Custom DNS entries on a UniFi USG
I decided to spring for a UniFi USG-3 to round out our shiny new network, and swapped it over after work a few days ago. For the most part, it’s been fairly trivial to get things running but there’s a couple of minor annoyances that took a while to get situated. First of all, with the USG acting as both DHCPd and DNS resolver, my ability to add custom entries to my local DNS zone is completely vaporized. Bummer!
Supposedly the USG/UniFi software is getting the ability to have full zone control (CNAMEs and all that good stuff) but who knows when that’ll get here, so I decided to roll up my sleeves and have a crack at the manual configuration overrides built into UniFi. Apparently all the configuration stuff is stored in JSON objects, and that’s how they’re provisioned over the network, and there’s a place you can drop them on the controller, where that JSON blob will be merged into the one it builds, before pushing the whole mess over to the device in question on a “provision”.
How to generate that file? It turns out it’s super easy: ssh to the USG, and issue: mca-ctrl -t dump-cfg > /home/fwaggle/config.json
then use scp
to copy this file someplace you can have a look at it.
The section we’re interested in is the “dns”:“forwarding” section. You have to wrap it in an outer set of braces, around a “service” block as well, so you end up with something like this:
{
"service": {
"dns": {
"forwarding": {
"cache-size": "10000",
"except-interface": [
"eth0"
],
"options": [
"ptr-record=1.0.0.10.in-addr.arpa,router",
"host-record=plex.home.fwaggle.org,10.0.0.254",
"host-record=nas.home.fwaggle.org,10.0.0.254"
]
}
},
}
}
(Note that you don’t want to save the whole existing configuration in the new json file, only the bits you want to override - the above is something similar to my exact, and complete, config.gateway.json
file)
A few of these were existing records, I left them in there, not sure if it’ll bite me in the arse later. I added a couple of new entries, saved the file in /opt/UniFi/data/sites/default
and forced a provision to the USG. Then I’m off and running!
The only downside is I’m missing out on the dual search-domain-suffixes I configured last time using DHCP, but that may be possible to put back using UniFi’s custom DHCP options. Since it doesn’t work for Windows hosts anyway, I’m not sure I’ll bother.
The best news? iperf3
reports ~980mbps same-vlan network performance, and about ~950mbps inter-vlan performance, so I can finally start thinking about firewall rules to seggregate the two networks.