Overview
Component | Value |
---|---|
Internal domain | maksonlee.com |
DNS server IP | 10.0.128.4 (OPNsense LAN IP) |
System DNS | 127.0.0.1 (loopback) |
Forwarder | AWS DNS 10.0.0.2 |
VPC CIDR | 10.0.0.0/16 |
NS record | opnsense.maksonlee.com |
- Install and Enable BIND Plugin
  - Go to: System → Firmware → Plugins
  - Install: os-bind
  - Reboot if needed
  - Enable BIND in: Services → BIND → Configuration → General → Enable BIND Daemon
- Configure Access Lists
  - Go to: Services → BIND → Configuration → ACLs
  - Click Add and set:
    - Enabled: yes
    - Name: vpc_clients
    - Network List: 10.0.0.0/16 (VPC), 127.0.0.1/32 (loopback, for OPNsense itself)
  - Save
- Create Primary Zone
  - Go to: Services → BIND → Configuration → Primary Zones
  - Click Add Zone and set:
    - Enabled: checked
    - Zone Name: maksonlee.com
    - Allow Query: vpc_clients
    - Mail Admin: admin.maksonlee.com
    - DNS Server: opnsense.maksonlee.com
  - Save
- Add Zone Records
  - Go to: Services → BIND → Configuration → Primary Zones
  - Select zone maksonlee.com and add the following records:

Enabled | Zone | Name | Type | Value |
---|---|---|---|---|
Yes | maksonlee.com | app | A | 10.0.128.5 |
Yes | maksonlee.com | opnsense | A | 10.0.128.4 |
Yes | maksonlee.com | (leave empty: zone apex) | NS | opnsense |

  - Save
- Configure BIND Global Settings
  - Go to: Services → BIND → Configuration → General
  - Set:
    - Listen IPs: 10.0.128.4, 127.0.0.1
    - Listen Port: 53
    - DNS Forwarders: 10.0.0.2
    - Recursion: vpc_clients
    - Allow Query: vpc_clients
  - Save
- Set OPNsense System DNS
  - Go to: System → Settings → General
  - Set:
    - DNS servers: 127.0.0.1
    - Allow DNS server list to be overridden by DHCP/PPP on WAN: unchecked
    - Do not use the local DNS service as a nameserver for this system: unchecked
  - Save
- Create and Associate AWS DHCP Option Set
  - Go to: AWS Console → VPC → DHCP Option Sets
  - Click Create DHCP option set and set:
    - DHCP option set name: my
    - Domain name: maksonlee.com
    - Domain name servers: 10.0.128.4
  - Save
  - Go to: AWS Console → VPC → Your VPCs
  - Select your VPC → Actions → Edit DHCP options set
  - Choose your new set → Save
- Apply DNS to Existing EC2s
  - Existing EC2s don’t auto-update DHCP, so just reboot:

```shell
sudo reboot
```

  - Check:

```text
resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (ens5)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.128.4
DNS Servers: 10.0.128.4
DNS Domain: maksonlee.com
```
- Firewall Rules (if needed)
  - Go to: Firewall → Rules → LAN
  - Make sure there’s a rule allowing:

Source | Destination | Destination port range | Protocol | Action |
---|---|---|---|---|
10.0.0.0/16 | 10.0.128.4 | 53 | TCP/UDP | Pass |

  - If you have “Default allow LAN to any”, you’re all good.
- Final Tests

```shell
dig app.maksonlee.com
dig google.com
```

  - Both internal and public names should resolve properly.
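To make clear what the ACLs, Primary Zones, records and General settings above mean in BIND's own terms, here is an equivalent hand-written named.conf fragment and zone file for this setup. This is an added illustration, not the configuration the os-bind plugin generates (its file layout and option spelling may differ); the file path, TTLs and SOA serial are assumptions.

```conf
// ---- named.conf: the "ACLs", "General" and "Primary Zones" settings ----
acl vpc_clients {
    10.0.0.0/16;        // the VPC
    127.0.0.1/32;       // OPNsense itself (System DNS = 127.0.0.1)
};

options {
    listen-on port 53 { 10.0.128.4; 127.0.0.1; };
    // Only VPC hosts may query at all, and only they get recursion.
    // Without both lines this box would be an open resolver on any
    // interface where port 53 is reachable (amplification, cache abuse).
    allow-query     { vpc_clients; };
    allow-recursion { vpc_clients; };
    // Names outside maksonlee.com go to the AWS resolver (VPC CIDR + 2).
    forwarders { 10.0.0.2; };
    forward only;
};

zone "maksonlee.com" {
    type primary;                          // "master" on BIND < 9.16
    file "/var/named/maksonlee.com.db";    // path is an assumption
    allow-query { vpc_clients; };          // the zone's "Allow Query"
};

; ---- maksonlee.com.db: the zone's "Mail Admin", "DNS Server" and records ----
$TTL 3600                                  ; assumed default TTL
$ORIGIN maksonlee.com.
; RNAME admin.maksonlee.com. is the hostmaster mailbox admin@maksonlee.com
@        IN SOA opnsense.maksonlee.com. admin.maksonlee.com. (
             2024010101 ; serial (assumed; bump on every change)
             3600       ; refresh
             900        ; retry
             604800     ; expire
             300 )      ; negative-cache TTL
@        IN NS  opnsense.maksonlee.com.    ; the apex NS row (empty Name)
opnsense IN A   10.0.128.4
app      IN A   10.0.128.5
```

A quick sanity check on the OPNsense box is `named-checkzone maksonlee.com /path/to/zonefile`, which will reject a zone whose NS target (opnsense) has no A record in the zone.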