UI bug? -- when using resolver -and- forwarder
-
When using the (unbound) DNS resolver, one can nicely limit it to only bind to the needed interfaces. And this is reflected in
/var/unbound/unbound.conf
as
interface:
and
outgoing-interface:
The DNS forwarder has that same functionality - and a checkbox to be 'strictly' bound to that specific interface/IP.
Yet if one tries to run both on mutually exclusive settings - the UI seems to block this with a "The DNS Resolver is enabled using this port. Choose a non-conflicting port, or disable DNS Resolver."
Is this a bug ?
Secondly - when using a VLAN - I am not entirely sure if unbound honours the
interface:
setting. Just an
interface: 10.44.0.1
on an igb7 interface whose raw IP is 10.44.0.1/24 and which also has 192.168.0.1/24 allocated on vlan100 - sees unbound reply to DNS queries on 192.168.0.1, which I had not expected. Any thoughts anyone?
-
@dirkx what version of pfSense are you using - I was able to start forwarder on one of my other interfaces that unbound is not using.
I'm on 22.05
-
Hmm - that is odd - as that is the exact thing I was expecting/think I am configuring.
Version-wise - I am on
2.6.0-RELEASE (amd64) built on Mon Jan 31 19:57:53 UTC 2022 FreeBSD 12.3-STABLE
which it reports as the latest/greatest. Are your interfaces normal? Or is one of them a VLAN?
-
@dirkx I have VLANs sure - but that interface is not... Let me set up a VLAN and test it with that. But maybe you got something else duplicated, like localhost? Or something?
Here I just turned off unbound on my guest VLAN, nobody currently on it - and enabled forwarder on it.
edit: so guest is a VLAN that forwarder is not listening on - and another VLAN unbound is on, same physical interface igb2
-
Ok - so not sure what the difference is. Images of the config below. And I am trying to start the forwarder on just that VLAN108, which is explicitly not in the list of bound interfaces of the resolver (for IPv4 and v6).
-
@dirkx what are you wanting to do with a VLAN that is not bound to a physical interface? How would it do anything?
If you have a vlan106 and it's not bound to a physical interface - what is its point?
-
No sorry - misunderstanding - it is bound to igb1 -- which is also a normal, non-tagged interface.
So on igb1 we have LAN - with a DNS resolver on 10.44.0.1/24 - and try to run the forwarder on igb1.VLAN108 on 192.168.108.1/24.
And it is the config of the latter that the UI rejects.
-
Forwarder states
"If an interface has both IPv4 and IPv6 IPs, both are used"
"The default behavior is to respond to queries on every available IPv4 and IPv6 address."
You have unbound bound to IPv6 link-local.
-
Right - which is needed. But that is only unbound; the forwarder is not. Or is that the issue - that neither can be bound to IPv6 link-local?
-
@dirkx if forwarder doesn't allow you to pick not to be on IPv6, and you have unbound bound to IPv6, then yeah you have a problem.
I don't have unbound bound to any IPv6 addresses. On the interfaces I tested with. Nor do I have any IPv6 on those interfaces.
-
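The check John's diagnosis points at, as an added example that is not part of the thread: a small POSIX shell script that takes sockstat output (on pfSense: sockstat -l -P tcp,udp -p 53), lists which addresses each daemon really holds on port 53, flags any address unbound is bound to beyond the ones named in your interface: lines (the VLAN question raised earlier in the thread), and reports which of a set of candidate forwarder addresses are already taken. The sockstat lines in it are constructed to match the scenario described above (unbound on 10.44.0.1 plus an igb1 link-local address; a forwarder wanting 192.168.108.1 and, left at its default of every available address, the link-local as well); the PIDs and the fe80::1 address are made up.

```shell
#!/bin/sh
# Added example, not from the thread: compare the port-53 sockets a daemon
# actually holds with the addresses you meant it to bind, and test whether a
# second DNS daemon's candidate addresses collide with them.
#
# On a live pfSense box, replace $SAMPLE with the output of:
#   sockstat -l -P tcp,udp -p 53

# Constructed sockstat output (PIDs and the fe80::1 address are invented).
# unbound was configured with "interface: 10.44.0.1" but also holds the
# link-local address of igb1, as diagnosed in the thread.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    48211 3  udp4   10.44.0.1:53          *:*
unbound  unbound    48211 4  tcp4   10.44.0.1:53          *:*
unbound  unbound    48211 5  udp6   fe80::1%igb1:53       *:*
unbound  unbound    48211 6  tcp6   fe80::1%igb1:53       *:*'

# Print "daemon address" once per distinct pair, reading sockstat output on
# stdin. The port sits after the last colon (also for IPv6 with a %scope), so
# it is stripped with a regex anchored at the end of the field.
dns_listeners() {
    awk 'NR > 1 && NF >= 6 { a = $6; sub(/:[0-9]+$/, "", a); print $2, a }' \
        | LC_ALL=C sort -u
}

# Addresses DAEMON holds that are not in the expected list.
# Usage: unexpected_binds DAEMON ADDR... < sockstat-output
unexpected_binds() {
    daemon=$1; shift
    expected=" $* "
    dns_listeners | while read -r cmd addr; do
        [ "$cmd" = "$daemon" ] || continue
        case "$expected" in
            *" $addr "*) ;;                 # intended, nothing to report
            *) printf '%s\n' "$addr" ;;     # bound but never asked for
        esac
    done
}

# Of the addresses given as arguments, print those some daemon already has on
# port 53 - the collision the pfSense UI refuses to let you create.
# Usage: already_bound ADDR... < sockstat-output
already_bound() {
    held=$(dns_listeners | awk '{ print $2 }' | LC_ALL=C sort -u)
    for want in "$@"; do
        for have in $held; do
            if [ "$have" = "$want" ]; then
                printf '%s\n' "$want"
            fi
        done
    done
}

# 1. Does unbound hold more than the one address in its interface: line?
echo "unbound binds not covered by interface: 10.44.0.1"
printf '%s\n' "$SAMPLE" | unexpected_binds unbound 10.44.0.1

# 2. Would a forwarder on VLAN108 collide? Strictly bound it would only take
#    192.168.108.1; left at its default it also takes the igb1 link-local.
echo "forwarder candidate addresses already taken:"
printf '%s\n' "$SAMPLE" | already_bound 192.168.108.1 fe80::1%igb1
```

If the second check prints nothing on your box while the UI still refuses the forwarder, the conflict is not a socket already held by unbound but the UI's own port check, which is the question the thread opened with.
-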
Ok - clear & many thanks.
So I need to figure out a way around that - as we need to answer on link-local to keep the routing happy. Which should be doable, as the forwarder can simply forward that too.
-
@dirkx I just tried binding test to link-local, but it has no real IPv6 address and test came up on forwarder.
-
@dirkx can you not just have forwarder listen on a different port, and use a port forward on your VLAN to send port 53 traffic to the port it listens on, say 5353?
-
Off-subject question for John.
Hi John, on your interface assignments in post 4 you have an interface labeled ns 1 vpn. If you don't mind, could you elaborate what it is for? Is it some service you subscribe to, or a remote name server you have on a VPS? I'm just curious.
-
@uglybrian just a VPS I run - I have a client VPN connection to it that I use for testing VPN connections, mostly for here; I don't have any traffic routed through it normally.
-
Thank you John