Unbound, Domain override - non recursive query



  • I have a few pfSense based nets linked via OpenVPN

    [Site_A] => [OpenVPN on VPS] <= [Site_B]

    Though, there are more sites connected as a spokes of the wheel

    What I had before is each Site had a domain override, leading to other pfSense box DNS:

    Site_A DomainOverride: [Domain_B:IP_of_B], [Domain_C:IP_of_C] …
    On human language, "for Domain B go to Site B", ... where each site is pfSense box with Unbound DNS

    That worked

    Now I decided to install Unbound DNS on central server, where OpenVPN resides. So, all overrides refer to VPN IP with Unbound (Ubuntu) listening on it.
    E.g., everybody requests DNS on VPN, which further refers to proper Authorative DNS.

    Problem is, Unbound in pfSense nadles DomainOverride with stub-zone. Which expects an Authorative DNS on zone override IP.

    Basically, if I go to machine A, sitting behind pfSense A and ask host_B, behind pfSense B, it won't be allowed by central VPN DNS (Unbound) unless two things:

    1. I have ACL for pfSense_A VPN IP as "allow_snoop"
    2. Site B info about this host is still in the cache on central DNS

    So Domain Override won't go recursive

    If I just do on A:
    nslookup host_b.domain_b ip_of_vpn_server

    it works fine, since call is recursive

    Is there a way to tell Unbound on pfSense to do a recursive call instead? Or handle it somehow on central Unbound (Ubuntu)
    I am rather new to Unbound. Tried to place a forward zone to "Advanced" section of pfSense like

    forward-zone:
            name: "site_B"
            forward-addr: <ip_of_vpn_server>Didn't help.

    I need this central DNS schema for 2 reasons:

    1. To provide DNS for whole private net in case of road warrior (no pfSense). OpenVPN just push <ip_of_vpn_server>and domain search list for every internal domain
    2. Centralized DNS management</ip_of_vpn_server></ip_of_vpn_server>



  • Just enlightened while posted and added private/insecure part like:

    server:
    private-domain: "site_B_domain"
    domain-insecure: "site_B_domain"
    
    forward-zone:
            name: "site_B_domain"
            forward-addr: <central_vpn_ip></central_vpn_ip>
    

    And it worked.

    Though, is it right way of doing things?


Log in to reply