Unbound host overrides breaks when adding a wildcard entry

[kriansa]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

Adding a DNS entry named * (wildcard) on a domain with an existing host override will be allowed by UI but will break Unbound initialization, thus making it immediately offline after applying the change.

According to the manual, wildcards should be accepted as host names for host overrides.

To Reproduce

Steps to reproduce the behavior:

1. Go to 'Services', then 'Unbound DNS', then 'Overrides'
2. Click on '+' button and add a new override
3. Set host to "abc", domain to "opnsense.com", type A, IP address 127.0.0.1
4. Save, then click Apply
5. Unbound will be still running, validate running a drill @routerip abc.opnsense.com to see that it returns an entry to 127.0.0.1
6. Click on '+' button and add a new override
7. Set Host to '*', domain to "opnsense.com", type A, IP address '127.0.0.1'
8. Save, then click Apply
9. See that Unbound will stop and won't start again unless you either remove that entry or all entries that are not wildcards for that domain and apply again

Expected behavior

Unbound should stay up, and a subsequent drill xyz.opnsense.com should return an entry to '127.0.0.1'.

Environment

I don't think it's relevant.

[collinthorn]

I have just recently experienced the same issue. I cannot pinpoint when it started, however, as I have backup DNS that my system reverted to without me knowing. The outcome (Unbound shutting down) is the same if one were to use a different IP address in step #3 listed above.

[AdSchellevis]

most likely cause is an overlapping entry (e.g. *.my.org and host.my.org assigned), these are difficult to detect upfront and if I remember correctly will break startup.

[fichtner]

Isn't "*" the reason why domain overrides exist?

[kriansa]

most likely cause is an overlapping entry (e.g. *.my.org and host.my.org assigned), these are difficult to detect upfront and if I remember correctly will break startup.

Confirmed, I just tested, and this seems to be the pre-requisite for this issue. I updated the reproducing steps.

[collinthorn]

I dislike being on an island when it comes to error reporting. In almost every case it means I'm doing something wrong and/or stupid. My wildcard entry on Host Domains is the only entry on my list; no overlapping entries. I just have the one wildcard entry directed to my reverse proxy for keep-it-inside-LAN DNS overrides. (I think this is one application of this Opnsense functionality, yes?) As soon as I hit apply, it thinks for a bit and then Unbound turns off. When I disable it Unbound immediately turns back on.

[AdSchellevis]

check the logs??

[rweir]

@collinthorn are you doing this for the same domain your OPNSense device is, and thus generated an A record for itself?

[collinthorn]

@collinthorn are you doing this for the same domain your OPNSense device is, and thus generated an A record for itself?

Indeed this was my problem. I cannot speak to the more detailed use-case that is failing @kriansa in the original posting, but my Unbound no longer fails after changing my OPNsense domain.

In case of future searches: the origin of my problem was that I had attempted a Services/Unbound DNS/Overrides override for a domain that was identified as my Opnsense device domain in System/Settings/General/Domain.

It makes sense now that I see the fix but it wasn't intuitively obvious to me when I was attempting it. I very much appreciate the experts who chimed in. Cheers.

[daJuels]

Just faced the same problem "same domain as the domain of the OPNsense device" as I have updated opensense now to the latest version.

But for sure in Version 1.14.0 unbound was working with wildcard and a specific host override:

host | domain           | ip
*    | mydomain.com     | 192.168.0.40
*    | nas.mydomain.com | 192.168.0.50

And it is still working.. so just add an override for opnsense

*    | opnsense.mydomain.com | 192.168.0.1

[OPNsense-bot]

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.

[kriansa]

Hi, can this be reopened? I know it's probably a low priority issue right now, but it's still relevant.

[Bishop-trevorstuart]

I too would like to see this fixed. The opnsense domain issue isn't a huge deal. But being able to create wildcards when it says you can should work shouldn't it?

[kriansa]

I find that crashing the DNS server is such an extreme outcome for a minor "innocent" change like configuring a domain wildcard, as present in the documentation.

I would add this warning to the docs while we don't have a fix for this issue.