$_ BSDHowTo.ch

How to provide DNS for VMs using unwind(8)

Last update: 2020-05-17

Introduction

In this post I show you how you can leverage unwind(8) to provide a central DNS cache for the VMs on your OpenBSD host running vmm(4)/vmd(8).

Why use unwind(8) for VMs?

You may find this useful if you run VMs on hosts with a changing IP configuration, like your laptop. It also makes the installation of new VMs a bit easier, especially if you use the NAT option for the VMs. The rest of this post presumes that your uplink NIC is configured using DHCP and that you use NAT for the VMs as described in the FAQ.

Rules for pf(4)

You should first create the two new rules that are required in pf.conf(5):

vm_net="100.64.0.0/10"

# Redirect DNS packets from VMs to unwind(8)
pass in proto { tcp udp } from $vm_net to any port domain \
    rdr-to localhost port domain

# Perform NAT for the VMs
match out on egress from $vm_net to any nat-to (egress)

Do not load the new rules yet. You will do this when the rest of the configuration is done.

Enable and start unwind(8)

The steps to enable and start unwind(8) follow the usual pattern under OpenBSD:

$ doas rcctl enable unwind
$ doas rcctl start unwind
unwind(ok)

Now you must decide whether you want to use unwind(8) for the VMs only or for the host too. If you choose the second option, you must add the following line to dhclient.conf(5):

supersede domain-name-servers 127.0.0.1;

This line makes sure that the first nameserver entry in resolv.conf(5) points to 127.0.0.1. That is the IP unwind(8) is listening on.

Enable the new settings

Test the rules in /etc/pf.conf and load them into pf(4) if no error is found:

$ doas pfctl -nf /etc/pf.conf
$ doas pfctl -f /etc/pf.conf

If you want to use unwind(8) for your host system too, you must enter the following line in /etc/resolv.conf:

nameserver 127.0.0.1

Make sure you comment out or delete any other line starting with nameserver.
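
The host-side settings described above can be checked with a small script. This is an added example, not part of the original post; the function names are made up here, and the file paths are passed as arguments so the checks can be tried on copies first.

```sh
#!/bin/sh
# Added example: audit the two host-side files this how-to edits.
# Function names are illustrative, not part of OpenBSD.

# Print the address of every active (uncommented) nameserver line.
active_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed only if the file has at least one nameserver line and every
# one of them is 127.0.0.1, the address unwind(8) is listening on.
host_resolv_ok() {
    servers=$(active_nameservers "$1")
    [ -n "$servers" ] || return 1
    for s in $servers; do
        [ "$s" = "127.0.0.1" ] || return 1
    done
    return 0
}

# Succeed only if dhclient.conf(5) carries the uncommented supersede
# line that keeps resolv.conf(5) pointing at 127.0.0.1.
dhclient_supersede_ok() {
    grep -Eq '^[[:space:]]*supersede[[:space:]]+domain-name-servers[[:space:]]+127\.0\.0\.1[[:space:]]*;' "$1"
}

# Report both checks; returns non-zero if either one fails.
audit_host_dns() {
    rc=0
    if host_resolv_ok "$1"; then echo "ok:   $1 uses only 127.0.0.1"
    else echo "FAIL: $1 has a missing or extra nameserver"; rc=1; fi
    if dhclient_supersede_ok "$2"; then echo "ok:   $2 supersedes domain-name-servers"
    else echo "FAIL: $2 lacks the supersede line"; rc=1; fi
    return $rc
}

# Check the real files only when called as: sh script.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_host_dns /etc/resolv.conf /etc/dhclient.conf
fi
```

A leftover nameserver line, or a supersede line that is still commented out, shows up as FAIL.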

Test the new setup

Start up one of your VMs or create a new one. As soon as it is ready, check /etc/resolv.conf in the VM. It should look similar to this:

# Generated by vio0 dhclient
search example.net
nameserver 100.64.1.2
nameserver 100.64.1.2
lookup file bind

To actually test the new setup, try to look up a hostname using host(1):

$ host www.bsdhowto.ch
www.bsdhowto.ch has address 46.23.92.87

If you get the correct IP address your setup is working.