Unbound+DNS Firewall via IPSET DNS.. is this possible?

Hello again,

It seems I've been asking a lot in the forums lately ahahaha :rofl:

Anyway..
I'm currently using dnsmasq-full with ipset-dns (based on this setup: DNS-based firewall with IP sets)

Now I tried experimenting with moving to an Unbound-based DNS setup, but I can't seem to make DNS IPSET work.

I've tried looking for wikis or documents that may be related to this but can't find any.

Can anybody point me in the right direction?

It looks like DNS IPSET depends on dnsmasq, so to get DNS IPSET to work with unbound, I reckon you'll probably have to configure dnsmasq to use unbound as its upstream resolver.

I use Pi-hole (based on dnsmasq) and unbound together on the same device. I used https://docs.pi-hole.net/guides/dns/unbound/ to help me configure it. While that guide is intended for Pi-hole, remember that Pi-hole is just a fancy front end to dnsmasq.

In a nutshell, unbound is the upstream resolver for Pi-hole/dnsmasq. Following that configuration guide, it listens on port 5335, which means dnsmasq has to talk to 127.0.0.1#5335 for upstream resolution. By default unbound listens on port 53, which would conflict with dnsmasq, hence the need to configure unbound to use a different port.

1 Like

OK.. so totally moving to a full unbound setup for DNS won't work? I was thinking of just using dnsmasq for DHCP :smile:

Thanks.. I guess I'll stay with dnsmasq for a while longer :laughing: unless there is a way to make DNS IPSET work with unbound directly :slight_smile:

It seems that Unbound provides built-in IP set support.
But it is missing in 19.07 and enabled only in 21.02/master.

Another option is to set up an Unbound forward zone to the ipset-dns resolver:

2 Likes

I just found an Issue on GitHub which suggests that this is intentional: https://github.com/openwrt/packages/issues/13810

2 Likes

I've tried this route, but I wasn't sure if I was doing it correctly since I can't find any documentation related to ipsets (although it was mentioned in the options, it was mentioned only once and nothing more)

Hmmm.. I think I've found a possible solution

In the IPSet DNS documentation, this is how the domains to be filtered are configured

# Configure domains to filter
uci add_list dhcp.@dnsmasq[0].server="/example.com/127.0.0.1#53001"
uci add_list dhcp.@dnsmasq[0].server="/example.net/127.0.0.1#53001"
uci commit dhcp
/etc/init.d/dnsmasq restart

And according to the README of unbound, you can define a similar setup like this:

  # this alternate server is fully specified inline
  list server '192.0.2.153@443#dns.alternate.example.org'

So combining the two might work??

uci add_list unbound.forward.server='127.0.0.1@53001#example.com'
uci add_list unbound.forward.server='127.0.0.1@53001#example.net'
uci commit unbound
/etc/init.d/unbound restart

I haven't tried it yet.. probably in the next few days I'll get a chance to test it out.

1 Like
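Editor's added example, not code from the thread, the ipset-dns guide or the OpenWrt unbound package: a small POSIX shell script that generates (and, on the router, applies) the uci batch for the layered setup the earlier reply recommends and the ipset-dns snippet above configures. dnsmasq stays in front, the listed domains are forwarded to ipset-dns on 127.0.0.1#53001, everything else goes to Unbound on 127.0.0.1#5335, and Unbound is moved to listen_port 5335 so it does not clash with dnsmasq on 53. The ports 53001 and 5335 are the values used in this thread, not defaults; the uci section name ub_main is assumed to be the OpenWrt unbound package's default section. Domain names are validated before they are interpolated into the /domain/server syntax, since a stray '/' or whitespace would silently change which resolver a name is sent to.

```shell
#!/bin/sh
# Added example (not from the thread or any project). Builds the uci batch for:
#   listed domains -> ipset-dns (127.0.0.1#53001)
#   everything else -> Unbound (127.0.0.1#5335), Unbound moved off port 53.
# Assumptions: ports 53001/5335 come from the thread; 'ub_main' is assumed to be
# the default unbound uci section. Nothing is applied unless apply_uci is called.

IPSET_DNS="127.0.0.1#53001"   # ipset-dns resolver (port from the ipset-dns guide)
UNBOUND="127.0.0.1#5335"      # Unbound on 5335 so it does not clash with dnsmasq on 53

# Reject names that would break dnsmasq's /domain/server syntax or smuggle in
# extra uci directives: empty, containing '/', or anything outside [A-Za-z0-9.-].
valid_domain() {
    case "$1" in
        ""|*/*|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the uci batch to stdout. Usage: gen_uci_batch example.com example.net
# Returns 1 and prints nothing if any domain fails valid_domain.
gen_uci_batch() {
    for d in "$@"; do
        valid_domain "$d" || { echo "gen_uci_batch: bad domain '$d'" >&2; return 1; }
    done
    # Per-domain overrides: dnsmasq uses the longest matching server= entry.
    for d in "$@"; do
        echo "add_list dhcp.@dnsmasq[0].server='/$d/$IPSET_DNS'"
    done
    # Catch-all upstream, and stop dnsmasq from also reading /etc/resolv.conf.
    echo "add_list dhcp.@dnsmasq[0].server='$UNBOUND'"
    echo "set dhcp.@dnsmasq[0].noresolv=1"
    # Move Unbound off port 53; must match the UNBOUND address above.
    echo "set unbound.ub_main.listen_port=5335"
    echo "commit dhcp"
    echo "commit unbound"
}

# Apply on an OpenWrt box: clear the old server list first so re-running the
# script does not accumulate duplicate entries, then feed the batch to uci.
apply_uci() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found; run this on the router" >&2; return 1; }
    uci -q delete dhcp.@dnsmasq[0].server || true
    gen_uci_batch "$@" | uci batch || return 1
    /etc/init.d/dnsmasq restart
    /etc/init.d/unbound restart
}

# Dry run when invoked directly with domains: prints the batch, applies nothing.
if [ $# -gt 0 ]; then
    gen_uci_batch "$@"
fi
```

Run it as `sh ipset-layering.sh example.com example.net` to see the batch, check it, and only then call apply_uci from the router. After applying, `nslookup example.com 127.0.0.1` should populate the ipset-dns set while `nslookup openwrt.org 127.0.0.1` goes through Unbound on 5335.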

Good luck!

1 Like

Just an update.. I can't make UNBOUND work with IPSET-DNS directly ahahahahaha.. back to the drawing board then :rofl: :rofl: :rofl:

1 Like