
Unbound DNS: Ability to bind only to the local interface #6282

Closed
2 tasks done
jon-stumpf opened this issue Jan 29, 2023 · 4 comments
Labels
support Community support

Comments

@jon-stumpf

Is your feature request related to a problem? Please describe.

I want to configure Unbound to use (i.e., bind to) only the local interface.

I am using NextDNS as my resolver (using the plugin, os-nextdns-community) and want Unbound to only be the authoritative server for my private zones. With this configuration, the NextDNS resolver sends client identifying information to NextDNS and allows me to use NextDNS analytics. Since Unbound is only used by NextDNS which is also on the firewall, I only need it available on the local interface.

Currently, the local interface is not presented as a selectable item in the "Network Interfaces" pull down. Rather, it is added to the subset of selected interfaces.

$active_interfaces[] = 'lo0';

And, if I choose no interfaces, Unbound listens on all interfaces.

$bindints .= "interface: 0.0.0.0\n";

Describe the solution you'd like

I would like the local interface to be added to the list of Network Interfaces on the Services -> Unbound DNS -> General settings page. This way, I can specifically choose whether or not Unbound listens on this interface.

Describe alternatives you considered

I am working around the issue by selecting one of my existing interfaces and setting the port to something other than 53. This provides Unbound on the local interface (as desired) but also on an additional interface I don't want it to use.

@AdSchellevis
Member

add a loopback (Interfaces: Other Types: Loopback), assign it with an address and listen on that?

@AdSchellevis AdSchellevis added the support Community support label Jan 30, 2023
@jon-stumpf
Author

jon-stumpf commented Jan 30, 2023

Using a loopback still creates another interface and I will still have Unbound bound to two interfaces: 1) the local interface; and, 2) the loopback interface. This is slightly better as they would both be local to the firewall. But, I would prefer to use just the local interface that already exists.

@fichtner
Member

fichtner commented Jan 31, 2023

The thing with lo0 and Unbound is that we cannot add it to the list as people are going to deselect it and break their local resolution. So currently the select is modelled to always include lo0 (implicitly through 0.0.0.0/:: when deselecting all) and it has been working fine I think.

I'm personally not a fan of selecting Unbound interfaces to listen to, mostly because there are side effects like address changes we cannot easily account for in a router scenario and Unbound seems to be tailored to a single server service approach where in the best case addresses are static. Potentially we end up (re)starting Unbound every 5-10 minutes just because some DHCP address flaps or a tunnel goes down and up and Unbound needs a hard restart to take the new addresses... this all works fine in 0.0.0.0/:: so I'm unsure why adding more complexity that we cannot possibly accommodate with Unbound is a good idea (with listen addresses, ACLs and also in general). :)

BTW, you could also just add a disabled or management interface to that list. The effect is the same.

Cheers,
Franco
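The thread turns on what the generated unbound.conf actually binds to: explicit `interface:` lines for selected interfaces, or `0.0.0.0`/`::` (every address) when nothing is selected, with `access-control:` lines deciding who may query. The following script is an added example, not code from the OPNsense project or from any participant in this issue. It parses a small Unbound `server:` block and reports whether the listener set is loopback-only, which wildcard listeners are present, and which non-loopback networks are explicitly allowed. The two configuration texts are constructed samples that mirror the two situations described above (no interfaces selected, and a loopback-only listener on an alternate port); the function and variable names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the "no interfaces selected" case described in the thread,
# where the template emits wildcard listeners and the LAN is allowed by ACL.
WILDCARD_CONF = """\
server:
    port: 53
    interface: 0.0.0.0
    interface: ::
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
"""

# Constructed sample: a loopback-only listener on a non-default port (addr@port form),
# the shape the author wants for a resolver that is only consumed on the firewall itself.
LOOPBACK_CONF = """\
server:
    interface: 127.0.0.1@5335
    interface: ::1@5335
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
"""

PORT_RE = re.compile(r"^\s*port:\s*(\d+)")
INTERFACE_RE = re.compile(r"^\s*interface:\s*(\S+)")
ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)")


@dataclass
class Listener:
    address: str   # literal address, or an interface name if Unbound is given one
    port: int


def parse_listeners(conf: str, default_port: int = 53) -> list[Listener]:
    """Collect every `interface:` directive, honouring Unbound's addr@port syntax.

    The global `port:` (if any) applies to listeners that carry no @port suffix.
    """
    port = default_port
    for line in conf.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
    listeners = []
    for line in conf.splitlines():
        m = INTERFACE_RE.match(line)
        if not m:
            continue
        addr, _, explicit = m.group(1).partition("@")
        listeners.append(Listener(addr, int(explicit) if explicit else port))
    return listeners


def classify(address: str) -> str:
    """Return 'wildcard', 'loopback', 'specific', or 'named' (non-IP interface name)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "named"
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    return "specific"


def summarize(conf: str) -> dict:
    """Summarize exposure: listener classes plus ACL networks allowed beyond loopback."""
    listeners = parse_listeners(conf)
    classes = [classify(l.address) for l in listeners]
    allowed_nonlocal = []
    for line in conf.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        net, action = m.groups()
        # Unbound's permissive actions all begin with "allow" (allow, allow_snoop, ...).
        if not action.startswith("allow"):
            continue
        if not ipaddress.ip_network(net, strict=False).is_loopback:
            allowed_nonlocal.append(net)
    return {
        "listeners": [(l.address, l.port) for l in listeners],
        "wildcard": [l.address for l, c in zip(listeners, classes) if c == "wildcard"],
        "loopback_only": bool(listeners) and all(c == "loopback" for c in classes),
        "allowed_nonlocal": allowed_nonlocal,
    }


if __name__ == "__main__":
    for name, conf in (("wildcard", WILDCARD_CONF), ("loopback", LOOPBACK_CONF)):
        print(name, summarize(conf))
```

Run it against the text of a real unbound.conf (read the file in place of the constructed strings) to confirm what a given selection in the GUI ends up binding; a `loopback_only` result of `True` is the state the issue asks for, while a non-empty `wildcard` list together with non-loopback `allowed_nonlocal` entries is the "listen everywhere, gate by ACL" model the maintainer describes.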

@jon-stumpf
Author

Thanks
