unbound and localhost



  • I am going crazy, can somebody help me?

    With the Forwarder service enabled I can request the pfSense DNS from my LAN PC.
    If I disable Forwarder and enable the more modern Resolver I become unable to request the DNS.

    That's because Resolver obliged me to select localhost as the LAN interface.

    How can I select the LAN interface inside the Resolver or declare the localhost as the LAN interface?

    The option is to use the Forwarder instead of the Resolver.

    Olivier


  • LAYER 8 Global Moderator

    Huh?

    If it were a snake it would have bitten you; out of the box it listens on all interfaces.

    interface.jpg



  • When I select All or Localhost + LAN I'm unable to query the DNS.
    nslookup returns "Query refused".

    A rule or NAT issue?


  • LAYER 8 Global Moderator

    Well localhost is not going to be able to answer queries from your networks. You would have to listen on the interface your query is coming in on.

    If you turned off automatic ACLs, or you're from a downstream network, you would have to allow for that - that would be why you would get refused. Refused means it saw your query, so it's listening on the interface you're talking to, too - but the ACLs don't allow your source IP.

    acls.jpg



  • >You would have to listen on the interface your query is coming in on.
    LAN interface is enabled, and all others are disabled.

    Based on your advice I checked “Disable Auto-added ACL”
    I created an allow ACL.
    And now it works. Great, thank you so much.

    But I would like to understand two things.

    Why did I have to create my own ACL?
    Did I delete a default ACL by mistake?

    Why can't "unbound" be associated with the LAN interface but only with All and/or Localhost?
    I only have a LAN interface, so ALL means LAN?


  • LAYER 8 Global Moderator

    Is your network downstream? The automatic ACLs only allow locally attached networks.

    Why can't "unbound" be associated with the LAN interface but only with All and/or Localhost?

    Huh? It can be bound to any interface you want to listen on; as you saw in my screenshot, I have specific interfaces selected.



  • @gonn said in unbound and localhost:

    I only have a LAN interface, so ALL means LAN?

    ??
    All means all interfaces.

    This is the perfect, secure and default situation that works out of the box:

    72f1b7fd-8362-4a05-bfdb-8a3359bfe850-image.png

    Btw: with the Ctrl key you can select several interfaces if you do not want All for some reason.


  • LAYER 8 Global Moderator

    Not sure I would call it "perfect" listening on interfaces that have no reason to listen. But it is the best solution to make sure it works out of the box ;) And it will work just fine for most users.



  • Exactly, "perfect" in the sense that it will make things work.
    From this point, one can start breaking things down ^^



  • When I only select the LAN interface I get this message:

    81b56c93-9339-4498-91fe-bb47b1ae0b54-image.png


  • LAYER 8 Global Moderator

    If pfSense is going to use localhost, then yes, you have to listen on it. Or pfSense would have no DNS.



  • I must select Localhost + whatever interfaces I want.
    But I can't select only the LAN interface.

    It must be a requirement of unbound.

    Why was I obliged to create my own ACL?


  • LAYER 8 Global Moderator

    @gonn said in unbound and localhost:

    Why was I obliged to create my own ACL?

    No idea - I do it on purpose for my needs.

    You haven't stated what the source IP trying to query was; if it is downstream and not a locally attached network, then the automatic ACLs would not work.
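    To make the two points in this thread concrete (a listener bound only to localhost cannot answer the LAN at all, while a listener that is bound but whose ACLs do not cover the source network answers with REFUSED), here is an added Python model of unbound's interface and access-control evaluation. It is not pfSense's or unbound's own code: it parses only the `interface:` and `access-control:` lines of a constructed unbound.conf fragment, applies longest-prefix matching with unbound's documented default of `refuse` for unlisted sources, and the LAN (192.168.1.0/24) and downstream (10.20.0.0/16) networks are placeholders, not values from the thread.

```python
"""Toy model of unbound interface binding and access-control (ACL) checks.

Added example; not unbound's or pfSense's own code. It implements only the
subset needed to reproduce the thread's symptoms: no listener on the queried
address -> no answer at all; listener present but the source IP matches no
allowing ACL -> REFUSED (what nslookup reports as "Query refused").
"""
import ipaddress

# Constructed sample resembling pfSense's auto-added ACLs with the resolver
# bound to Localhost + LAN and a LAN of 192.168.1.0/24 (placeholder values).
AUTO_ACL_CONF = """\
server:
    interface: 127.0.0.1
    interface: ::1
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow_snoop
    access-control: ::1 allow_snoop
    access-control: 192.168.1.0/24 allow
"""

# Constructed: the manual ACL a downstream network would need. 10.20.0.0/16
# is a placeholder; the thread never states the poster's actual network.
DOWNSTREAM_ACL_LINE = "    access-control: 10.20.0.0/16 allow\n"

# Actions that result in an answer; everything else ("refuse", "deny") does not.
ALLOW_ACTIONS = {"allow", "allow_snoop", "allow_setrd"}


def parse_conf(text):
    """Return (listening addresses, [(network, action), ...]) from the fragment."""
    interfaces = []
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/whitespace
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")         # first ':' only, so ::1 survives
        key, value = key.strip(), value.strip()
        if key == "interface":
            interfaces.append(ipaddress.ip_address(value))
        elif key == "access-control":
            net, action = value.split()
            acls.append((ipaddress.ip_network(net, strict=False), action))
    return interfaces, acls


def acl_action(acls, src):
    """Longest-prefix match over the ACL list; unlisted sources are refused."""
    src = ipaddress.ip_address(src)
    best = None
    for net, action in acls:
        if src.version == net.version and src in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def query_outcome(conf_text, dst, src):
    """Simulate a query from src to dst: 'no-response', 'answered', or the ACL action."""
    interfaces, acls = parse_conf(conf_text)
    if ipaddress.ip_address(dst) not in interfaces:
        return "no-response"                        # nothing bound to that address
    action = acl_action(acls, src)
    return "answered" if action in ALLOW_ACTIONS else action


if __name__ == "__main__":
    lan_client, downstream_client = "192.168.1.50", "10.20.5.7"
    print("LAN client ->", query_outcome(AUTO_ACL_CONF, "192.168.1.1", lan_client))
    print("downstream, auto ACLs only ->",
          query_outcome(AUTO_ACL_CONF, "192.168.1.1", downstream_client))
    print("downstream, manual ACL added ->",
          query_outcome(AUTO_ACL_CONF + DOWNSTREAM_ACL_LINE, "192.168.1.1",
                        downstream_client))
```

    Run as-is, the first query is answered, the second comes back `refuse` (the REFUSED the original poster saw) and the third is answered once the downstream allow line is appended, which is exactly the fix applied earlier in the thread. A query sent to an address with no `interface:` line returns `no-response`, which is why binding only to localhost leaves the LAN with nothing to talk to.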



  • Anyway... a great Merci :-)

