Netgate Discussion Forum

    Per interface DNS Forwarder configuration

    Category: DHCP and DNS
    22 Posts, 4 Posters, 909 Views
      jimp (Rebel Alliance Developer, Netgate):

      That does not seem to be the case with unbound. It's smart enough to use the right data for local views. Remote hosts are probably from the cache but I haven't double checked that.

      In the Unbound advanced options:

      server:
      access-control-view: 10.6.0.1/32 viewa
      access-control-view: 10.6.0.10/32 viewb
      
      view:
      name: "viewa"
      local-zone: "example1.com." static
      local-data: "test1.example1.com. 90 IN A 1.1.1.1"
      
      view:
      name: "viewb"
      local-zone: "example1.com." static
      local-data: "test1.example1.com. 90 IN A 10.10.10.10"
      

      From 10.0.6.1:

      : host test1.example1.com 10.6.0.1
      Using domain server:
      Name: 10.6.0.1
      Address: 10.6.0.1#53
      Aliases: 
      
      test1.example1.com has address 1.1.1.1
      

      From 10.6.0.10:

      % host test1.example1.com 10.6.0.1
      Using domain server:
      Name: 10.6.0.1
      Address: 10.6.0.1#53
      Aliases: 
      
      test1.example1.com has address 10.10.10.10
      
      

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        johnpoz (LAYER 8 Global Moderator):

        That works yes - that is LOCAL data..

        local-zone: "example1.com." static
        local-data: "test1.example1.com. 90 IN A 1.1.1.1"

        But if you just forward view A to NS1, and forward view B to NS2... your cache of those records is shared.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          jimp (Rebel Alliance Developer, Netgate) replying to @johnpoz:

          @johnpoz said in Per interface DNS Forwarder configuration:

          That works yes - that is LOCAL data..

          Which is what OP wants.

          I need to configure different Host/Domain overrides based on OpenVPN interface.

            johnpoz (LAYER 8 Global Moderator):

            NO that is not what he wants..

            I need to configure different Host/Domain overrides based on OpenVPN interface.

            A domain override points to another NS...

            If all he has is local data on unbound, and does not point to another NS to resolve these sub1.domain.tld and sub2.domain.tld, then yes he is fine... He has clearly called out domain overrides, which are not local data. They are forwards to a different NS.

              jimp (Rebel Alliance Developer, Netgate) replying to @gvecchi:

              @gvecchi said in Per interface DNS Forwarder configuration:

              @jimp thanks for your info. Why are you calling the DNS Forwarder as "old"?

              Forgot to address this. The DNS Forwarder service (dnsmasq) used to be the default, but it's not the default any more. The DNS Resolver (unbound) is the current default and what we recommend everyone use. It's more secure, and has more flexibility/capability. We've considered removing the DNS Forwarder but it still has some features people like which are not in the DNS Resolver. Since the DNS Forwarder is no longer the default, it doesn't receive the same level of attention or development work the DNS Resolver does.

                jimp (Rebel Alliance Developer, Netgate) replying to @johnpoz:

                @johnpoz said in Per interface DNS Forwarder configuration:

                NO that is not what he wants..
                I need to configure different Host/Domain overrides based on OpenVPN interface.
                A domain override points to another NS...

                You're reading the words they wrote too literally. Based on their later replies they only want host overrides or to override responses for certain domains, not forwarding to other DNS servers.

                  johnpoz (LAYER 8 Global Moderator):

                  Sorry if I read what they wrote as they wrote it... He clearly lists both host and domain.

                  I have been clear that if the data is local its fine - but that is NOT what a domain override is.. Which he clearly stated he needed.

                    jimp (Rebel Alliance Developer, Netgate):

                    Their other reply:

                    I have an internal domain, let's say domain.tld, and several sub-domains, let's say sub1.domain.tld, sub2.domain.tld and sub3.domain.tld: the goal is that clients from OpenVPN connection #1 will be able to resolve each subdomain and clients from OpenVPN connection #2 will be able to resolve only sub1.domain.tld, while for domain.tld, sub2.domain.tld and sub3.domain.tld an empty response is expected.

                    Nowhere does it mention alternate DNS servers. Everything they mentioned was local data.

                      johnpoz (LAYER 8 Global Moderator):

                      Well then why did he call out domain overrides for??

                      If you're not doing domain overrides then yes this works fine.

                        jimp (Rebel Alliance Developer, Netgate):

                        Probably because they don't know the exact terminology. *shrug*

                          jimp (Rebel Alliance Developer, Netgate):

                          Also worth noting that unbound doesn't appear to support views for forward-zones, only local data: https://nlnetlabs.nl/documentation/unbound/unbound.conf/

                          I tried it just to see if it worked and it didn't respect the directives but it also didn't generate any errors.

                            johnpoz (LAYER 8 Global Moderator):

                            All true ;) I jumped on the Forwarder and domain overrides statements.

                            And correct, unbound does not balk at entries in the views for a forward.. Never validated whether it would actually use them or not ;)

                            The problem comes down to the same thing when you are in forwarder mode and forward to different NS.. Say one that filters and one that doesn't - because the cache is shared.. Which is why when you forward, you have to make sure the NS you forward to will return the data in the same way.. And have access to the same data set, be it the public internet DNS, or local internal DNS, or filtered or not filtered - they need to use the same filtering, etc.

                            Glad that is all sorted out ;)

                              gvecchi:
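johnpoz's point about the shared cache is easy to see in a toy model. The following Python is an added example, not code from the thread or from unbound: it models a forwarder that sends clients in two constructed subnets (10.8.1.0/24 and 10.8.2.0/24, assumed here) to two constructed upstreams, one unfiltered and one that filters sub2.domain.tld, in front of a single answer cache. The first client to ask primes the cache, and the next client from the other view gets that cached answer regardless of which upstream its view is supposed to use. The `per_view_cache` switch is purely a modelling device to show what a separate cache would change; it is not an unbound option.

```python
"""Toy model of a forwarding resolver with one shared answer cache.

Constructed example: the upstream answer sets, subnets and names below are
made up for illustration and do not describe any real server.
"""
import ipaddress

# Constructed upstream answer sets: ns1 is an unfiltered internal server,
# ns2 filters sub2.domain.tld (it simply has no answer for names under it).
UPSTREAMS = {
    "ns1": {"app.sub1.domain.tld.": ["10.0.1.10"], "db.sub2.domain.tld.": ["10.0.2.10"]},
    "ns2": {"app.sub1.domain.tld.": ["10.0.1.10"]},
}

# Hypothetical per-view forwarding: which upstream each client subnet is sent to.
VIEW_FORWARD = {"10.8.1.0/24": "ns1", "10.8.2.0/24": "ns2"}


def view_for(client_ip):
    """Map a client address to the upstream its view would forward to."""
    addr = ipaddress.ip_address(client_ip)
    for net, upstream in VIEW_FORWARD.items():
        if addr in ipaddress.ip_network(net):
            return upstream
    raise LookupError(f"no view for {client_ip}")


class Forwarder:
    def __init__(self, per_view_cache=False):
        # per_view_cache=False models the real situation: one cache for all views.
        self.per_view_cache = per_view_cache
        self.cache = {}
        # Log of (upstream, qname) pairs actually sent upstream, so a cache hit
        # (no upstream query) can be distinguished from a miss.
        self.upstream_queries = []

    def resolve(self, client_ip, qname):
        upstream = view_for(client_ip)
        key = (upstream, qname) if self.per_view_cache else qname
        if key in self.cache:
            return list(self.cache[key])  # served from cache, upstream not consulted
        self.upstream_queries.append((upstream, qname))
        answer = UPSTREAMS[upstream].get(qname, [])  # [] models an empty/NODATA reply
        self.cache[key] = answer
        return list(answer)


def demo(per_view_cache=False):
    """Unfiltered client asks first, filtered client asks the same name next."""
    fwd = Forwarder(per_view_cache)
    first = fwd.resolve("10.8.1.25", "db.sub2.domain.tld.")
    second = fwd.resolve("10.8.2.25", "db.sub2.domain.tld.")
    return first, second, fwd.upstream_queries


if __name__ == "__main__":
    for mode in (False, True):
        first, second, log = demo(mode)
        print(f"per_view_cache={mode}: vpn1 got {first}, vpn2 got {second}, upstream queries {log}")
```

With the shared cache the filtered client receives 10.0.2.10 without ns2 ever being asked, which is exactly the leak johnpoz describes; the only real fix with a shared cache is to make every upstream you forward to apply the same filtering, or to keep the differing data as local data in the view as jimp showed.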

                              Hi guys,

                              thanks for your interest in my question and I'm really sorry if I hadn't used the terminology in a correct way (also sorry for my bad English).
                              First of all, I'm running pfSense 2.4.2-RELEASE-p1.
                              As previously said, the goal is that clients from different OpenVPN connections will be able to resolve the internal root domain, subdomains and hosts, or part of them; currently, to achieve that goal (only on one OpenVPN connection, that's the reason for this post), I'm using DNS Forwarder and Host/Domain overrides in this way:

                              • DNS Query Forwarding - Query DNS servers sequentially -> flagged, in order to forward every query to internal DNS servers (they are all authoritative ones for internal domains/subdomains)
                              • for hosts and subdomains that clients are allowed to resolve, no override is configured
                              • for subdomains and their "children" hosts that clients are NOT allowed to resolve, Domain override is in place for subdomain only and destination ip is set to "!"
                              • for hosts that clients are allowed to resolve even when a domain override is in place for their "parent" subdomains, Host override is in place with local data (manually "mirroring" internal DNS data) -> this is a very special configuration and I'm going to configure it only for few hosts.

                              Why do I need this configuration? Because most of the OpenVPN clients are not "people" but "machines" and I need to ensure as little data exfiltration as possible in case of their compromise.

                              I can consider using DNS Resolver if the final scenario is not supported by DNS Forwarder or if it will do a better job.

                              Thanks again!

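For the policy gvecchi describes (one VPN population may resolve everything, another only sub1.domain.tld with empty answers elsewhere), the local-data view approach jimp showed can be generated from a small policy table rather than hand-edited. The following Python is an added example, not the thread's or pfSense's code; the view names, subnets, hostnames and addresses are constructed. Blocked zones become `local-zone: ... static` entries with no data, which unbound answers with nodata/nxdomain; allowed hosts are emitted as mirrored `local-data` records (the "mirroring internal DNS data" gvecchi mentions) because, as noted above, views do not forward. A host that must stay resolvable under a blocked parent zone is handled by the same mechanism: its `local-data` record sits inside the static zone and is answered, while everything else under that zone is empty.

```python
"""Render unbound view clauses from a per-VPN DNS visibility policy.

Constructed example: view names, subnets, hostnames and addresses are made up.
"""
import ipaddress

# Constructed policy table. Each view: the client subnet that selects it, the
# zones that must return an empty answer, and the hosts mirrored as local data.
POLICY = {
    "vpn1": {
        "subnet": "10.8.1.0/24",
        "block": [],
        "records": {
            "www.domain.tld.": "10.0.0.10",
            "app.sub1.domain.tld.": "10.0.1.10",
            "db.sub2.domain.tld.": "10.0.2.10",
            "nas.sub3.domain.tld.": "10.0.3.10",
        },
    },
    "vpn2": {
        "subnet": "10.8.2.0/24",
        # Blocking the apex as a static zone with no data empties domain.tld and
        # every subdomain; only the explicit records below are answered.
        "block": ["domain.tld."],
        "records": {"app.sub1.domain.tld.": "10.0.1.10"},
    },
}


def _fqdn(name):
    """Normalise to an absolute name with a trailing dot, as unbound expects."""
    name = name.strip().lower()
    if not name:
        raise ValueError("empty DNS name")
    return name if name.endswith(".") else name + "."


def render_unbound_views(policy, ttl=90):
    """Return unbound.conf text: access-control-view lines plus one view: clause per entry."""
    lines = ["server:"]
    for view, spec in policy.items():
        net = ipaddress.ip_network(spec["subnet"])  # raises on a malformed subnet
        lines.append(f"    access-control-view: {net} {view}")
    for view, spec in policy.items():
        lines += ["", "view:", f'    name: "{view}"']
        for zone in spec["block"]:
            # static with no matching local-data yields an empty (nodata/nxdomain) answer
            lines.append(f'    local-zone: "{_fqdn(zone)}" static')
        for name, ip in spec["records"].items():
            ipaddress.ip_address(ip)  # raises on a malformed address
            lines.append(f'    local-data: "{_fqdn(name)} {ttl} IN A {ip}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_unbound_views(POLICY))
```

The output is meant to be pasted into the DNS Resolver custom options box, as jimp's snippet was; note that the mirrored records have to be kept in step with the internal authoritative servers by hand or by whatever generates this table.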
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.