Update Unbound general, overrides and forwarding documentation

pull/432/head
Stephan 2 years ago committed by Stephan de Wit
parent bd2d008ef2
commit 1b888f7233

@ -6,6 +6,7 @@ Unbound is a validating, recursive, caching DNS resolver. It is designed to be f
Since OPNsense 17.7 it has been our standard DNS service, which on a new install is enabled by default.
.. _general:
-------------------------
General settings
@ -43,27 +44,26 @@ DHCP Domain Override When the above registrations shouldn't use
DHCP Static Mappings Register static dhcpd entries so clients can resolve them. Supported on IPv4 and
IPv6.
IPv6 Link-local Register link local addresses for IPv6.
System A/AAAA records If this option is set, then no A/AAAA records for the configured listen interfaces
will be generated. This also means that no PTR records will be created. If desired,
you can manually add A/AAAA records in :ref:`overrides`. Use this to control which
interface IP addresses are mapped to the system host/domain name as well as to
restrict the amount of information exposed in replies to queries for the
system host/domain name.
TXT Comment Support Register descriptions as comments for dhcp static host entries.
DNS Query Forwarding Forward queries to configured nameservers in
:menuselection:`System --> Settings --> General : DNS Server`
Local Zone Type The local zone type used for the system domain.
Type descriptions are available under "local-zone:" in the
`unbound.conf(5) <https://nlnetlabs.nl/documentation/unbound/unbound.conf/>`__
manual page. The default is 'transparent'.
==================================== ===============================================================================
.. Note::
Be careful enabling "DNS Query Forwarding" in combination with **DNSSEC**, when the upstream server doesn't support
DNSSEC, its answers will be considered insecure since no DNSSEC validation could be performed.
.. Note::
In order for the client to query unbound, there need to be an ACL assigned in
:menuselection:`Services --> Unbound DNS --> Access Lists`. The configured interfaces should gain an ACL automatically.
If the client address is not in any of the predefined networks, please add one manually.
.. _overrides:
-------------------------
Overrides
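Review bot: The DNSSEC note in General settings ("its answers will be considered insecure since no DNSSEC validation could be performed") disagrees with the warning this patch places under Query Forwarding, which says such answers "will not reach the client". If the note is meant to stay, align the two statements or replace it with a pointer to :ref:`forwarding` so the behaviour is described in one place. In the ACL note, "there need to be an ACL assigned" should read "there needs to be an ACL assigned".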
@ -75,6 +75,14 @@ domain should be forwarded to a predefined server.
**Host override settings**
=====================================================================================================================
Host overrides can be used to change DNS results from client queries or to add custom DNS records. PTR records
are also generated under the hood to support reverse DNS lookups. These are generated in the following way:
* If **System A/AAAA records** in :ref:`general` is unchecked, a PTR record is created for the primary interface.
* Each host override entry **that does not include a wildcard for a host**, is assigned a PTR record.
* If a host override entry **includes a wildcard for a host**, the first defined alias is assigned a PTR record.
* Every other alias does not get a PTR record.
==================================== ===============================================================================
Host Name of the host, without domain part. Use "*" to create a wildcard entry.
Domain Domain of the host (such as example.com)
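Review bot: The PTR rules in the bullet list leave two cases unclear. "a PTR record is created for the primary interface" does not say how the primary interface is chosen, while the System A/AAAA records description in General refers to "the configured listen interfaces". "Every other alias does not get a PTR record" does not say whether it covers only wildcard entries or the aliases of every host override. Suggest stating the interface selection rule and spelling out which aliases the last bullet covers, since PTR records determine what reverse lookups reveal about the host. The comma before "is assigned" in the second bullet can be dropped.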
@ -86,14 +94,21 @@ Aliases Copies of the above data for different hos
**Aliases**
You may create alternative names for an Host. E.g. when having a webserver with several virtual hosts
you create an Host override entry with the IP and name for the webserver and an alias name for every virtual host on this webserver.
You may create alternative names for a Host. E.g. when having a webserver with several virtual hosts
you create a Host override entry with the IP and name for the webserver and an alias name for every virtual host on this webserver.
You have to select the host in the top list and it will the show you the assigned aliases in the bottom list.
**Domain override settings**
=====================================================================================================================
Domain overrides can be used to forward queries for specific domains (and subsequent subdomains) to local or remote DNS servers.
.. Important::
Domain overrides has been superseded by :ref:`forwarding`. Query forwarding also allows you to forward every single
request.
==================================== ===============================================================================
Domain Domain to override
IP address IP address of the authoritative DNS server for this domain
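Review bot: The Important block says "Domain overrides has been superseded by :ref:`forwarding`" but the settings table directly below still documents the feature without saying whether existing domain overrides keep working or need to be migrated; a sentence on that would help. "has been" should be "have been". While this paragraph is being touched, the line after the corrected Aliases text still reads "it will the show you", which should be "it will then show you".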
@ -250,6 +265,8 @@ YoYo List https://pgl.yoyo.org/adservers/
Usually once a day is a good enough interval for these type of tasks.
.. _forwarding:
-------------------------
Query Forwarding
-------------------------
@ -286,6 +303,13 @@ Port Specify the port used by the DNS server. D
configuring e.g. :doc:`/manual/how-tos/dnscrypt-proxy`
==================================== ===============================================================================
.. warning::
Be careful enabling "DNS Query Forwarding" in combination with **DNSSEC**, no DNSSEC validation will be performed
for forwards with a specific domain, as the upstream server might be a local controller. If forwarding
everything and the upstream server doesn't support DNSSEC, its answers will not reach the client as no DNSSEC
validation could be performed.
-------------------------
DNS over TLS
-------------------------
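Review bot: The warning packs two different behaviours into one run-on sentence and names the option "DNS Query Forwarding", which is the label of the General setting, although it sits in the Query Forwarding section. Suggest splitting it: one sentence stating that forwards for a specific domain are not DNSSEC validated, and a second one for the forward-everything case where an upstream without DNSSEC support leads to answers that do not reach the client. "as the upstream server might be a local controller" gives the reason without explaining the term; either define it or phrase it as "a local server that does not sign its zones" if that is what is meant.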
