Netgate Discussion Forum

Unbound, Domain override - non recursive query

    Vetal
    last edited by Mar 7, 2015, 6:45 AM

    I have a few pfSense based nets linked via OpenVPN

    [Site_A] => [OpenVPN on VPS] <= [Site_B]

    Though, there are more sites connected as spokes of a wheel

    What I had before is each Site had a domain override, leading to other pfSense box DNS:

    Site_A DomainOverride: [Domain_B:IP_of_B], [Domain_C:IP_of_C] …
    In human language, "for Domain B go to Site B", ... where each site is a pfSense box with Unbound DNS

    That worked

    Now I decided to install Unbound DNS on the central server, where OpenVPN resides. So, all overrides refer to the VPN IP with Unbound (Ubuntu) listening on it.
    E.g., everybody requests DNS on the VPN, which further refers to the proper Authoritative DNS.

    Problem is, Unbound in pfSense handles DomainOverride with a stub-zone, which expects an Authoritative DNS on the zone override IP.

    Basically, if I go to machine A, sitting behind pfSense A and ask host_B, behind pfSense B, it won't be allowed by central VPN DNS (Unbound) unless two things:

    1. I have ACL for pfSense_A VPN IP as "allow_snoop"
    2. Site B info about this host is still in the cache on central DNS

    So Domain Override won't go recursive

    If I just do on A:
    nslookup host_b.domain_b ip_of_vpn_server

    it works fine, since call is recursive

    Is there a way to tell Unbound on pfSense to do a recursive call instead? Or handle it somehow on central Unbound (Ubuntu)
    I am rather new to Unbound. Tried to place a forward zone in the "Advanced" section of pfSense like

    forward-zone:
            name: "site_B"
            forward-addr: <ip_of_vpn_server>

    Didn't help.

    I need this central DNS schema for 2 reasons:

    1. To provide DNS for the whole private net in case of road warriors (no pfSense). OpenVPN just pushes <ip_of_vpn_server> and a domain search list for every internal domain
    2. Centralized DNS management

    Vetal
    last edited by Mar 7, 2015, 6:58 AM

      Just enlightened while posting and added the private/insecure part like:

      server:
              private-domain: "site_B_domain"
              domain-insecure: "site_B_domain"

      forward-zone:
              name: "site_B_domain"
              forward-addr: <central_vpn_ip>


      And it worked.

      Though, is it the right way of doing things?

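An added example (not Vetal's configuration and not anything pfSense or Netgate ships) of how the two halves of this hub-and-spoke setup are commonly written, with the hub deliberately kept on `allow` rather than `allow_snoop`. The site name, domain and addresses (site-b.internal, 10.8.0.1 for the hub, 10.2.0.1 for pfSense B, 10.8.0.0/24 for the VPN) are assumed.

```conf
# --- Hub: Unbound on the Ubuntu VPN server (assumed address 10.8.0.1) ---
server:
    interface: 10.8.0.1
    # Spokes use forward-zones, i.e. recursive (RD=1) queries, so "allow"
    # is enough. "allow_snoop" would also accept non-recursive (RD=0)
    # queries, which is what a stub-zone sends and what lets a client
    # probe the cache; it is not needed once the spokes forward.
    access-control: 10.8.0.0/24 allow
    # The site zones answer with RFC1918 addresses. If private-address is
    # set (pfSense does this by default), Unbound strips such answers as
    # rebinding protection unless the name is listed as private-domain.
    private-address: 10.0.0.0/8
    private-domain: "site-b.internal"
    # The pfSense zones are unsigned, so validation is switched off for
    # this one name only. Keep this list limited to the internal zones.
    domain-insecure: "site-b.internal"

# The hub is one hop from the authoritative server (pfSense B), so a
# stub-zone, which expects an authoritative answer, is the right type here.
stub-zone:
    name: "site-b.internal"
    stub-addr: 10.2.0.1

# --- Spoke: "Advanced" / custom options of Unbound on pfSense A ---
# A forward-zone sends recursive queries, so the hub answers from its own
# stub-zone even when nothing is cached. Do not also keep a GUI Domain
# Override for the same name: pfSense writes that as a stub-zone.
server:
    private-domain: "site-b.internal"
    domain-insecure: "site-b.internal"

forward-zone:
    name: "site-b.internal"
    forward-addr: 10.8.0.1
```

On the hub, a road-warrior client that only gets 10.8.0.1 pushed by OpenVPN then resolves every site zone through the same stub-zones, with no per-client override needed.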