Unbound DNS questions - new member
-
Hello everyone,
I am planning to use pfSense with Unbound DNS sometime in the next few months. There is a shortage of APU2E4 boards everywhere. Back order.
I currently run Unbound DNS as the primary DNS on custom Asus Merlin firmware and it has been a solid solution. My network needs are evolving and with that my plan is to use pfSense and Unbound later on this year.
I am managing Unbound RPZ (Response Policy Zone) files manually and perform a refresh using my own custom shell script - many of these are not truly RPZ so the script needs to make proper conversions when necessary. All my RPZ files are declared in a separate unbound.conf.rpz file which is then included in the main unbound.conf file.
I would like to replicate my current setup in pfSense. Including my own unbound.conf.rpz into Unbound should be no issue. My own script reads the unbound.conf.rpz and automates a few things:
- It converts domain files (and other formats) into the proper standard RPZ format.
- It checks the Last-Modified date from the provider feed before performing the file download and RPZ refresh.
I'd like to keep the script and use it in pfSense as a cron process to fetch and refresh all my RPZ files.
Any advice would be appreciated.
-
@markster said in Unbound DNS questions - new member:
I am managing Unbound RPZ (Response Policy Zone) files manually
Have a look at what pfSense package pfBlockerNG can do for you.
-
pfBlockerNG is not something that manages your RPZ.
This is not what I was asking. I have multiple RPZ files and with Unbound you can configure how the Unbound response is created per RPZ. pfBlockerNG is just a generic domain blocker. Check this link https://tools.ietf.org/id/draft-vixie-dnsop-dns-rpz-00.html#rfc.section.6.1. I want to have more control over how Unbound works with each RPZ. pfSense only provides a generic framework and I could not even find any pfSense documents that would specifically mention RPZ.
-
@markster said in Unbound DNS questions - new member:
pfBlockerNG is not something that manages your RPZ.
This is not what I was asking. I have multiple RPZ files and with Unbound you can configure how the Unbound response is created per RPZ. pfBlockerNG is just a generic domain blocker. Check this link https://tools.ietf.org/id/draft-vixie-dnsop-dns-rpz-00.html#rfc.section.6.1. I want to have more control over how Unbound works with each RPZ. pfSense only provides a generic framework and I could not even find any pfSense documents that would specifically mention RPZ.
Custom configuration of unbound like you desire is not easy on pfSense because all of the unbound configuration files are managed by the GUI code of pfSense (and, when installed, also by the pfBlockerNG package). Configuration info is maintained in the XML-based config.xml used by pfSense, and each time the unbound service is started, or the configuration needs updating, the info is pulled from the config.xml data and written to the appropriate text-based config files needed by unbound. This is key to understand, because any manual edits you might do on the file system will get overwritten by the GUI code.
There is a Custom Options section for the unbound configuration where you can enter some custom settings. You could try entering your customizations there if unbound accepts them. These customizations are also stored in config.xml and written into the unbound configuration when the GUI updates it.
-
@bmeeks, thanks for the response.
I may be fine since I would only include in the Unbound Advanced Options a statement such as "include: /var/unbound.conf.rpz".
I generally dislike ideas or architectures that limit IT pros to do what is needed. Frameworks like this cannot possibly accommodate every situation or requirement.
-
@markster said in Unbound DNS questions - new member:
I generally dislike ideas or architectures that limit IT pros to do what is needed. Frameworks like this cannot possibly accommodate every situation or requirement.
This is one thing that more experienced Linux or BSD users familiar with the CLI have to get accustomed to. Things you know how to do via the CLI don't necessarily work with pfSense due to the GUI code creating critical configuration files for you from the data stored in config.xml. Some packages offer a customization or "advanced settings" option that allows direct entry of some configuration info that the GUI does not currently support or expose.
The upside of the process pfSense uses is that the user is shielded from shooting themselves in the foot by manually editing a critical configuration file and introducing a fatal error that prevents firewall operation. Within reason, and to the extent possible, the GUI code protects from that. So it's a give-and-take sort of thing.
-
@markster said in Unbound DNS questions - new member:
I generally dislike ideas or architectures that limit IT pros to do what is needed. Frameworks like this cannot possibly accommodate every situation or requirement.
True.
pfSense pretends to be a versatile router/firewall with already too many options. I've read https://tools.ietf.org/id/draft-vixie-dnsop-dns-rpz-00.html#rfc.section.6.1.
I think I get what you're doing. Throwing in an "include: /var/unbound.conf.rpz" in the custom box will do the job. Keep in mind: to have the list re-read when it changed, you have to stop & start unbound.
-
Cool. When a single or many RPZ files need to be refreshed in Unbound all you need to do is issue unbound-control auth_reload_rpz [zone-name]. I already perform this in my script.
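A shell version of the two pieces this thread turns on, markster's domain-list-to-RPZ conversion from the first post and the rpz: stanza that the "include: /var/unbound.conf.rpz" line pulls in. This is an added example, not the poster's own script; the zone name rpz.example, the /tmp paths and the sample feed are constructed.

```shell
#!/bin/sh
# Added example, not markster's script: convert a domain list (plain or
# hosts-file style) into an RPZ zone and emit the rpz: clause for a
# hand-maintained unbound.conf.rpz. Zone name and paths are assumed.

# to_rpz ZONE : read a list on stdin, write an RPZ zone file on stdout.
# Accepts "example.com", "example.com.", "0.0.0.0 example.com" and "#"
# comments. Anything that is not a bare hostname is dropped, so a broken
# or hostile feed cannot smuggle arbitrary records into the zone.
to_rpz() {
    awk -v zone="$1" -v serial="$(date +%s)" '
    BEGIN {
        # RPZ zones load as authoritative data, so an apex SOA/NS is required.
        print "$TTL 300"
        printf "%s. IN SOA localhost. hostmaster.%s. %s 3600 900 604800 300\n", zone, zone, serial
        printf "%s. IN NS localhost.\n", zone
    }
    {
        sub(/#.*/, "")                                   # strip comments
        if (NF == 0) next                                # blank line
        d = tolower($NF)                                 # hosts format: name is last field
        sub(/\.$/, "", d)                                # drop trailing dot
        if (d ~ /^[0-9.]+$/) next                        # "0.0.0.0 0.0.0.0" lines
        if (d !~ /^([a-z0-9_-]+\.)+[a-z0-9-]+$/) next    # not a hostname
        if (seen[d]++) next                              # de-duplicate
        # CNAME to "." is the RPZ NXDOMAIN action; the wildcard covers subdomains.
        printf "%s CNAME .\n*.%s CNAME .\n", d, d
    }'
}

# rpz_clause ZONE FILE : the stanza for unbound.conf.rpz, which the main
# unbound.conf pulls in via "include: /var/unbound.conf.rpz". The server:
# block needs module-config: "respip validator iterator" for rpz: to apply.
# After rewriting FILE, "unbound-control auth_zone_reload ZONE" picks it up.
rpz_clause() {
    printf 'rpz:\n    name: "%s"\n    zonefile: "%s"\n' "$1" "$2"
    printf '    rpz-action-override: nxdomain\n    rpz-log: yes\n    rpz-log-name: "%s"\n' "$1"
}

# Constructed sample feed mixing the formats above; output goes to /tmp.
sample='# ad list
0.0.0.0 Ads.Example.com   # hosts style
example.net.
example.net
0.0.0.0 0.0.0.0
not a domain!'
printf '%s\n' "$sample" | to_rpz rpz.example > /tmp/rpz.example.zone
rpz_clause rpz.example /tmp/rpz.example.zone
```

With rpz-log set, each policy hit is written to the Unbound log, which is the easiest place to confirm a refreshed zone is actually being applied.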
-
@markster said in Unbound DNS questions - new member:
issue unbound-control auth_reload_rpz [zone-name]. I already perform this in my script.
Even better !
Looks like you're good to go.
pfSense uses the "off-the-shelf FreeBSD Unbound" package.
Probably not the latest version, though.
-
As I am rethinking the strategy and at the same time researching pfSense I have second thoughts.
I read that many users have issues after pfSense updates and also Unbound issues starting up, etc. I don't, and what I have is pretty solid. I will take my time to evaluate the pros and cons, but thanks for your input and answers.
-mark