone!
Dan
-
redirect: The query is answered from the local data for the zone name. There may be no local data beneath the zone name. This answers queries for the zone, and all subdomains of the zone with the local data for the zone. It can be used to redirect a domain to return a different address record to the end user, with local-zone: "example.com." redirect and local-data: "example.com. A 127.0.0.1" queries for www.example.com and www.foo.example.com are redirected, so that users with web browsers cannot access sites with suffix example.com.
So, you can try something like this in advanced config:
server:
    local-zone: "abc.com" redirect
    local-data: "abc.com 3600 IN A 192.0.2.1"
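Added example (not from this thread, pfSense or unbound itself): a small Python simulation of the documented redirect local-zone behaviour, so you can check which query names a given set of zones will answer before pasting anything into the DNS Resolver custom options box. It also renders the server: snippet for several domains at once. The zone names, addresses and query names are constructed sample values; the nested-zone case generalises the thread's single zone and relies on unbound answering from the closest enclosing local-zone.

```python
"""Simulate unbound's 'local-zone: ... redirect' matching and render the
pfSense DNS Resolver custom-options snippet for a set of domains.
Added example; zones/addresses below are constructed, not from the thread."""

from typing import Dict, List, Optional


def _labels(name: str) -> List[str]:
    # Normalise a DNS name: case-insensitive, trailing dot optional.
    return name.rstrip(".").lower().split(".")


def match_redirect_zone(zones: Dict[str, str], qname: str) -> Optional[str]:
    """Return the A record a redirect local-zone would hand back for qname,
    or None if no configured zone covers it.

    Mirrors the documented behaviour: the zone apex and every name beneath it
    get the zone's local-data. Matching is done on whole labels, so
    'evilabc.com' does not match 'abc.com'. When zones nest, the most specific
    (longest) enclosing zone wins, as unbound does."""
    q = _labels(qname)
    best_zone: Optional[str] = None
    best_len = -1
    for zone in zones:
        z = _labels(zone)
        if len(z) <= len(q) and q[-len(z):] == z and len(z) > best_len:
            best_zone, best_len = zone, len(z)
    return zones[best_zone] if best_zone is not None else None


def render_custom_options(zones: Dict[str, str], ttl: int = 3600) -> str:
    """Render the 'server:' clause for the DNS Resolver custom options box,
    one redirect zone plus its A record per domain (fully qualified names)."""
    lines = ["server:"]
    for zone, addr in sorted(zones.items()):
        z = zone.rstrip(".")
        lines.append(f'    local-zone: "{z}." redirect')
        lines.append(f'    local-data: "{z}. {ttl} IN A {addr}"')
    return "\n".join(lines)


# Constructed sample: the thread's zone plus a nested one to show precedence.
SAMPLE_ZONES = {
    "abc.com": "192.0.2.1",
    "api.abc.com": "192.0.2.2",
}

if __name__ == "__main__":
    print(render_custom_options(SAMPLE_ZONES))
    for name in ("abc.com", "www.abc.com", "other.something.www.abc.com",
                 "api.abc.com", "v2.api.abc.com", "evilabc.com", "example.net"):
        print(f"{name:32} -> {match_redirect_zone(SAMPLE_ZONES, name)}")
```

The whole-label check is the part worth keeping in mind when using this for split DNS: a redirect zone for abc.com catches every name under it, but nothing that merely ends in the string "abc.com", and a more specific zone underneath it (api.abc.com here) takes over for its own subtree.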
-
So per dok instructions.. there you go
root@ubuntu:~$ dig abc.com +short
192.0.2.1
root@ubuntu:~$ dig www.abc.com +short
192.0.2.1
root@ubuntu:~$ dig something.www.abc.com +short
192.0.2.1
root@ubuntu:~$ dig other.something.www.abc.com +short
192.0.2.1
root@ubuntu:~$
Looks like wildcard to me.
Removed and back to normal
root@ubuntu:~$ dig abc.com +short
199.181.132.250
root@ubuntu:~$ dig www.abc.com +short
abc.com.
199.181.132.250
root@ubuntu:~$
-
Well, thanks for testing that (and no thanks to the OP for not even bothering to post a beep… >:() Perhaps someone might update the locked sticky so that it accounts for unbound as well?
-
Thank you so much guys for figuring this out and testing it.
I'm truly sorry for not answering sooner!
Best regards!
-
nevermind.
I was asking what the IN was, I found out. The optional Class option.
-
@doktornotor Thank you, this was very helpful!
My OpenVPN clients couldn't reach my nginx reverse proxy despite the general NAT reflection policy (System > Advanced > Firewall & NAT), which worked just fine from the LAN.
So I was just about to follow the officially recommended split DNS way and enter a bunch of host overrides in Services > DNS Resolver, when I found your wonderfully elegant solution!