pigmonkey / spark

Arch Linux Provisioning with Ansible
The Unlicense

unbound doesn't get the dns ip address from DHCP from NetworkManager #115

Open dummys opened 9 months ago

dummys commented 9 months ago

Hey, I'm wondering if this should be the correct behavior or not. As I understand, we are using NetworkManager with openresolv with resolver. Thus it should get the IP address of the DNS from DHCP and add it to the file under /etc/unbound/resolvconf.conf, which should be populated by resolvconf, right? As inside resolvconf.conf we have:

unbound_conf=/etc/unbound/resolvconf.conf

In my case, this file exists, but it is empty. Do you have the same behavior? If I use:

resolvconf -l

I get the two new DNS IPs from DHCP, but they are not used anywhere by unbound then. My /etc/resolv.conf is chattr +i and contains only 127.0.0.1 as nameserver.

pigmonkey commented 9 months ago

I don't really use local network DNS.

All my resolvconf stuff looks to be working correctly:

$ cat /etc/unbound/resolvconf.conf
# Generated by resolvconf

forward-zone:
        name: "myprivatedomain.com"
        forward-addr: 10.0.1.1
        forward-addr: 2600:1700:450:e11f:20d:b9ff:fe3b:e0c2

$ cat /etc/resolvconf.conf
# Configuration for resolvconf(8)
# See resolvconf.conf(5) for details

resolv_conf=/etc/resolv.conf

name_servers=127.0.0.1
unbound_conf=/etc/unbound/resolvconf.conf
private_interfaces="*"

$ resolvconf -l
# resolv.conf from NetworkManager
# Generated by NetworkManager
search myprivatedomain.com
nameserver 10.0.1.1
nameserver 2600:1700:450:e11f:20d:b9ff:fe3b:e0c2

$ cat /etc/resolv.conf
# Generated by resolvconf
search myprivatedomain.com
nameserver 127.0.0.1

My router is at 10.0.1.1 with a hostname of router.myprivatedomain.com.

Unbound fails to resolve that:

$ dig +short router.myprivatedomain.com @127.0.0.1

But that is because I explicitly tell Unbound not to resolve private address ranges: https://github.com/pigmonkey/spark/blob/master/roles/unbound/templates/unbound.conf.j2#L20

If I comment out the line for 10.0.0.0/8 and restart Unbound, it forwards the zone and properly resolves the name:

$ dig +short router.myprivatedomain.com @127.0.0.1
10.0.1.1

So I think everything is working as expected, but, like I said, I don't really care about the local network's DNS. I want everything to go through my Unbound. It could be that a different configuration is needed if you want to use your local router as a DNS server.

I do not think you want to chattr +i /etc/resolv.conf. That will prevent NetworkManager, or anything else, from writing to that file. In that case your system would only know about whatever DNS your local networking is providing if you hard code it in that file.

dummys commented 9 months ago

OK, I see. What is the reason to add those lines then: https://github.com/pigmonkey/spark/blob/master/roles/unbound/templates/unbound.conf.j2#L20 Thus it means that whenever we join a local network with another DNS server, we are not able to resolve local DNS names then? My problem is that when I'm at a CTF event, usually you get a custom DNS server sent by DHCP, and to access the scoreboard they give you a hostname. That's why I want my unbound to also have them as forwarders. Is there some risk in just removing all those private addresses from unbound or not?

At this line:

$ cat /etc/unbound/resolvconf.conf

where does the forward-zone come from? I don't get it on my local network despite DHCP sending it correctly. My /etc/unbound/resolvconf.conf is empty. I don't understand, because inside resolvconf -l I see it correctly.

pigmonkey commented 9 months ago

My memory is that those private-address exclusions were added to prevent DNS rebinding attacks. I don't want to join a local network with a malicious DNS server that is going to cause me to resolve github.com as 192.168.1.203 and phish my credentials.

A properly configured LAN DNS server should use a private domain like .intranet, .private, etc. Support for that comes from all the bits that get added when unbound.private_domains is defined. Anything listed in the Unbound config as a private-domain can resolve to private addresses, despite the private-address entries.

So, for example, when I'm on my home network my router is at 10.1.10.1 with a domain of router.havenaut.private. Everything works great:

$ cat /etc/unbound/resolvconf.conf
# Generated by resolvconf

forward-zone:
        name: "havenaut.private"
        forward-addr: 10.1.10.1
        forward-addr: 2601:645:4300:77:20d:b9ff:fe32:fd86

$ cat /etc/resolvconf.conf
# Configuration for resolvconf(8)
# See resolvconf.conf(5) for details

resolv_conf=/etc/resolv.conf

name_servers=127.0.0.1
unbound_conf=/etc/unbound/resolvconf.conf
private_interfaces="*"

$ resolvconf -l
# resolv.conf from NetworkManager
# Generated by NetworkManager
search havenaut.private
nameserver 10.1.10.1
nameserver 2601:645:4300:77:20d:b9ff:fe32:fd86

$ cat /etc/resolv.conf
# Generated by resolvconf
search havenaut.private
nameserver 127.0.0.1

$ dig +short router.havenaut.private @127.0.0.1
10.1.10.1

If you need to allow non-private domains to be resolved by your local network's DNS servers, you'd have to remove those private-address lines. If it was me I'd probably just comment out the appropriate line and restart Unbound when I was on such a network where I wanted to make that exception. I'd rather keep the default behaviour the way it is so that I don't have to worry about malicious coffee shop wifi.

My guess is that your /etc/unbound/resolvconf.conf might be empty because you made /etc/resolv.conf unwritable. I would undo that chattr +i, restart things, confirm that /etc/resolv.conf now has the search entry for your local network's domain, and then check /etc/unbound/resolvconf.conf.

dummys commented 9 months ago

OK, now I understand your configuration. But I still don't get the:

$ cat /etc/unbound/resolvconf.conf
# Generated by resolvconf

forward-zone:
        name: "havenaut.private"
        forward-addr: 10.1.10.1
        forward-addr: 2601:645:4300:77:20d:b9ff:fe32:fd86

Even if I have commented out all the private-address lines, this file didn't get generated, even though resolvconf -l gives me two new DNS servers.

petRUShka commented 4 months ago

Suppose I have server.local to be resolved as 10.20.10.20.

I cannot resolve server.local unless I comment out private-address: 10.0.0.0/8:

#  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: 169.254.0.0/16
  private-address: fd00::/8
  private-address: fe80::/10

It happens whereas I have:

  # Allow private domains.
  private-domain: "private"
  private-domain: "local"

It doesn't look like expected behavior. @pigmonkey, am I doing it right?
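The interaction pigmonkey describes between private-address and private-domain (private addresses are stripped from answers for public names, but allowed for a private-domain and its subdomains), and the server.local case petRUShka asks about, modelled as an added example. This is not code from the spark repo or from Unbound; it is a small Python model of the documented filter, written here to show which answers the configuration in this thread is expected to keep or drop. The address ranges and the "private"/"local" domains are copied from the thread; the answer lists, the github.com rebinding case, and the public address 203.0.113.7 are constructed test inputs.

```python
import ipaddress

# Constructed to mirror the unbound.conf lines quoted in this thread.
# This is a model of Unbound's rebinding filter, not Unbound's own code.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]
PRIVATE_DOMAIN = ("private", "local")


def is_private_address(addr: str) -> bool:
    """True if addr falls inside any configured private-address range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_ADDRESS)


def in_private_domain(qname: str, private_domains=PRIVATE_DOMAIN) -> bool:
    """True if qname is a private-domain or a subdomain of one.

    The match is on whole DNS labels, so "notprivate" is not under
    "private", while "router.havenaut.private" is.
    """
    labels = qname.rstrip(".").lower().split(".")
    for dom in private_domains:
        dlabels = dom.rstrip(".").lower().split(".")
        if len(dlabels) <= len(labels) and labels[-len(dlabels):] == dlabels:
            return True
    return False


def filter_answer(qname: str, addresses, private_domains=PRIVATE_DOMAIN):
    """Apply the private-address rule to one answer.

    Returns (kept, dropped). Names under a private-domain pass through
    untouched; for every other name, private addresses are removed, which
    is what stops a hostile LAN resolver from pointing github.com at a
    machine on the local network.
    """
    if in_private_domain(qname, private_domains):
        return list(addresses), []
    kept = [a for a in addresses if not is_private_address(a)]
    dropped = [a for a in addresses if is_private_address(a)]
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample answers, not real lookups.
    cases = [
        ("github.com", ["192.168.1.203", "203.0.113.7"]),   # rebinding attempt
        ("router.havenaut.private", ["10.1.10.1"]),        # pigmonkey's router
        ("server.local", ["10.20.10.20"]),                 # petRUShka's host
    ]
    for name, addrs in cases:
        kept, dropped = filter_answer(name, addrs)
        print(f"{name:26} kept={kept} dropped={dropped}")
```

Under this model, with private-domain "local" configured, server.local resolving to 10.20.10.20 is expected to be kept even while private-address 10.0.0.0/8 stays in place; if a real Unbound instance drops it, the private-domain line is not taking effect (for instance, it is not in the config that is actually loaded), and that is what to check before removing a private-address line.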