    Unbound, Domain override - non recursive query

    • Vetal

      I have a few pfSense based nets linked via OpenVPN

      [Site_A] => [OpenVPN on VPS] <= [Site_B]

      Though there are more sites connected as spokes of the wheel.

      What I had before is each Site had a domain override, leading to other pfSense box DNS:

      Site_A DomainOverride: [Domain_B:IP_of_B], [Domain_C:IP_of_C] …
      In human language, "for Domain B go to Site B", ... where each site is a pfSense box with Unbound DNS.

      That worked

      Now I decided to install Unbound DNS on the central server, where OpenVPN resides. So, all overrides refer to the VPN IP with Unbound (Ubuntu) listening on it.
      I.e., everybody requests DNS on the VPN, which further refers to the proper Authoritative DNS.

      Problem is, Unbound in pfSense handles DomainOverride with a stub-zone, which expects an Authoritative DNS on the zone override IP.

      Basically, if I go to machine A, sitting behind pfSense A and ask host_B, behind pfSense B, it won't be allowed by central VPN DNS (Unbound) unless two things:

      1. I have ACL for pfSense_A VPN IP as "allow_snoop"
      2. Site B info about this host is still in the cache on central DNS

      So Domain Override won't go recursive

      If I just do on A:
      nslookup host_b.domain_b ip_of_vpn_server

      it works fine, since call is recursive

      Is there a way to tell Unbound on pfSense to do a recursive call instead? Or handle it somehow on the central Unbound (Ubuntu)?
      I am rather new to Unbound. Tried to place a forward zone to "Advanced" section of pfSense like

      forward-zone:
              name: "site_B"
              forward-addr: <ip_of_vpn_server>

      Didn't help.

      I need this central DNS schema for 2 reasons:

      1. To provide DNS for the whole private net in case of a road warrior (no pfSense). OpenVPN just pushes <ip_of_vpn_server> and a domain search list for every internal domain
      2. Centralized DNS management

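The behaviour described in the post comes down to one bit in the DNS header. A forward-zone sends queries with the RD (recursion desired) flag set; a stub-zone (which is what a pfSense Domain Override becomes) sends iterative queries with RD cleared, because it assumes the target is authoritative. Unbound's access-control "allow" action accepts only recursive queries, while "allow_snoop" also accepts non-recursive ones, which is why the central resolver needed allow_snoop plus a warm cache. The following is an added example, not code from the post: it builds both query forms on the wire, decodes them, and models that ACL decision. The host name is a constructed sample, and acl_decision is a small model of the documented Unbound actions, not Unbound's code.

```python
import struct

# Constructed sample name, not from the thread: a host behind "site B".
SAMPLE_QNAME = "host-b.site-b.internal"


def encode_qname(qname: str) -> bytes:
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {qname!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(packet: bytes, offset: int = 12) -> str:
    """Decode the uncompressed QNAME that starts at offset (12 = right after the header)."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def build_query(qname: str, recursion_desired: bool, txid: int = 0x1234) -> bytes:
    """Minimal A/IN query. recursion_desired=True is what a forward-zone sends;
    False is the iterative query a stub-zone sends to an (assumed) authoritative server."""
    flags = 0x0100 if recursion_desired else 0x0000      # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_qname(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(packet: bytes) -> dict:
    """Pull the fields that matter for an ACL decision out of the 12-byte header."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 0 = query, 1 = response
        "rd": bool(flags & 0x0100),      # recursion desired
        "ra": bool(flags & 0x0080),      # recursion available (responses)
        "rcode": flags & 0x000F,
        "qdcount": qd,
    }


def acl_decision(action: str, packet: bytes) -> bool:
    """Model (assumption: simplified from the unbound.conf man page) of access-control
    actions: 'allow' permits recursive queries only, 'allow_snoop' also permits
    non-recursive (cache-snooping) queries, 'refuse'/'deny' permit nothing."""
    rd = parse_header(packet)["rd"]
    if action == "allow_snoop":
        return True
    if action == "allow":
        return rd
    if action in ("refuse", "deny"):
        return False
    raise ValueError(f"unknown access-control action {action!r}")


if __name__ == "__main__":
    for rd in (True, False):
        q = build_query(SAMPLE_QNAME, rd)
        kind = "recursive" if rd else "non-recursive"
        print(f"{kind:14s} {decode_qname(q)}  allow={acl_decision('allow', q)}  "
              f"allow_snoop={acl_decision('allow_snoop', q)}")
```

Running it shows that the non-recursive (stub-zone style) query is rejected under "allow" and accepted only under "allow_snoop", which is the reason to prefer a forward-zone on the pfSense side over widening the ACL on the central resolver.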
      • Vetal

        Just got enlightened while posting and added the private/insecure part like:

        server:
                private-domain: "site_B_domain"
                domain-insecure: "site_B_domain"

        forward-zone:
                name: "site_B_domain"
                forward-addr: <central_vpn_ip>
        

        And it worked.

        Though, is it right way of doing things?

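Since the second reason for the central resolver was centralized management, here is an added example (not from the thread or from Netgate) that generates both halves of that layout from one site list: the central Ubuntu Unbound config, which only answers the VPN prefix with a plain "allow" (no allow_snoop, because the pfSense boxes now send recursive queries) and reaches each site through a stub-zone, and the per-site pfSense custom-options snippet with the private-domain and domain-insecure lines the post settled on. private-domain keeps RFC 1918 answers from being dropped by rebinding protection, and domain-insecure stops DNSSEC validation from marking the unsigned internal zones bogus. The site names and addresses are constructed samples, and the assumption that each pfSense Unbound answers its own zone to non-recursive queries is the same one the original Domain Override setup relied on.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology, not from the thread.
SITES = {
    "site-a.internal": "10.8.0.2",   # pfSense A, address on the VPN
    "site-b.internal": "10.8.0.3",   # pfSense B, address on the VPN
}
VPN_NET = "10.8.0.0/24"
CENTRAL_IP = "10.8.0.1"              # central Ubuntu Unbound on the VPN


def _quoted(domain: str) -> str:
    return f'"{domain.rstrip(".")}"'


def central_unbound_conf(sites: dict, vpn_net: str, listen_ip: str) -> str:
    """Central Unbound: serve the VPN prefix only, recursive queries only ('allow'),
    and delegate each site's zone to that site's pfSense with a stub-zone."""
    net = ip_network(vpn_net)        # raises ValueError on a malformed prefix
    ip_address(listen_ip)
    lines = [
        "server:",
        f"    interface: {listen_ip}",
        f"    access-control: {net} allow",          # recursive from VPN clients
        "    access-control: 0.0.0.0/0 refuse",      # everything else gets REFUSED
    ]
    for domain in sites:
        lines.append(f"    private-domain: {_quoted(domain)}")   # keep RFC1918 answers
        lines.append(f"    domain-insecure: {_quoted(domain)}")  # unsigned internal zone
    for domain, ip in sites.items():
        ip_address(ip)
        lines += ["", "stub-zone:", f"    name: {_quoted(domain)}", f"    stub-addr: {ip}"]
    return "\n".join(lines) + "\n"


def site_unbound_conf(own_domain: str, sites: dict, central_ip: str) -> str:
    """pfSense custom-options snippet for one site: forward every other site's domain
    to the central resolver with a forward-zone (recursive, so 'allow' suffices there)."""
    ip_address(central_ip)
    others = [d for d in sites if d != own_domain]
    lines = ["server:"]
    for domain in others:
        lines.append(f"    private-domain: {_quoted(domain)}")
        lines.append(f"    domain-insecure: {_quoted(domain)}")
    for domain in others:
        lines += ["", "forward-zone:", f"    name: {_quoted(domain)}",
                  f"    forward-addr: {central_ip}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("# central server\n" + central_unbound_conf(SITES, VPN_NET, CENTRAL_IP))
    for site in SITES:
        print(f"# pfSense at {site}\n" + site_unbound_conf(site, SITES, CENTRAL_IP))
```

The central config deliberately never emits allow_snoop: with the pfSense side on forward-zones every query arriving over the VPN carries RD, so the narrower action is enough, and the 0.0.0.0/0 refuse line keeps the resolver from answering anything that is not on the VPN prefix.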
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.