Unbound forward-zone not working properly?
-
I am new to pfSense so have been trying to replicate my old OpenWRT configuration.
I have mostly gotten it sorted except I hit a snag with Unbound.
Firstly, the web UI is unable to add domain overrides except if you are pointing to a primary server.
So I eventually realised I needed to add forward-zone rules in the advanced configuration. Except, it still doesn't work in the way the Unbound documents claim it does.
I use Unotelly and redirect just Netflix queries to their DNS, so I get quick response on everything else and do not have to trust them with my online banking DNS. The rules I used were:
forward-zone:
name: "netflix.com"
forward-addr: 176.58.107.53
forward-zone:
name: "netflix.co.uk"
forward-addr: 176.58.107.53
forward-zone:
name: "netflix.net"
forward-addr: 176.58.107.53
forward-zone:
name: "nflxvideo.net"
forward-addr: 176.58.107.53
forward-zone:
name: "unotelly.com"
forward-addr: 176.58.107.53That worked for streaming devices, but www.netflix.com would fail DNS lookup. In fact, all subdomains would fail which is odd as the Unbound documentation would suggest its supposed to be a catch-all rule.
When requested directly from 176.58.107.53 or with dnsmasq in place, the host lookup gives me this and everything works perfectly:
host www.netflix.com
www.netflix.com is an alias for www.netflix.com.netflix-cluster.unostructure.com.
www.netflix.com.netflix-cluster.unostructure.com has address 173.208.224.45
www.netflix.com.netflix-cluster.unostructure.com has address 107.167.89.172
www.netflix.com.netflix-cluster.unostructure.com has address 69.197.152.44
www.netflix.com.netflix-cluster.unostructure.com has address 98.142.141.44
www.netflix.com.netflix-cluster.unostructure.com has address 63.143.56.125
Host www.netflix.com.netflix-cluster.unostructure.com not found: 3(NXDOMAIN)
Host www.netflix.com.netflix-cluster.unostructure.com not found: 3(NXDOMAIN) -
I also notice that adding "Domain Overrides" does not work here.
My intention: I run IPSEC VPNs to several customers and want to query their internal DNS instead of the (external) DNS of my internet provider.Unfortunately that does not work for me.
I run pfsense 2.2.3 on an ALIX board, for reference.I can "dig @customerdns $fqdn" successfully from my desktop machine.
But "dig @pfsenseIP $fqdn" does not return anything. -
@sgw:
My intention: I run IPSEC VPNs to several customers and want to query their internal DNS instead of the (external) DNS of my internet provider.
I can "dig @customerdns $fqdn" successfully from my desktop machine.
But "dig @pfsenseIP $fqdn" does not return anything.This has nothing to do with the OP. If you want to query their internal DNS, then query that DNS and not pfSense.
https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
-
This has nothing to do with the OP. If you want to query their internal DNS, then query that DNS and not pfSense.
So DNS Overrides do not work for DNS-servers "behind" IPSEC tunnels?
Thanks for the link, I will try that now …EDIT: I added the additional gateway as mentioned in the link ... and static routes. DNS overrides work now, but this somehow conflicts with the routes set up by IPSEC. I get problems pinging them now.
-
@sgw:
EDIT: I added the additional gateway as mentioned in the link … and static routes. DNS overrides work now, but this somehow conflicts with the routes set up by IPSEC. I get problems pinging them now.
If you really need something like this, I'd frankly suggest to either point LAN clients to the proper place directly or use OpenVPN. I'm tired of debugging IPsec shit.
-
Alex, if I understand your original request correctly, you can address this by configuring resolver (unbound) to use the LAN interface as the only outbound interface. You shouldn't need the fake gateway and static routes.
Note that this will mean all your other DNS packets (to root servers etc.) will be processed via NAT.
