Unbound doesn't listen to Tailscale IP
-
I'd like to use Unbound as my DNS forwarder using my Tailscale-issued IP. However, Unbound seems to reject queries coming from Tailscale:
    PS C:\Users\Phong Nguyen> nslookup netgate.com 100.72.216.87
    Server:  UnKnown
    Address:  100.72.216.87

    *** UnKnown can't find netgate.com: Query refused

    PS C:\Users\Phong Nguyen> nslookup netgate.com fd7a:115c:a1e0:ab12:4843:cd96:6248:d857
    Server:  UnKnown
    Address:  fd7a:115c:a1e0:ab12:4843:cd96:6248:d857

    *** UnKnown can't find netgate.com: Query refused
Queries going in through 'normal' IP ranges seem to work just fine:
    PS C:\Users\Phong Nguyen> nslookup netgate.com 192.168.1.1
    Server:  pfsense.home.nxp.io
    Address:  192.168.1.1

    Non-authoritative answer:
    Name:    netgate.com
    Addresses:  ::ffff:199.60.103.104
              ::ffff:199.60.103.4
              199.60.103.4
              199.60.103.104
Is the allowlist in Unbound missing the Tailscale interfaces, and if so, are there examples of how to add it in?
-
Ah, I was able to manually do it by adding the Tailscale IPv4 and IPv6 subnet ranges in Custom Options:
    access-control: 100.64.0.0/10 allow
    access-control: fd7a:115c:a1e0:ab12::/64 allow
It would be nice if the Tailscale plugin could allow this automatically.
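An added check, not code from the thread or from pfSense: a small Python model of how Unbound evaluates its access-control list (the most specific matching netblock wins; sources that match nothing are refused), run against a constructed config that carries the two Tailscale ranges from the post above. The localhost and 192.168.1.0/24 entries are assumptions standing in for what pfSense generates for its interfaces.

```python
import ipaddress

# Constructed Unbound config fragment. Only the two Tailscale lines come from
# the post; the catch-all refuse, localhost and LAN entries are assumptions.
SAMPLE_CONFIG = """
server:
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.1.0/24 allow
    # Tailscale IPv4 range (note: the whole RFC 6598 CGNAT block) and the
    # Tailscale ULA /64; trusting these relies on Tailscale's own ACLs and
    # on those addresses only reaching Unbound over the tailscale interface.
    access-control: 100.64.0.0/10 allow
    access-control: fd7a:115c:a1e0:ab12::/64 allow
"""


def parse_access_control(text):
    """Return [(ip_network, action), ...] for every access-control: line."""
    acl = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line.startswith("access-control:"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed access-control line: {raw!r}")
        acl.append((ipaddress.ip_network(parts[1], strict=False), parts[2]))
    return acl


def action_for(acl, client):
    """Unbound semantics: most specific matching netblock wins; unlisted -> refuse."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in acl:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


if __name__ == "__main__":
    acl = parse_access_control(SAMPLE_CONFIG)
    for src in ("100.72.216.87", "fd7a:115c:a1e0:ab12:4843:cd96:6248:d857",
                "192.168.1.50", "8.8.8.8"):
        print(f"{src:>40} -> {action_for(acl, src)}")
```

Running it with the two Tailscale lines removed reproduces the "Query refused" seen in the first post, which is a quick way to confirm a Custom Options change before testing with nslookup.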
-
I saw Tailscale on pfSense Software! and admit upfront that I don't know what it is / why I should use it.
edit : I watched the video : I get it.
The article talks a lot about VPN, not 'this is a public DNS'.
Also : why should or would a remote DNS server want to 'talk' (initiate) a connection to your DNS (unbound) ?
When you do this :
nslookup netgate.com 100.72.216.87
you use nslookup to look up the A record of the host name "netgate.com" and nslookup will use the DNS server "100.72.216.87" to do so.
It's "100.72.216.87" that doesn't want to reply to this request from your PC, your nslookup app.
nslookup will not use your local unbound ( at 192.168.1.1 I presume) at all.
@phongn said in Unbound doesn't listen to Tailscale IP:
nslookup netgate.com 192.168.1.1
That's better !
Now you ask unbound on pfSense to do a lookup for the A record of "netgate.com".
That worked out just fine.
@phongn said in Unbound doesn't listen to Tailscale IP:
nslookup netgate.com fd7a:115c:a1e0:ab12:4843:cd96:6248:d857
Where did you get this "fd" address from ?
It starts with an "f" ..... that doesn't seem like a global IPv6, more some local address to me.
-
Basically, if I'm on my Tailscale VPN network, I want to be able to talk to my local Unbound DNS resolver so I can do proper DNS lookups of my internal network, as I route my IPv4 private and IPv6 ULA subnets.
To do so, I want to be able to talk to Unbound via the Tailscale-assigned internal IPv4 address (100.72.216.87) and its Tailscale-assigned internal IPv6 ULA address (fd7a:115c:a1e0:ab12:4843:cd96:6248:d857).
Tailscale has its own internal ACLs, so someone else on their IP range can't talk to my VPN network without permission; hence it should be reasonably safe to allow the Tailscale subnet ranges 100.64.0.0/10 and fd7a:115c:a1e0:ab12::/64 to talk to Unbound.