On 4/14/19 8:00 AM, A. Schulze via Unbound-users wrote:


Am 14.04.19 um 12:43 schrieb Herbert Meier via Unbound-users:
Dear experts,

I would like to configure unbound for my setup but I am totally lost with the 
terminology and the settings. Here is my setup:

   * I have a split VPN client running that forwards certain subnets to the VPN 
server and forwards *all* DNS requests to the VPN server side (I guess all subdomains 
of myvpn.org should be answered by the DNS on the VPN server side)
   * I have a local router with domain "lan"
   * I would like to use my ISP's DNS but do caching myself (not sure if the 
router does it)

How could I make all this work, i.e.,

   * Forward all DNS requests for *.myvpn.org through the VPN
   * Query the router for requests for *.lan
   * And use my ISP's DNS (via the router 192.168.178.1) for all other queries?

Thanks so much for your help.

Hello Herbert,

assuming the VPN server side and the router act as authoritative nameservers, you may try 
this:

     stub-zone:
        name: "myvpn.org."
        stub-addr: <ip-address of your DNS on the VPN server side>
     stub-zone:
        name: "lan."
        stub-addr: <local router's ip address>
     forward-zone:
        name: "."
        forward-addr: <ip address of your ISP's resolver>

You may replace the stub-zones with forward-zones.

Andreas


Your router is likely running dnsmasq, so "forward-zone:" is probably in order for "lan.". Also don't forget about the reverse IP zones; otherwise you will leak your VPN IP. I am assuming addresses to make the example clear. Also, side note: I would guess OpenWrt with the fake domain "lan.". You might install Unbound and a VPN client on your home router.

stub-zone:
        # split VPN
        name: "myvpn.org."
        stub-addr: 192.0.2.1
        stub-addr: 2001:db8::1

stub-zone:
        # split VPN
        name: "2.0.192.in-addr.arpa."
        stub-addr: 192.0.2.1
        stub-addr: 2001:db8::1

stub-zone:
        # split VPN
        name: "8.b.d.0.1.0.0.2.ip6.arpa."
        stub-addr: 192.0.2.1
        stub-addr: 2001:db8::1

forward-zone:
        # home router
        name: "lan."
        forward-addr: 10.10.0.1
        forward-addr: fd00:0a0a::1

forward-zone:
        # home router
        name: "0.10.10.in-addr.arpa."
        forward-addr: 10.10.0.1
        forward-addr: fd00:0a0a::1

forward-zone:
        # home router
        name: "a.0.a.0.0.0.d.f.ip6.arpa."
        forward-addr: 10.10.0.1
        forward-addr: fd00:0a0a::1

forward-zone:
        # protect your universe look ups with TLS
        # ISP have been suspected of data mining customers
        name: "."
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-first: no
        forward-tls-upstream: yes

# forward-zone:
        # home router will likely know ISP DNS server from DHCP
        # so forward to it and no maintenance if ISP changes
        # name: "."
        # forward-addr: 10.10.0.1
        # forward-addr: fd00:0a0a::1
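The reverse zones in the configuration above are the part most easily gotten wrong, and a mistyped in-addr.arpa or ip6.arpa name silently sends the PTR lookups to the public resolver instead of the VPN. The following script is an added example, not code from the thread or from Unbound: it derives the reverse zone names from the prefixes with Python's ipaddress module and renders the matching stub-zone/forward-zone stanzas. The prefixes 192.0.2.0/24, 2001:db8::/32, 10.10.0.0/24 and fd00:0a0a::/32 are assumed to be the networks behind the example addresses in the post; they are constructed sample data, not real servers.

```python
"""Derive forward and reverse zone names for an Unbound split-DNS setup.

Added example for the thread above; not part of the original post or of
Unbound itself. The prefixes and addresses are the documentation ranges
from the post (constructed sample data).
"""
import ipaddress

INDENT = " " * 8


def reverse_zone(prefix: str) -> str:
    """Return the in-addr.arpa / ip6.arpa zone (with trailing dot) covering `prefix`.

    IPv4 reverse zones exist only on octet boundaries (/8, /16, /24) and IPv6
    ones only on nibble boundaries (multiples of 4 bits). Anything else is
    rejected rather than rounded, because a wrong zone name means the PTR
    queries leak to the public resolver instead of staying inside the VPN.
    strict=True also rejects a prefix with host bits set (e.g. 192.0.2.1/24).
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"{prefix}: IPv4 reverse zones need a /8, /16 or /24")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: IPv6 reverse zones need a multiple-of-4 prefix")
    # exploded form gives fixed-width hex, e.g. 2001:0db8:0000:...; one nibble per char
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def render_zone(kind: str, name: str, addrs, comment: str, extra=()) -> str:
    """Render one stub-zone: or forward-zone: stanza in unbound.conf syntax."""
    if kind not in ("stub-zone", "forward-zone"):
        raise ValueError(f"unknown zone kind {kind!r}")
    addr_key = "stub-addr" if kind == "stub-zone" else "forward-addr"
    lines = [f"{kind}:", f"{INDENT}# {comment}", f'{INDENT}name: "{name}"']
    lines += [f"{INDENT}{addr_key}: {a}" for a in addrs]
    lines += [f"{INDENT}{k}: {v}" for k, v in extra]  # e.g. forward-tls-upstream
    return "\n".join(lines) + "\n"


def split_zones(kind: str, domain: str, prefixes, addrs, comment: str) -> str:
    """Forward zone plus one reverse zone per prefix, all pointing at `addrs`."""
    names = [domain if domain.endswith(".") else domain + "."]
    names += [reverse_zone(p) for p in prefixes]
    return "\n".join(render_zone(kind, n, addrs, comment) for n in names)


if __name__ == "__main__":
    vpn = split_zones("stub-zone", "myvpn.org", ["192.0.2.0/24", "2001:db8::/32"],
                      ["192.0.2.1", "2001:db8::1"], "split VPN")
    home = split_zones("forward-zone", "lan", ["10.10.0.0/24", "fd00:0a0a::/32"],
                       ["10.10.0.1", "fd00:0a0a::1"], "home router")
    world = render_zone("forward-zone", ".",
                        ["1.1.1.1@853#cloudflare-dns.com", "1.0.0.1@853#cloudflare-dns.com"],
                        "protect your universe look ups with TLS",
                        extra=[("forward-first", "no"), ("forward-tls-upstream", "yes")])
    print(vpn + "\n" + home + "\n" + world, end="")
```

Run it and compare the output against the hand-written configuration above; the four reverse zone names it produces are the ones in the post. Unbound ignores indentation, so the generated stanzas can be pasted into unbound.conf as they are and checked with unbound-checkconf.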
