Dear experts,
I would like to configure unbound for my setup but I am totally lost with the terminology and the settings. Here is my setup:
- I have a split VPN client running that forwards certain subnets to the VPN server and forwards all DNS requests to the VPN server side (I guess all subdomains of myvpn.org should be answered by the DNS on the VPN server side)
- I have a local router with domain "lan"
- I would like to use my ISP's DNS but do the caching myself (not sure if the router does it)
How could I make all this work, i.e.,
- Forward all DNS requests for *.myvpn.org through the VPN
- Query the router for requests for *.lan
- And use my ISP's DNS (via the router 192.168.178.1) for all other queries?
Thanks so much for your help.
Kind regards,
Herbert
Hello Herbert,
assuming the VPN-server side and the router act as authoritative nameservers, you may try this:
stub-zone:
    name: "myvpn.org."
    stub-addr: <ip-address of your DNS on the VPN server side>
stub-zone:
    name: "lan."
    stub-addr: <local router's ip address>
forward-zone:
    name: "."
    forward-addr: <ip address of your ISP's resolver>
You may replace the stub-zones with forward-zones.
Andreas
Your router is likely running dnsmasq, so "forward-zone:" is probably in order for "lan.". Also don't forget about the reverse IP zones. Otherwise you will leak your VPN IP. I am assuming addresses to make the example clear. Also, side note: I would guess OpenWrt with the fake domain "lan.". You might install Unbound and a VPN client on your home router.
stub-zone:
    # split VPN
    name: "myvpn.org."
    stub-addr: 192.0.2.1
    stub-addr: 2001:db8::1
stub-zone:
    # split VPN
    name: "2.0.192.in-addr.arpa."
    stub-addr: 192.0.2.1
    stub-addr: 2001:db8::1
stub-zone:
    # split VPN
    name: "8.b.d.0.1.0.0.2.ip6.arpa."
    stub-addr: 192.0.2.1
    stub-addr: 2001:db8::1
forward-zone:
    # home router
    name: "lan."
    forward-addr: 10.10.0.1
    forward-addr: fd00:0a0a::1
forward-zone:
    # home router
    name: "0.10.10.in-addr.arpa."
    forward-addr: 10.10.0.1
    forward-addr: fd00:0a0a::1
forward-zone:
    # home router
    name: "a.0.a.0.0.0.d.f.ip6.arpa."
    forward-addr: 10.10.0.1
    forward-addr: fd00:0a0a::1
forward-zone:
    # protect your universe look ups with TLS
    # ISP have been suspected of data mining customers
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-first: no
    forward-tls-upstream: yes
# forward-zone:
#     # home router will likely know ISP DNS server from DHCP
#     # so forward to it and no maintenance if ISP changes
#     name: "."
#     forward-addr: 10.10.0.1
#     forward-addr: fd00:0a0a::1
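A worked version of the two configs above, added here as an example and not code from the thread or from the Unbound project. It renders Andreas's stub/forward layout for Herbert's actual router address and adds the reverse zones the previous reply insists on, deriving the in-addr.arpa / ip6.arpa names from the prefixes instead of hand-reversing octets. The part neither reply mentions: Unbound ships built-in "static" local-zones for private and documentation space (10.in-addr.arpa, 168.192.in-addr.arpa, 2.0.192.in-addr.arpa, d.f.ip6.arpa, ...), and a stub or forward zone underneath one of them is never consulted until that default is switched off with `local-zone: "<name>" nodefault`, so the generator emits those lines. The addresses are assumptions (router 192.168.178.1 for "lan." and 192.168.178.0/24; a placeholder VPN resolver 192.0.2.1 for "myvpn.org." and 192.0.2.0/24), and DEFAULT_LOCAL_ZONES is only the subset of Unbound's defaults relevant here.

```python
"""Render an unbound.conf fragment for the split setup in the thread,
including reverse zones and the local-zone defaults that would shadow them.

Added example; addresses are assumptions, see the lead-in.
"""
import ipaddress

# Reverse trees Unbound answers itself by default (built-in "static"
# local-zones per unbound.conf(5)).  A stub/forward zone under one of these
# is ignored unless the default is disabled with `local-zone: NAME nodefault`.
# Subset relevant to private and documentation space (assumption).
DEFAULT_LOCAL_ZONES = (
    "10.in-addr.arpa.", "168.192.in-addr.arpa.", "2.0.192.in-addr.arpa.",
    "d.f.ip6.arpa.", "8.b.d.0.1.0.0.2.ip6.arpa.",
) + tuple(f"{n}.172.in-addr.arpa." for n in range(16, 32))


def reverse_zone(prefix: str) -> str:
    """Map an IP prefix to the single reverse zone that covers it.

    Only octet-aligned IPv4 (/8, /16, /24) and nibble-aligned IPv6 prefixes
    map to exactly one zone; anything else would need several stanzas.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen not in (8, 16, 24):
            raise ValueError(f"{prefix}: need a /8, /16 or /24")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen == 0 or net.prefixlen % 4:
        raise ValueError(f"{prefix}: need a nibble-aligned IPv6 prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def shadowing_default(zone: str):
    """Return the built-in local-zone that would shadow `zone`, if any."""
    for d in DEFAULT_LOCAL_ZONES:
        if zone == d or zone.endswith("." + d):
            return d
    return None


def stanza(kind: str, name: str, servers) -> str:
    key = "stub-addr" if kind == "stub-zone" else "forward-addr"
    lines = [f"{kind}:", f'    name: "{name}"'] + [f"    {key}: {s}" for s in servers]
    return "\n".join(lines)


def build_config(sites, upstream) -> str:
    """sites: dicts with kind, domain, prefixes, servers.
    upstream: resolvers for everything else (the forward-zone for ".")."""
    zones, nodefault = [], []
    for s in sites:
        for name in [s["domain"]] + [reverse_zone(p) for p in s["prefixes"]]:
            zones.append((s["kind"], name, s["servers"]))
            d = shadowing_default(name)
            if d and d not in nodefault:
                nodefault.append(d)
    server = ["server:"]
    server += [f'    local-zone: "{d}" nodefault' for d in nodefault]
    # The private zones are unsigned; only matters if DNSSEC validation is on.
    server += [f'    domain-insecure: "{name}"' for _, name, _ in zones]
    parts = ["\n".join(server)]
    parts += [stanza(k, n, srv) for k, n, srv in zones]
    parts.append(stanza("forward-zone", ".", upstream))
    return "\n\n".join(parts) + "\n"


# Assumed addresses: VPN-side resolver is authoritative (stub), the router
# runs a recursive resolver such as dnsmasq (forward).
SITES = [
    {"kind": "stub-zone", "domain": "myvpn.org.",
     "prefixes": ["192.0.2.0/24"], "servers": ["192.0.2.1"]},
    {"kind": "forward-zone", "domain": "lan.",
     "prefixes": ["192.168.178.0/24"], "servers": ["192.168.178.1"]},
]

if __name__ == "__main__":
    print(build_config(SITES, ["192.168.178.1"]))
```

Run it and paste the output into unbound.conf, then check with `unbound-checkconf`. A quick way to see whether the nodefault lines are doing their job is `dig -x 192.168.178.1 @127.0.0.1`: with the default 168.192.in-addr.arpa local-zone still active you get an immediate NXDOMAIN from Unbound itself rather than the router's answer.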
> Dear experts,
> I would like to configure unbound for my setup but I am totally lost with
> the terminology and the settings. Here is my setup:
> * I have a split VPN client running that forwards certain subnets to
> the VPN server and forwards *all* DNS requests to the VPN server side
> (I guess all subdomains of myvpn.org should be answered by the DNS on
> the VPN server side)
> * I have a local router with domain "lan"
> * I would like to use my ISP's DNS but do the caching myself (not sure if
> the router does it)
> How could I make all this work, i.e.,
> * Forward all DNS requests for *.myvpn.org through the VPN
Depending on the VPN software, you can redirect DNS automatically if
running unbound locally. E.g. libreswan will automatically run
unbound-control to forward the DNS zone(s) obtained from the IKE/IPsec
VPN server, clear the cache, and do the reverse on disconnect.
I used to have a patch to openvpn to do the same,
but these depend on running unbound on the device that starts the VPN
too.
> * Query the router for requests for *.lan
That could be a permanent override, as people explained already. You add
it to the unbound config.
> * And use my ISP's DNS (via the router 192.168.178.1) for all other
> queries?
That can be a simple: unbound-control forward_add "." IpOfISPNameserver
or you can add it statically in the unbound.conf file.
Paul
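What Paul describes libreswan doing, written out as an OpenVPN --up/--down hook. This is an added example, not libreswan's, OpenVPN's or Unbound's own code. It assumes OpenVPN's documented hook environment (script_type is "up" or "down"; options pushed by the server as `dhcp-option DOMAIN x` and `dhcp-option DNS ip` show up as foreign_option_N variables) and that remote-control is enabled in unbound.conf. On connect it adds a forward-zone for each pushed domain with `+i` (domain-insecure, since the VPN-side answers carry no RRSIGs) and flushes the cache for that zone so stale public answers are not served; on disconnect it removes the forward and flushes again so VPN-side answers do not outlive the tunnel. The sample environment in the test is constructed.

```python
#!/usr/bin/env python3
"""OpenVPN --up/--down hook: point the local Unbound at the VPN-side
resolver for the pushed domain(s) at connect time, undo it at disconnect.

Added example (not libreswan's, OpenVPN's or Unbound's code).  Assumes
OpenVPN's hook environment: script_type in {"up", "down"} and pushed
"dhcp-option DOMAIN x" / "dhcp-option DNS ip" in foreign_option_N.
Install with:  --up /path/to/hook.py --down /path/to/hook.py --script-security 2
"""
import os
import subprocess
import sys


def pushed_options(env):
    """Return (domains, resolvers) read from foreign_option_1..N."""
    domains, resolvers = [], []
    i = 1
    while f"foreign_option_{i}" in env:
        parts = env[f"foreign_option_{i}"].split()
        if len(parts) == 3 and parts[0] == "dhcp-option":
            if parts[1] == "DOMAIN":
                domains.append(parts[2].rstrip(".") + ".")  # absolute zone name
            elif parts[1] == "DNS":
                resolvers.append(parts[2])
        i += 1
    return domains, resolvers


def unbound_commands(script_type, domains, resolvers):
    """Build the unbound-control invocations for an up or down event.

    Unknown script types (route-up, tls-verify, ...) produce nothing."""
    cmds = []
    for zone in domains:
        if script_type == "up":
            # +i also adds domain-insecure: the VPN-side zone is unsigned
            cmds.append(["unbound-control", "forward_add", "+i", zone] + resolvers)
        elif script_type == "down":
            cmds.append(["unbound-control", "forward_remove", zone])
        else:
            continue
        # Drop cached answers for the zone so the next query takes the new path
        cmds.append(["unbound-control", "flush_zone", zone])
    return cmds


def main(env=os.environ, run=subprocess.run):
    domains, resolvers = pushed_options(env)
    script_type = env.get("script_type", "")
    if not domains or (script_type == "up" and not resolvers):
        return 0  # nothing pushed, leave Unbound alone
    for cmd in unbound_commands(script_type, domains, resolvers):
        run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The reverse zones for the pushed routes need the same treatment (forward_add for the matching in-addr.arpa / ip6.arpa names), otherwise PTR lookups for VPN addresses still go to the ISP, which is the leak the earlier reply warns about.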