Fetch unbound config (whitelist domains) from central source
-
I am trying to create a system to keep multiple pfsense boxes synchronized. I have a secure server and have cron working with fetch to get the file from the central server. Cron is also issuing a restart to the unbound service after the fetch completes.
All of that I already have working, but my problem is that the GUI doesn't seem to recognize the change in the unbound.conf file and doesn't show the changes in the custom options section where I have domains that need to be whitelisted.
I am guessing that the pfsense gui maintains its own file that gets parsed and pushed into the unbound.conf.
How can I do this differently so that both sources are updated?
-
How are you whitelisting domains in the unbound.conf? Pretty familiar with unbound - there is no native whitelist/blacklist functionality ;)
Do you mean you're whitelisting them for caps-id for those that do not support 0x20?
caps-whitelist
Or you're doing something with setting some domains to transparent or local or redirect? Guess you could redirect for . to something and then set different domains to like transparent or something..
Yeah, doing anything direct with conf files is normally not going to go well with pfSense, since pretty much everything from a config standpoint is in the xml.. You would have to manually manipulate the xml with the info you want to be placed into some service that pfSense controls like unbound, etc.
You might have better luck, if you're wanting to do stuff like this, having your clients use some other DNS that is easier to manipulate directly.. Whitelist/blacklist - pi-hole comes to mind as an easy way to do that sort of thing. pfBlocker might be useful - not sure if it has a way to sync configs between pfSense boxes. But reach out to bcan; if it doesn't already have such a feature he might be up to adding such a feature, etc.
-
Or you're doing something with setting some domains to transparent or local or redirect? Guess you could redirect for . to something and then set different domains to like transparent or something..
What you mention here is what I'm doing. My configs at the sites are all different enough that I have to find a solution that allows me to manage the parts that are the same across all locations centrally. This one is the best target because it is also the one that changes the most frequently.
I've got about 25 sites so far and will be growing to 80+ sites that need this whitelist updated frequently.
I don't mind keeping a central version of the domains that I can then massage into the xml. A central copy of the entire unbound.conf file is very easy to understand and also to edit without borking it. Not sure that will be the case with the xml.
How would I get the system to see the changes after cron pulls in an updated xml and runs a tool to massage it in? I'm aware I would use sed in Linux, but I'm not sure I have those tools in pfSense.
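A worked example, added here and not code from the thread or from pfSense itself, of the approach the reply above describes (put the data into the xml that pfSense owns, not into unbound.conf) and of the question in this post (getting pfSense to actually see the change after cron pulls the file). It is a POSIX shell script meant to run from the same cron job as the fetch: it builds the "redirect everything, make the whitelisted domains transparent" block from a plain whitelist file, syntax-checks it, and installs it through pfSense's own PHP functions write_config() and services_unbound_configure(), which store the block base64-encoded in `<unbound><custom_options>` in config.xml and then regenerate unbound.conf and restart the daemon. Assumptions, not facts from the thread: the sinkhole address 192.0.2.1, the script name, the sample whitelist contents, and the pfSense 2.4-2.6 file layout (/etc/inc, global $config); `local-zone: "." redirect` plus per-domain `transparent` zones is the layout the earlier reply suggested.

```sh
#!/bin/sh
# Added example, not code from the thread or from pfSense. Turns a plain
# whitelist (one domain per line, fetched from the central server) into the
# Unbound "custom options" block and installs it through pfSense's own PHP
# functions so that config.xml, the GUI and the generated unbound.conf agree.
set -u

# ASSUMPTION: every name that is not whitelisted is redirected to this address.
SINKHOLE_IP="${SINKHOLE_IP:-192.0.2.1}"

# Emit the Unbound directives: "." redirects to the sinkhole, each whitelisted
# domain is made transparent so it resolves normally. Comments, blank lines,
# CRLF, upper case and a trailing dot in the input are tolerated; anything that
# is not a plain hostname is skipped with a warning instead of being written.
build_custom_options() {
    whitelist="$1"
    printf 'server:\n'
    printf 'local-zone: "." redirect\n'
    printf 'local-data: ". A %s"\n' "$SINKHOLE_IP"
    tr -d '\r' < "$whitelist" | tr 'A-Z' 'a-z' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/\.$//' \
      | grep -v '^#' | grep -v '^$' | sort -u \
      | while read -r dom; do
            case "$dom" in
                *[!a-z0-9.-]*|.*|*..*|-*)
                    echo "skipping invalid domain: $dom" >&2
                    continue ;;
            esac
            printf 'local-zone: "%s." transparent\n' "$dom"
        done
}

# Syntax-check the fragment before it goes anywhere near config.xml. pfSense
# ships unbound-checkconf; elsewhere the check is skipped with a warning.
check_fragment() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        echo "unbound-checkconf not found, skipping syntax check" >&2
    fi
}

# Install the fragment the way the GUI would: base64 it into
# <unbound><custom_options> via write_config(), then let
# services_unbound_configure() regenerate unbound.conf and restart Unbound.
# Going through PHP rather than sed matters because pfSense reads config.xml
# through a cache (/tmp/config.cache) that a hand edit does not invalidate.
# ASSUMPTION: pfSense 2.4-2.6 layout (/etc/inc, global $config).
apply_to_pfsense() {
    opts_file="$1"
    php_script=$(mktemp) || return 1
    cat > "$php_script" <<'EOF'
<?php
require_once("/etc/inc/globals.inc");
require_once("/etc/inc/config.inc");
require_once("/etc/inc/unbound.inc");
global $config;
$new = base64_encode(file_get_contents($argv[1]));
if (isset($config['unbound']['custom_options']) && $config['unbound']['custom_options'] === $new) {
    exit(0);   // unchanged: no config write, no Unbound restart
}
$config['unbound']['custom_options'] = $new;
write_config("Unbound whitelist synced from central server");
services_unbound_configure();
EOF
    /usr/local/bin/php -f "$php_script" -- "$opts_file"
    rc=$?
    rm -f "$php_script"
    return "$rc"
}

# Usage on the firewall, from cron right after the fetch (script name assumed):
#   sh sync_unbound_whitelist.sh apply /path/to/fetched/whitelist.txt
# Run with no arguments it only prints the block built from a constructed sample.
case "${1:-}" in
    apply)
        out=/tmp/unbound_whitelist.conf
        build_custom_options "$2" > "$out" && check_fragment "$out" && apply_to_pfsense "$out" ;;
    *)
        sample=$(mktemp)
        # constructed sample input, not real data
        printf 'Example.com\nexample.net.\n# comment\nbad_domain!\nexample.com\n' > "$sample"
        build_custom_options "$sample"
        rm -f "$sample" ;;
esac
```

Because services_unbound_configure() regenerates unbound.conf from config.xml and restarts the service itself, the separate `service unbound restart` in the cron job becomes unnecessary, and the GUI's custom options field shows the same block the daemon is running, since both now come from config.xml. The central file stays a plain domain list, which is the easy-to-edit format this post asks for; only the generated fragment ever touches the xml.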
-
Bump. Any idea on the above question (previous post)?
-
Yeah, the idea is to add XMLRPC sync to Unbound (syncing only the things you are interested in).
-
I apologize if I'm a little lost. Are you saying that is what I need to use?
Is this a tool that is already part of pfsense, or a package that I add, or a wish list item that is coming down the pipe?
-
XMLRPC yes. Unbound sync - no. Should be easy to get coded if you need it, using some of the packages as an example. E.g.:
https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid_sync.xml
https://github.com/pfsense/FreeBSD-ports/blob/devel/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc#L2168