Unbound domain overrides for local DNS across site-to-site VPNs



  • The example use case is an internal private company network of VPNs interconnecting multiple offices. Some far-flung office has (possibly multiple) VPN hops to reach a DNS server that provides name resolution for the internal company names. The private OpenVPN tunnel network subnets are not known to the routing tables of some remote router/s in the internal network. So if a DNS query is received from "far-flung-office-OpenVPN-tunnel-endpoint", the reply cannot be routed back.
    In dnsmasq there was a box to put "Source IP address for queries to the DNS server for the override domain." In that we would normally put the LAN IP of "far-flung-office". The internal DNS server at main office would know how to route back to that (the whole of main office knows how to route to "far-flung-office-LAN").

    Now there is no such box in DNS Resolver (unbound) GUI. And actually I can't see how to do this in an unbound.conf file anyway - does not seem to support that.

    The ways around this seem to be:

    1. Make sure that all routers in the company intranet know how to route correctly to all intranet subnets across whatever VPN links there are, including how to route to the OpenVPN tunnel networks themselves.
      or;
    2. Select LAN in Outgoing Network Interfaces on DNS Resolver. That makes all outgoing queries come from the LAN IP. It works for resolving intranet names (that is expected, LAN IP is an internal private IP in the intranet). It also seems to work for public name resolution - I guess the source IP being LAN IP, it is NATed on the way out WAN(s) to the public DNS, so actually the public DNS sees source IP as WAN IP.

    (1) is easy enough to achieve in a small company intranet. If there are loads of OpenVPN tunnel links it can be more hassle to maintain all the internal routing (and I guess when the company intranet gets big you start using some rotuing protocol - OSPF…)

    (2) sounds a little tricky - is there something here that I have not thought of that will be broken by that?

    Any comments or better ideas for the solution to this with Unbound DNS Resolver?



  • Yeah there isn't a direct equivalent for the source IP per-domain override that's in dnsmasq.

    Ideally that won't be an issue because #1 will work, but that isn't the case at times and fixing that can be a significant undertaking.

    The best alternative I've seen is #2, picking only a single interface for the outgoing interface option. I don't think there are any caveats to that. Any queries that go to an Internet destination will have that IP source NATed. The only potential issue I can think of there is if you need one domain override to use one source IP, and a diff domain override to use a diff source IP. I've never seen anyone have such a requirement so it's likely exceptionally rare. Choosing only LAN for the outbound interface should be safe in most every scenario.