Unbound does not resolve local IP addresses


#1

nslookup on the pihole of a system inside my network but with external name (e.g. pihole.domain.tld) does not resolve to any IP address if Unbound is used as forwarder; meanwhile, changing the forwarder to another internal DNS server, the IP gets resolved to e.g. 192.168.0.15

So with 127.0.0.1#5353, google.com, test.com etc. are fine, but pihole.domain.tld gets no answer; with 192.168.0.55#53, which is another DNS server (on a Synology without any zone files, just like Unbound on the Pi-hole), pihole.domain.tld is resolved to 192.168.0.1.15 as it should be.

Why?


#2

This sounds like an unbound issue, not a Pi-hole issue.


#3

This is the unbound documentation for configuration that may provide the answer you seek: https://nlnetlabs.nl/documentation/unbound/unbound.conf/


#4

Found the solution. Your recommended configuration contains

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

and that’s the reason why I don’t get the answer I expect. However, I’m unsure why this setting is done/recommended, but after removing it, everything looks fine.


#5

Because those addresses should not be sent to the upstream server because normally they are public servers that don’t know your internal addresses.

Internal domains can also be defined hard in Unbound.

local-zone: "pihole.domain.tld" redirect
local-data: "pihole.domain.tld A 192.168.x.x"

If your router/firewall supports Hairpin NAT then you use the external address and that is replaced by your internal address. This is the best solution but your router has to support that.

It is not common to put internal addresses in public servers which could lead to security risks.


#6

It’s my own domain name and it has both public and internal addresses, e.g. www.domain.tld is pointing to a public address, meanwhile pihole.domain.tld points to an internal IP address. It’s easier to manage that at just one point and I’m no fan of (what may work as well) internal-only names like pihole.local; also in a VPN environment it’s much harder to make that resolve correctly.

I know about split DNS, but the systems are really only available internally and as it’s a private setup, I try to keep it simple. Additionally, I like to use only one wildcard SSL certificate for all of them, so working with another or internal name would not be the best solution; split DNS would work for me, but would require managing two zone files at two places.
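The two ways out of this side by side, as an added example that is not from the thread or from the Pi-hole guide: the rebind filter from #4 is kept, and the zone that legitimately holds RFC 1918 records is exempted with Unbound's private-domain option, which matches the one-zone-with-mixed-records setup from #6; the local-data variant from #5 is shown as the alternative. domain.tld and 192.168.0.15 are the thread's placeholders and the file path is an assumption.

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf  (path assumed; adjust to your layout)
server:
    # Keep the rebind protection: upstream answers that contain addresses
    # in these ranges are stripped, unless the name is exempted below.
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

    # Option A: exempt only your own zone (and all its subdomains), so
    # pihole.domain.tld may resolve to 192.168.0.15 while any other public
    # name that answers with a 192.168.x.x address is still filtered.
    private-domain: "domain.tld"

    # Option B: answer the name locally and never ask upstream for it.
    # local-data is served before recursion, so the private-address filter
    # does not apply to it. Uncomment these instead of using option A.
    # local-zone: "pihole.domain.tld." redirect
    # local-data: "pihole.domain.tld. A 192.168.0.15"
```

Validate with `unbound-checkconf` and restart Unbound; afterwards `dig @127.0.0.1 -p 5353 pihole.domain.tld A` should return the internal address while `dig @127.0.0.1 -p 5353 www.domain.tld A` still returns the public one.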