Netgate Discussion Forum

Wildcard host override with DNS Resolver (unbound)

DHCP and DNS
    omnidan
    last edited by Feb 8, 2015, 11:58 AM

    Hi everyone!

    How can I set up DNS host overrides with wildcards using the default DNS Resolver (unbound)?

    I've tried the advanced settings for the old DNS Forwarder (dnsmasq), mentioned here:
    https://forum.pfsense.org/index.php?topic=43835.0

    This does not seem to work - nothing gets resolved anymore at all. And setting up a specific host-override for abc.com (leaving host blank) will not override www.abc.com or 123.abc.com.

    Any ideas except for turning off DNS Resolver and using DNS Forwarder instead?

    By the way: where does pfSense store its unbound config so I can try editing it on the shell and figure out wildcards there?

    Thanks everyone!
    Dan

      doktornotor Banned
      last edited by Feb 8, 2015, 12:16 PM

      unbound.conf(5)

      redirect
          The query is answered from the local data for the zone name. There may be no local data beneath the zone name. This answers queries for the zone, and all subdomains of the zone with the local data for the zone. It can be used to redirect a domain to return a different address record to the end user, with local-zone: "example.com." redirect and local-data: "example.com. A 127.0.0.1" queries for www.example.com and www.foo.example.com are redirected, so that users with web browsers cannot access sites with suffix example.com.

      So, you can try something like this in advanced config:

      server:
      local-zone: "abc.com" redirect
      local-data: "abc.com 3600 IN A 192.0.2.1"

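The difference between a per-host override (which answers only the exact name) and a `redirect` local-zone (which answers the zone name and every name beneath it) is the whole point of the thread. The following is an added example, not code from the forum or from unbound/pfSense: a small Python model of the matching rules as unbound.conf(5) describes them, with a parser for the `local-zone:`/`local-data:` lines of a custom-options block. Names, addresses and the `LocalResolver` class are constructed for illustration; only `redirect` zones with an A record are modelled, and the label-wise suffix test shows why `notabc.com` must not be caught by a zone for `abc.com`.

```python
"""Model of unbound's local-zone "redirect" behaviour versus a plain host
override. Added example (not the forum's or unbound's code); matching rules
follow unbound.conf(5): a redirect zone answers the zone name and all names
beneath it with the zone's own local-data. Sample names are constructed."""

import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def labels(name: str) -> List[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def is_in_zone(name: str, zone: str) -> bool:
    """Label-wise suffix test: 'www.abc.com' is under 'abc.com', but
    'notabc.com' is not. A plain string .endswith() check would wrongly
    match 'notabc.com', so compare whole labels instead."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


@dataclass
class LocalResolver:
    # Exact-name entries, like a pfSense host override for a single host.
    host_overrides: Dict[str, str] = field(default_factory=dict)
    # zone -> A record address for `local-zone: "<zone>" redirect`.
    redirect_zones: Dict[str, str] = field(default_factory=dict)

    def resolve(self, name: str) -> Optional[str]:
        """Return the locally served address, or None when the query would
        fall through to normal recursion."""
        key = ".".join(labels(name))
        if key in self.host_overrides:
            return self.host_overrides[key]
        matches = [z for z in self.redirect_zones if is_in_zone(name, z)]
        if not matches:
            return None
        # Most specific (longest) redirect zone wins, as in DNS zone cuts.
        best = max(matches, key=lambda z: len(labels(z)))
        return self.redirect_zones[best]


def parse_unbound_local_config(text: str) -> LocalResolver:
    """Parse `local-zone:` / `local-data:` lines from an unbound
    custom-options block. Only redirect zones with an A record at the zone
    apex are modelled; other zone types and record types are ignored."""
    zones: List[str] = []
    records: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith(":"):
            continue  # blank, comment, or a section header such as "server:"
        if line.startswith("local-zone:"):
            parts = shlex.split(line[len("local-zone:"):])
            if len(parts) >= 2 and parts[1] == "redirect":
                zones.append(".".join(labels(parts[0])))
        elif line.startswith("local-data:"):
            # Value is one quoted RR: name [ttl] [class] type rdata
            rr = shlex.split(line[len("local-data:"):])[0].split()
            if len(rr) >= 3 and rr[-2].upper() == "A":
                records[".".join(labels(rr[0]))] = rr[-1]
    resolver = LocalResolver()
    for zone in zones:
        if zone in records:
            resolver.redirect_zones[zone] = records[zone]
    return resolver


# Constructed sample: the snippet from the thread, plus an unrelated zone.
SAMPLE_CONFIG = """server:
local-zone: "abc.com" redirect
local-data: "abc.com 3600 IN A 192.0.2.1"
"""

if __name__ == "__main__":
    wildcard = parse_unbound_local_config(SAMPLE_CONFIG)
    single = LocalResolver(host_overrides={"abc.com": "192.0.2.1"})
    for q in ("abc.com", "www.abc.com", "other.something.www.abc.com",
              "notabc.com", "abc.com.evil.example"):
        print(f"{q:32} redirect={wildcard.resolve(q)!s:12} "
              f"host-override={single.resolve(q)}")
```

Running it reproduces johnpoz's dig results for the redirect zone (every name under `abc.com` gets 192.0.2.1) while the host-override-only resolver answers `abc.com` alone, which is the behaviour omnidan originally observed.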
        johnpoz LAYER 8 Global Moderator
        last edited by Feb 9, 2015, 10:44 PM

        So per dok instructions.. there you go

        root@ubuntu:~$ dig abc.com +short
        192.0.2.1
        root@ubuntu:~$ dig www.abc.com +short
        192.0.2.1
        root@ubuntu:~$ dig something.www.abc.com +short
        192.0.2.1
        root@ubuntu:~$ dig other.something.www.abc.com +short
        192.0.2.1
        root@ubuntu:~$

        looks like wildcard to me.

        Removed and back to normal
        root@ubuntu:~$ dig abc.com +short
        199.181.132.250
        root@ubuntu:~$ dig www.abc.com +short
        abc.com.
        199.181.132.250
        root@ubuntu:~$


          doktornotor Banned
          Feb 9, 2015, 10:54 PM, last edited Feb 9, 2015, 11:01 PM

          Well, thanks for testing that (and no thanks to the OP for not even bothering to post a beep…  >:() Perhaps someone might update the locked sticky so that it accounts for unbound as well?

            omnidan
            last edited by Feb 13, 2015, 12:13 PM

            Thank you so much guys for figuring this out and testing it.
            I'm truly sorry for not answering sooner!

            Best regards!

              Trel
              Feb 13, 2015, 2:48 PM, last edited Feb 13, 2015, 3:19 PM

              nevermind.
              I was asking what the IN was, I found out.

              The optional Class option.

                Making_sense_of_pfSense @doktornotor
                last edited by Jun 23, 2020, 3:06 PM

                @doktornotor Thank you, this was very helpful!
                My OpenVPN clients couldn't reach my nginx reverse proxy despite the general NAT reflection policy (System > Advanced > Firewall & NAT), which worked just fine from the LAN.
                So I was just about to follow the officially recommended split DNS way and enter a bunch of host overrides in Services > DNS Resolver, when I found your wonderfully elegant solution!


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.