Here is my scenario…
I use untangle as my firewall and typically utilize its DNS server static entries for routing DNS on my home LAN to get to servers by private IP and then let my domains public DNS manage everything from the outside world.
This past week I decided to setup a home lab where I will want to access a different set of machines by the same names as what are already registered in Untangle… BUT at different IPs from those machines the other users in my LAN would access them from.
Example:
Typical config: iis.strumbel.com is at 192.168.1.200
In my test env: iis.strumbel.com needs to be at 192.168.1.171
Unbound seemed the ideal solution, spun up a Centos 7 vm, installed Unbound and configured my test machines into the local-zone utilizing local-data commands. And pointed a forward-addr at my Untangle box. Pretty neat and as long as I am querying for items either in the local-data, or items not managed by Untangle all works fine.
The issue comes when I try to query for an item that is NOT in my local-data but IS in the Untangle DNS entries.
Those come back NOT FOUND.
Example:
iis.strumbel.com is managed by unbound via local-data: “iis.strumbel.com. IN A 192.168.1.171” this works fine
webmail.strumbel.com is managed by untangle this cannot be found
www.crunch.com is not managed by either this works fine
Thinking maybe it was an issue with how Untangle handles DNS, spun up another Centos vm and installed BIND in its most basic form and added a zone for my domain and entered the same records Untangle was managing and then pointed by Unbound forward-addr to this new BIND box instead. Same results. local-data items: OK, items not maintained in BIND: OK, items NOT in local-data but are in BIND: NOT FOUND.
Tells me I must have screwed up something in my Unbound config:
server:
verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
answer queries for this interface 0.0.0.0 says ALL interfaces
interface: 0.0.0.0
what port are we listening on - needs to be opened up in the firewall
port: 53
turn on ipv4 turn off ipv6 queries
do-ip4: yes
do-ip6: no
turn on udp and tcp querying - don’t forget to open in the firewall
do-udp: yes
do-tcp: yes
what client ips can access utilize the results of this dns server
access-control: 192.168.1.0/24 allow
access-control: 127.0.0.1/32 allow
hide hacking information from anyone accessing the server
hide-identity: yes
hide-version: yes
this helps avoid spoofing attempts
harden-glue: yes
harden-dnssec-stripped: yes
upper and lower bounds for TTL
cache-min-ttl: 3600
cache-max-ttl: 14400
prefetch
prefetch: yes
Optimization parameters
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
rrset-cache-size: 256m
msg-cache-size: 128m
so-rcvbuf: 1m
unwanted-reply-threshold: 10000
val-clean-additional: yes
avoid rebinding attacks
private-address: 192.168.1.0/24
here is what allows us to OVERRIDE DNS settings
private-domain: “DNS.OVERRIDES”
do-not-query-localhost: no
here are our overrides!
local-zone: “DNS.OVERRIDES.” static
forward OVERRIDE records
local-data: “iis.strumbel.com. IN A 192.168.1.171”
local-data: “sm.strumbel.com. IN A 192.168.1.171”
local-data: “rodsmachine.strumbel.com. IN A 192.168.1.98”
reverse OVERRIDE records
local-data-ptr: “192.168.1.171 apps.strumbel.com”
local-data-ptr: “192.168.1.98 rodsmachine.strumbel.com”
and where do we go if records are not overridden above?
forward-zone:
name: “.”
forward-addr: 192.168.1.238
The below was the setting to talk to untangle as the DNS forward - same issue as the above which is a temporarily setup BIND server
forward-addr: 192.168.1.1
END OF CONFIG FILE
Anyone have any ideas?
Rod