Unbound with split VPN and local domain
Eric Luehrsen
ericluehrsen at gmail.com
Sun Apr 14 16:21:24 UTC 2019
On 4/14/19 8:00 AM, A. Schulze via Unbound-users wrote:
>
>
> Am 14.04.19 um 12:43 schrieb Herbert Meier via Unbound-users:
>> Dear experts,
>>
>> I would like to configure unbound for my setup but I am totally lost with the terminology and the settings. Here is my setup:
>>
>> * I have a split VPN client running that forwards certain subnets to the VPN server and forwards *all* DNS requests to the VPN server side (I guess all subdomains of myvpn.org should be answered by the DNS on the VPN server side)
>> * I have a local router with domain "lan"
>> * I would like to use my ISP's DNS but do caching myself (not sure if the router does it)
>>
>> How could I make all this work, i.e.,
>>
>> * Forward all DNS requests for *.myvpn.org through the VPN
>> * Query the router for requests for *.lan
>> * And use my ISP's DNS (via the router 192.168.178.1) for all other queries?
>>
>> Thanks so much for your help.
>
> Hello Herbert,
>
> assuming the VPN server side and the router act as authoritative nameservers, you may try this:
>
> stub-zone:
>     name: "myvpn.org."
>     stub-addr: <ip-address of your DNS on the VPN server side>
> stub-zone:
>     name: "lan."
>     stub-addr: <local router's ip address>
> forward-zone:
>     name: "."
>     forward-addr: <ip address of your ISP's resolver>
>
> You may replace the stub-zones with forward-zones.
>
> Andreas
>
Your router is likely running dnsmasq, so "forward-zone:" is probably in order for "lan." Also don't forget about the reverse
IP zones. Otherwise you will leak your VPN IP. I am assuming addresses to make the example clear. Also, side note: I
would guess OpenWrt with the fake domain "lan." You might install Unbound and a VPN client on your home router.
stub-zone:
    # split VPN
    name: "myvpn.org."
    stub-addr: 192.0.2.1
    stub-addr: 2001:db8::1
stub-zone:
    # split VPN
    name: "2.0.192.in-addr.arpa."
    stub-addr: 192.0.2.1
    stub-addr: 2001:db8::1
stub-zone:
    # split VPN
    name: "8.b.d.0.1.0.0.2.ip6.arpa."
    stub-addr: 192.0.2.1
    stub-addr: 2001:db8::1
forward-zone:
    # home router
    name: "lan."
    forward-addr: 10.10.0.1
    forward-addr: fd00:0a0a::1
forward-zone:
    # home router
    name: "0.10.10.in-addr.arpa."
    forward-addr: 10.10.0.1
    forward-addr: fd00:0a0a::1
forward-zone:
    # home router
    name: "a.0.a.0.0.0.d.f.ip6.arpa."
    forward-addr: 10.10.0.1
    forward-addr: fd00:0a0a::1
forward-zone:
    # protect your universe lookups with TLS
    # ISPs have been suspected of data mining customers
    name: "."
    # upstream syntax is address@port#tls-auth-name
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-first: no
    forward-tls-upstream: yes
# forward-zone:
#     # home router will likely know the ISP DNS server from DHCP,
#     # so forward to it and there is no maintenance if the ISP changes
#     name: "."
#     forward-addr: 10.10.0.1
#     forward-addr: fd00:0a0a::1
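The reverse-zone point above is easy to miss by hand, so here is an added Python example (mine, not code from this thread or from Unbound) that derives the in-addr.arpa / ip6.arpa zone for each prefix, scans a flat stub-zone/forward-zone config for the names it already delegates, and emits the blocks that are still missing. The sample config, the prefix-to-zone map and the resolver addresses are constructed from the documentation and ULA ranges used in the thread; the parser only understands the flat "clause:" plus "name:" layout shown here, not full unbound.conf syntax.

```python
"""Derive the reverse (PTR) zones a split-DNS Unbound config must also
delegate, so reverse lookups for VPN or LAN addresses are not sent to the
public upstream.  Added example; not part of the thread or of Unbound.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample: the thread's forward zones, but with the VPN's IPv6
# reverse zone and both "lan." reverse zones deliberately left out.
SAMPLE_CONFIG = """\
stub-zone:
    name: "myvpn.org."
    stub-addr: 192.0.2.1
    stub-addr: 2001:db8::1
stub-zone:
    name: "2.0.192.in-addr.arpa."
    stub-addr: 192.0.2.1
forward-zone:
    name: "lan."
    forward-addr: 10.10.0.1
forward-zone:
    name: "."
    forward-addr: 10.10.0.1
"""

# Constructed: prefixes that are only resolvable through each private zone,
# and the resolvers each zone already points at.
PREFIXES = {
    "myvpn.org.": ["192.0.2.0/24", "2001:db8::/32"],
    "lan.": ["10.10.0.0/24", "fd00:0a0a::/32"],
}
ZONE_ADDRS = {
    "myvpn.org.": ["192.0.2.1", "2001:db8::1"],
    "lan.": ["10.10.0.1", "fd00:0a0a::1"],
}


def reverse_zone(prefix: str) -> str:
    """Map a CIDR prefix to the single in-addr.arpa / ip6.arpa zone covering it.

    Only octet-aligned IPv4 and nibble-aligned IPv6 prefixes map to one
    zone; anything else (e.g. a /20) would need several and raises.
    """
    net = ipaddress.ip_network(prefix)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"{prefix}: IPv4 reverse zone needs an octet-aligned prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: IPv6 reverse zone needs a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def zone_names(config_text: str) -> set[str]:
    """Collect the name: of every stub-zone:/forward-zone: block.

    Full-line comments are skipped; names are normalised to one trailing dot.
    """
    names: set[str] = set()
    in_zone = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("stub-zone:", "forward-zone:"):
            in_zone = True
            continue
        if line.endswith(":"):  # some other clause, e.g. server:
            in_zone = False
            continue
        m = re.match(r'name:\s*"?([^"\s]+)"?$', line)
        if in_zone and m:
            names.add(m.group(1).lower().rstrip(".") + ".")
    return names


def missing_reverse_zones(config_text: str,
                          prefixes: dict[str, list[str]]) -> dict[str, list[str]]:
    """Per private zone, the reverse zones for its prefixes not yet delegated."""
    present = zone_names(config_text)
    missing: dict[str, list[str]] = {}
    for zone, nets in prefixes.items():
        for net in nets:
            rz = reverse_zone(net)
            if rz not in present:
                missing.setdefault(zone, []).append(rz)
    return missing


def render_blocks(missing: dict[str, list[str]], addrs: dict[str, list[str]],
                  kind: str = "stub-zone") -> str:
    """Emit ready-to-paste blocks that send each missing reverse zone to the
    same resolvers as its forward zone."""
    key = "stub-addr" if kind == "stub-zone" else "forward-addr"
    out: list[str] = []
    for zone, rzs in missing.items():
        for rz in rzs:
            out.append(f"{kind}:")
            out.append(f"    # reverse zone for {zone}")
            out.append(f'    name: "{rz}"')
            out.extend(f"    {key}: {a}" for a in addrs[zone])
    return "\n".join(out)


if __name__ == "__main__":
    gaps = missing_reverse_zones(SAMPLE_CONFIG, PREFIXES)
    print("missing reverse zones:", gaps)
    print(render_blocks(gaps, ZONE_ADDRS))
```

Run it against your real unbound.conf and prefix list to see which PTR zones still fall through to "." and would reach the public resolver; the emitted blocks use stub-zone by default, and kind="forward-zone" gives the dnsmasq-style forwarding variant.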