Unbound, Domain override - non recursive query
Vetal last edited by
I have a few pfSense based nets linked via OpenVPN
[Site_A] => [OpenVPN on VPS] <= [Site_B]
Though, there are more sites connected as a spokes of the wheel
What I had before is each Site had a domain override, leading to other pfSense box DNS:
Site_A DomainOverride: [Domain_B:IP_of_B], [Domain_C:IP_of_C] …
On human language, "for Domain B go to Site B", ... where each site is pfSense box with Unbound DNS
Now I decided to install Unbound DNS on central server, where OpenVPN resides. So, all overrides refer to VPN IP with Unbound (Ubuntu) listening on it.
E.g., everybody requests DNS on VPN, which further refers to proper Authorative DNS.
Problem is, Unbound in pfSense nadles DomainOverride with stub-zone. Which expects an Authorative DNS on zone override IP.
Basically, if I go to machine A, sitting behind pfSense A and ask host_B, behind pfSense B, it won't be allowed by central VPN DNS (Unbound) unless two things:
1. I have ACL for pfSense_A VPN IP as "allow_snoop"
2. Site B info about this host is still in the cache on central DNS
So Domain Override won't go recursive
If I just do on A:
nslookup host_b.domain_b ip_of_vpn_server
it works fine, since call is recursive
Is there a way to tell Unbound on pfSense to do a recursive call instead? Or handle it somehow on central Unbound (Ubuntu)
I am rather new to Unbound. Tried to place a forward zone to "Advanced" section of pfSense like
forward-addr: <ip_of_vpn_server>Didn't help.
I need this central DNS schema for 2 reasons:
1. To provide DNS for whole private net in case of road warrior (no pfSense). OpenVPN just push <ip_of_vpn_server>and domain search list for every internal domain
2. Centralized DNS management</ip_of_vpn_server></ip_of_vpn_server>
Vetal last edited by
Just enlightened while posted and added private/insecure part like:
server: private-domain: "site_B_domain" domain-insecure: "site_B_domain" forward-zone: name: "site_B_domain" forward-addr: <central_vpn_ip></central_vpn_ip>
And it worked.
Though, is it right way of doing things?