unbound and localhost
-
When I select All or Localhost + LAN I'm unable to query the DNS.
nslookup returns "Query refused". A rule or NAT issue?
-
Well, localhost is not going to be able to answer queries from your networks. You would have to listen on the interface your query is coming in on.
If you turned off automatic ACLs, or you're from a downstream network, you would have to allow for that - that would be why you would get refused. Refused means it saw your query, so it's listening on the interface you're talking to - but the ACLs don't allow your source IP.
-
>You would have to listen on the interface your query is coming in on.
The LAN interface is enabled, and all others are disabled. Based on your advice I checked "Disable Auto-added ACL".
I created an allow ACL.
And now it works. Great, thank you so much. But I would like to understand two things.
Why did I have to create my own ACL ?
Did I delete a default ACL by mistake?
Why can't "unbound" be associated with the LAN interface but only with All and/or Localhost?
I only have a LAN interface, so ALL means LAN?
-
Is your network downstream? The automatic ACLs only allow locally attached networks.
>Why can't "unbound" be associated with the LAN interface but only with All and/or Localhost?
Huh? It can be bound to any interfaces you want to listen on; as you saw in my screenshot, I have specific interfaces selected.
-
@gonn said in unbound and localhost:
>I only have a LAN interface, so ALL means LAN?
??
All means all interfaces. This is the perfect, secure and default situation that works out of the box:
Btw: with the Ctrl key you can select several interfaces if you do not want All for some reason.
-
Not sure I would call it "perfect" listening on interfaces that have no reason to listen. But it is the best solution to make sure it works out of the box ;) And it will work just fine for most users.
-
Exact, "Perfect" in a sense that it will make things work.
From this point, one can start breaking things down ^^
-
When I only select the LAN interface I get this message:
-
If pfSense is going to use localhost, then yes, you have to listen on it. Or pfSense would have no DNS.
-
I must select Localhost + whatever interfaces I want.
But I can't select only the LAN interface. It must be a requirement of unbound.
Why was I obliged to create my own ACL?
-
@gonn said in unbound and localhost:
>Why was I obliged to create my own ACL?
No idea - I do it on purpose for my needs.
You haven't stated what the source IP trying to query was; if it is downstream and not a locally attached network, then the automatic ACLs would not work.
-
Anyway... a great Merci :-)
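Added example, not configuration from the thread's posters or pfSense's generated file: the unbound.conf directives behind the GUI options discussed above (listening interfaces and access-control ACLs), showing why a downstream network needs a manual ACL and why everything else comes back as REFUSED. The addresses (LAN 192.168.1.1/24, downstream 10.20.0.0/24) are constructed assumptions.

```conf
# Constructed example; addresses are assumed, not taken from the thread.
server:
    # "Network Interfaces: Localhost + LAN" = the sockets unbound listens on.
    # Localhost is needed because pfSense itself resolves through 127.0.0.1,
    # which is why the GUI will not accept LAN alone.
    interface: 127.0.0.1
    interface: ::1
    interface: 192.168.1.1

    # Equivalent of the auto-added ACLs: only locally attached networks may query.
    # pfSense's "Disable Auto-added ACL" stops these lines from being generated.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.168.1.0/24 allow

    # A downstream network routed in via another device on the LAN is NOT
    # locally attached, so no auto-added ACL ever covers it; a custom allow
    # entry is the only way its clients get answers.
    access-control: 10.20.0.0/24 allow

    # Anything else is answered with rcode REFUSED, the "Query refused" that
    # nslookup reported: unbound heard the query on a listening interface but
    # the source IP matched no allow entry. This is also unbound's built-in
    # default for addresses not listed above.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
```

Checking the ACLs rather than the listening interfaces first saves time when troubleshooting: a REFUSED answer proves the listener is already correct.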