OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: mush2020 on January 16, 2022, 09:48:16 am

Title: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 16, 2022, 09:48:16 am
I'm getting lost in the forum searching for how DNS should be configured the first time Opnsense is up and running.
If the Unbound plugin is installed, then what should the correct configuration be in Opnsense and Unbound?
I have an ISP router with CGNAT.
Opnsense WAN port (igb1) is set to DHCP.
Opnsense LAN port (igb0) is only used for managing Opnsense (SSH, GUI, etc.).
Opnsense WiFi port (igb2) is connected to a WiFi router/AP. Here Opnsense leases IPv4 addresses to WiFi clients.

With this setup,
1. I don't want any clients (Windows, iOS and Android) to use any other DNS servers; some Android devices and smart home devices use Google DNS 8.8.8.8.
2. Want to use a DNS provider that filters out or blocks access to all adult, pornographic and explicit sites, proxies and VPNs, threat protection, etc.
3. Should enforce safe search.
4. Clients should be identified by hostname with a static entry (it looks like some Android devices keep changing MAC addresses).

I'm not sure what the correct configuration is if I want to use only Opnsense with my ISP router as DNS.
What is the correct configuration if I want to use Opnsense + the Unbound plugin with DNS filtering?

I have read many posts and tutorials; it's all confusing with the DNS configuration.
I'm trying AdGuard, and it is not working as described in a few tutorials and forum members' working setups.

Anyone who could point me in the right direction would be appreciated.

Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: cookiemonster on January 17, 2022, 02:30:21 pm
You're right, there is a lot of information, which is a good thing, but it takes some reading. There will be more than one way of achieving what you want. All of them are correct. Everyone has a slightly different setup/requirement combo.
1. I don't want any clients (Windows, iOS and Android) to use any other DNS servers; some Android devices and smart home devices use Google DNS 8.8.8.8.
Search the tutorials section. There you want to use rules to force a redirection for port 53. DoT or DoH are additional cases.

2. Want to use a DNS provider that filters out or blocks access to all adult, pornographic and explicit sites, proxies and VPNs, threat protection, etc.
You could achieve it by using an upstream free resolver like Cloudflare that provides filtered DNS servers. In this case it can be put in the Unbound settings directly.

3. Should enforce safe search
Similar to 2 but I'm not entirely sure. Pihole/ADGuard might help here.

4. Clients should be identified by hostname with a static entry (it looks like some Android devices keep changing MAC addresses).
This is in Services > Unbound DNS > General, "DHCP Static Mappings"; read the tooltip help.
But the router can't stop a client from changing its MAC. It needs doing at the device. But you can try to force the hand of the device owners by, for instance, allowing DHCP only for whitelisted MACs: Services > DHCPv4 > "deny unknown clients", that sort of thing. There are some threads, I think in General in the forum.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 17, 2022, 05:41:15 pm
@cookiemonster Thanks for your response.
I've gone through some of the tutorials and posts to understand the configuration for DNS + Unbound + Adguard.

So I have Unbound (5353) with a NAT port forward rule (see attached).
In System > General, no DNS is set (see attached).
DNS over TLS: using Cleanbrowsing (see attached).
Adguard: configuration not complete, as I want to understand how that works and get the right configuration.

One concern is about the NAT port forward Filter rule association (see attached): what should the selection be and why?

I need to understand the DNS request/response flow when ISP router + Opnsense + Unbound + Adguard + wireless AP are involved.

If my host on LAN and/or WiFi requests google.com, how does the request flow and who responds?
If badsite.com is requested, how does the DNS request/response flow work?
What about the Opnsense WAN interface? Does WAN also use DNS? I'm not sure how many Opnsense interfaces are involved in DNS traffic in/out.

Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 18, 2022, 01:49:40 am
You can pretty much accomplish everything you want with an Unbound redirect to AdGuard plugin.  That's the setup I have (with a Unifi switch/AP downstream) and it works great.

Initially I used Unbound strictly with a selection of blocklists, but I found my use case changed as my kids got older and I wanted better control.  Adguard does that for me and I've even set up a Wireguard tunnel back to home....which they haven't yet figured out...lol.

Either way, check around (I think Reddit has some good tutorials on Adguard/Unbound setup)....
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 18, 2022, 04:27:07 am
@Superduke, thanks for your input. I did not get your use case for having Wireguard.
I believe WG is again similar to OpenVPN. Are there any added benefits for DNS and web filtering by using WG?

I can't get AGH working properly for parental control and threat protection.

I'm not sure where the issue is; as soon as I enable the 2 web safe browsing options, Internet stops (DNS timed out).

I could not get any indication from the Unbound logs or FW logs yet.

Not sure if anyone using Unbound + AGH has faced such an issue.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: RamSense on January 18, 2022, 08:09:13 am
I use AGH also and really love it (before that I used pihole).
My NAT IP setting is not 127.0.0.1; I use the Opnsense IP, in my case 192.168.1.1.

In the AGH DNS settings, as upstream DNS servers:
https://dns.cloudflare.com/dns-query
https://dns.quad9.net/dns-query

parallel requests

bootstrap DNS servers
192.168.1.1:5353

private reverse DNS servers
192.168.1.1:5353
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 18, 2022, 09:20:38 am
@RamSense, thanks.
I tried changing NAT from 127.0.0.1 to the WiFi interface IP. But what should be selected for Filter Rule Association under the NAT rule? By default, if there is no description it shows Rule; if a description is added then it shows the description. Should it be default, Pass or None?

I tested AGH again after adding the WiFi interface IP and enabling
browsing security web services
parental control web services
No more Internet (connected host shows DNS request timed out).

For now I cannot use these 2 AGH protection options.

Additionally I checked: if the WiFi host's DNS is modified to a DNS provider like 1.1.1.1,
then the host can use this DNS instead of getting blocked, and DNS requests are successful.

I then changed back to 127.0.0.1 in the WiFi interface NAT rule as before; then the host with the DNS provider IP address cannot have Internet. The NAT rule is working as needed.

Can anyone help here to trace and fix the issue?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 18, 2022, 02:57:24 pm
Any reason why you have those port forward rules in place?  You shouldn't need them afaik.

I have DNS static mapping also set via the Unbound GUI as well as DHCP lease registration.  Apart from that and the listening port change from 53 to whatever (5353 in your case), there isn't anything else to change in OPNSense I believe.

In the AGH interface, you need to put your OPNSense IP:Listening Port in both upstream and bootstrap.

That should pretty well be it.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 18, 2022, 03:02:46 pm
@Superduke, thanks for your input. I did not get your use case for having Wireguard.
I believe WG is again similar to OpenVPN. Are there any added benefits for DNS and web filtering by using WG?

I can't get AGH working properly for parental control and threat protection.

I'm not sure where the issue is; as soon as I enable the 2 web safe browsing options, Internet stops (DNS timed out).

I could not get any indication from the Unbound logs or FW logs yet.

Not sure if anyone using Unbound + AGH has faced such an issue.

WG itself isn't filtering anything of course.  It's just a secure tunnel back to my OPNSense/AGH box....which then performs the blocking/filtering.  So basically I have my kids' devices route all of their traffic back through WG to home so the safe search and safe browsing settings are applied to them....just like if they were at home on the WIFI.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 18, 2022, 03:08:54 pm
As per some of the tutorials for redirecting DNS, I had these NAT port forward rules.
If I disable the NAT rule on a specific interface, then requests with any manual DNS IPs pass through; with the rule, I could see in the Firewall RDR log which host is using which DNS IP, and anyhow requests to manual DNS IPs time out.

For the rest, for AGH I have done most of the configuration as you mentioned and from the tutorials.

AGH still does not work with the protection features enabled.

Is there any specific DNS configuration I might be missing in Opnsense, Unbound or AGH?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 18, 2022, 03:30:29 pm
If you want to use Cloudflare or other providers for DNS, you can set that up in Unbound using DoT with no port forwarding at all.....not sure why the tutorials say to do so....
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 18, 2022, 03:54:57 pm
In Unbound DNS over TLS I tested by removing port 853 and leaving it blank.
It does accept the blank field, but after applying, Internet is not available.
So I'm back to my working settings (see attached).

If all DNS providers' DoT works only on TCP/853, then we would need this port in Unbound.
Unbound does accept DoT domains like family-filter-dns.cleanbrowsing.org.

As seen in Cleanbrowsing (see attached), IP over port is specified; additionally a domain could be used too.

Could any of my settings be the DNS issue for the AGH protection settings?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 18, 2022, 04:15:14 pm
In Unbound DNS over TLS I tested by removing port 853 and leaving it blank.
It does accept the blank field, but after applying, Internet is not available.
So I'm back to my working settings (see attached).

If all DNS providers' DoT works only on TCP/853, then we would need this port in Unbound.
Unbound does accept DoT domains like family-filter-dns.cleanbrowsing.org.

As seen in Cleanbrowsing (see attached), IP over port is specified; additionally a domain could be used too.

Could any of my settings be the DNS issue for the AGH protection settings?

Do you wish to use AGH in this setup?  If yes, then 853 and your DNS service need to be set up in AGH, not Unbound.   If you are using Unbound then yes, of course you need to set that up.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 18, 2022, 04:19:35 pm
In Unbound DNS over TLS I tested by removing port 853 and leaving it blank.
It does accept the blank field, but after applying, Internet is not available.
So I'm back to my working settings (see attached).

If all DNS providers' DoT works only on TCP/853, then we would need this port in Unbound.
Unbound does accept DoT domains like family-filter-dns.cleanbrowsing.org.

As seen in Cleanbrowsing (see attached), IP over port is specified; additionally a domain could be used too.

Could any of my settings be the DNS issue for the AGH protection settings?

Honestly, everything you want is in AGH.....no need for Cleanbrowsing DNS really....and you can even set up a per-client override....and use whatever blocklists you want...although pretty well all of the best stock ones are built in.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 18, 2022, 04:26:44 pm
In Unbound DNS over TLS I tested by removing port 853 and leaving it blank.
It does accept the blank field, but after applying, Internet is not available.
So I'm back to my working settings (see attached).

If all DNS providers' DoT works only on TCP/853, then we would need this port in Unbound.
Unbound does accept DoT domains like family-filter-dns.cleanbrowsing.org.

As seen in Cleanbrowsing (see attached), IP over port is specified; additionally a domain could be used too.

Could any of my settings be the DNS issue for the AGH protection settings?

Just a thought....but do you have the DNS nameservers set up under General settings?  And then have DNS Query Forwarding checked in Unbound?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 18, 2022, 04:32:12 pm


Do you wish to use AGH in this setup?  If yes, then 853 and your DNS service need to be set up in AGH, not Unbound.   If you are using Unbound then yes, of course you need to set that up.

I want to use Unbound + AGH.
In AGH:
upstream DNS servers
192.168.50.254:5353 (Opnsense LAN)
192.168.10.254:5353 (WiFi interface)

parallel requests

bootstrap DNS servers
192.168.50.254:5353 (Opnsense LAN)
192.168.10.254:5353 (WiFi interface)

private reverse DNS servers
192.168.10.254:5353 (WiFi interface)
192.168.50.254:5353 (Opnsense LAN)


The only issue I have now is DNS not working if AGH protection is enabled.

Any further troubleshooting leads?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 18, 2022, 04:38:39 pm
Is your query about the Opnsense, Unbound or AGH setting? I will have a look.
By the way, in Opnsense I have set up hostname and domain.
In Unbound, DNS Query Forwarding is unchecked.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 18, 2022, 04:49:52 pm
I'm sorry, I got your point. There are no nameservers added in Opnsense System|Settings|General,
as I wanted to use Unbound as resolver.

Also these are unchecked:
Allow DNS server list to be overridden by DHCP/PPP on WAN
Do not use the local DNS service as a nameserver for this system

In Unbound this is unchecked:
Enable Forwarding Mode
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 18, 2022, 05:33:41 pm
Ok, I think I know what you want now.  Just to summarize...you want Unbound to do your resolving locally on your OPNSense server and use AGH as a blockfilter....that's what I have by the way.

If that's the case, then

1) There is no reason to have NAT port forwarding or special rules set.
2) The only thing you need to really setup in Unbound is the new listening port...I use 53530.....(5353 in your case...but maybe there's a conflict for you, so maybe try a different one)
3) Only need to put your OPNSense IP:Port in the upstream and bootstrap....the other WIFI one (which I presume is a VLAN??) isn't needed if it is a VLAN....or even if it's not really....since Unbound will listen on the OPNSense IP and Port....make sure the WIFI interface is listed in the Setup Guide tab of AGH though.

Did you try the test button in AGH?

Also...did you try different configs of safe search and secure web service being checked and unchecked?  Try both unchecked first and see if that helps.

Another thing to look at is if you also have Suricata running....shouldn't matter but try disabling that too to see if it might be blocking something unnecessarily.

Do you wish to use AGH in this setup?  If yes, then 853 and your DNS service need to be set up in AGH, not Unbound.   If you are using Unbound then yes, of course you need to set that up.

I want to use Unbound + AGH.
In AGH:
upstream DNS servers
192.168.50.254:5353 (Opnsense LAN)
192.168.10.254:5353 (WiFi interface)

parallel requests

bootstrap DNS servers
192.168.50.254:5353 (Opnsense LAN)
192.168.10.254:5353 (WiFi interface)

private reverse DNS servers
192.168.10.254:5353 (WiFi interface)
192.168.50.254:5353 (Opnsense LAN)


The only issue I have now is DNS not working if AGH protection is enabled.

Any further troubleshooting leads?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 18, 2022, 06:16:27 pm
Quote
1) There is no reason to have NAT port forwarding or special rules set.

I will test all the NAT rules later, once AGH is working. I hope no host will use their own DNS addresses.

Quote
2) The only thing you need to really setup in Unbound is the new listening port...I use 53530.....(5353 in your case...but maybe there's a conflict for you, so maybe try a different one)

I will test with a new port, but I'm sure I'm not using 5353 elsewhere.

Quote
3) Only need to put your OPNSense IP:Port in the upstream and bootstrap....the other WIFI one (which I presume is a VLAN??) isn't needed if it is a VLAN....or even if it's not really....since Unbound will listen on the OPNSense IP and Port....make sure the WIFI interface is listed in the Setup Guide tab of AGH though.

WiFi is not a VLAN. It's physically connected from Opnsense to the WiFi AP port (see attached).

Quote
Did you try the test button in AGH?
Yes, all tests are successful.

Quote
Also...did you try different configs of safe search and secure web service being checked and unchecked?  Try both unchecked first and see if that helps.

See attached AGH current settings. With these options checked, all ok. As soon as I enable web service protection (highlighted in the attachment), Internet doesn't work. I have tried enabling both at the same time and each one separately.

IPS is disabled.

Where are the AGH logs to check why DNS requests are failing with these 2 web service features?

Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 18, 2022, 07:00:54 pm
Minor things but I have my upstream DNS server set to load balance....

And I don't have any address in the private reverse DNS lookup box; although you putting your OPNsense IP shouldn't matter....

this is weird.....sorry I can't help more....
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 18, 2022, 07:28:11 pm
Check this out....this is where I went to set mine up....

https://forum.opnsense.org/index.php?topic=22162.msg107450#msg107450

Quote
1) There is no reason to have NAT port forwarding or special rules set.

I will test all the NAT rules later, once AGH is working. I hope no host will use their own DNS addresses.

Quote
2) The only thing you need to really setup in Unbound is the new listening port...I use 53530.....(5353 in your case...but maybe there's a conflict for you, so maybe try a different one)

I will test with a new port, but I'm sure I'm not using 5353 elsewhere.

Quote
3) Only need to put your OPNSense IP:Port in the upstream and bootstrap....the other WIFI one (which I presume is a VLAN??) isn't needed if it is a VLAN....or even if it's not really....since Unbound will listen on the OPNSense IP and Port....make sure the WIFI interface is listed in the Setup Guide tab of AGH though.

WiFi is not a VLAN. It's physically connected from Opnsense to the WiFi AP port (see attached).

Quote
Did you try the test button in AGH?
Yes, all tests are successful.

Quote
Also...did you try different configs of safe search and secure web service being checked and unchecked?  Try both unchecked first and see if that helps.

See attached AGH current settings. With these options checked, all ok. As soon as I enable web service protection (highlighted in the attachment), Internet doesn't work. I have tried enabling both at the same time and each one separately.

IPS is disabled.

Where are the AGH logs to check why DNS requests are failing with these 2 web service features?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 19, 2022, 01:43:34 pm
Thanks for assisting.
I've gone through the shared post.
Everything looks ok as per the setup guide.
But I haven't come across anyone reporting the web service protection issue which I'm facing.
Are all AGH features free, or is there anything commercial involved?
Where can I share this issue, if there is no further help from the Opnsense forum?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: cookiemonster on January 19, 2022, 02:34:22 pm
I didn't get to see the activity. Are you up and running now?
I don't use web service protection in AGH, but from a quick online search it might need to communicate with an AdGuard domain to work. I don't believe it needs to be paid for. How is it not working?
We could maybe help by pointing out where to look, but otherwise it is maybe a question for the AGH people.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 19, 2022, 03:11:12 pm
Yes, I'm up and running now.
I'm confused: do I need to add the AGH DNS DoT IPs in Unbound DNS over TLS or in AGH DNS Upstream?
Right now the working settings are:
In Unbound I have added Cleanbrowsing IPs over 853
In AGH Upstream I have added the Opnsense IP over 8383
I just tried to test by enabling parental control and safe browsing. Internet stopped working.
I unchecked them; Internet is working.

From the AGH yaml current config:

  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: true
  safebrowsing_enabled: false
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: cookiemonster on January 19, 2022, 04:19:01 pm
Without trying to sound condescending, it's easier to follow the flow with ip:port. Whatever ip:port is entered in an app/system setting is where the traffic is going to, unless you are configuring the listening service. Port 53 is plain DNS, i.e. unencrypted. The protocol is normally UDP but can be TCP. Put that aside for now.
Port 853 has been designated for DoT, so it is expected to be encrypted with TLS, so it needs a successful TLS setup, certificates, etc. Put that aside for now next to the port 53 info.
So you can start building your answer.
Quote
I'm confused: do I need to add the AGH DNS DoT IPs in Unbound DNS over TLS or in AGH DNS Upstream?
Right now the working settings are:
In Unbound I have added Cleanbrowsing IPs over 853
In AGH Upstream I have added the Opnsense IP over 8383
On the working settings Unbound is sending DoT traffic to Cleanbrowsing (whatever that is) on the correct port.
AGH is sending the traffic to OPN on port 8383. So the flow looks like this:
    client (?) --> AGH (port?) --> Unbound-OPN:8383 --> cleanbrowsing:853

Makes sense?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 19, 2022, 04:43:56 pm
I'm still a bit confused as to why cleanbrowsing is needed here given it seems to replicate a lot (if not all) of what AGH does for you....

Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 19, 2022, 07:01:44 pm
@cookiemonster thanks,
Here is my Adguard yaml file.
I have just removed the password string and modified the domain name.
This is the working config. You will see below:
parental_enabled: false
safesearch_enabled: true
safebrowsing_enabled: false

No issues with Internet. The issue occurs if either parental_enabled and/or safebrowsing_enabled is true.
So I'm trying to understand: is it related to Unbound DNS over TLS, or is it, as you mentioned, the IP:Port used in AGH? Below it's 53 for DNS, and in Unbound I have set 8383.

Is there any AGH port issue or Unbound issue?

bind_host: 0.0.0.0
bind_port: 8443
beta_bind_port: 0
users:
- name: root
  password: ----Removed------
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
  - 0.0.0.0
  port: 53
  statistics_interval: 30
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 720h
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
  - 192.168.50.254:8383
  upstream_dns_file: ""
  bootstrap_dns:
  - 192.168.50.254:8383
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
  - version.bind
  - id.server
  - hostname.bind
  trusted_proxies:
  - 127.0.0.0/8
  - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet: false
  max_goroutines: 300
  ipset: []
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: true
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services:
  - 9gag
  upstream_timeout: 10s
  local_domain_name: mydomain.com
  resolve_clients: true
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
  - 192.168.50.254:8383
tls:
  enabled: true
  server_name: fw.mydomain.com
  force_https: true
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /var/etc/acme-client/home/fw.mydomain.com/fullchain.cer
  private_key_path: /var/etc/acme-client/home/fw.mydomain.com/fw.mydomain.com.key
filters:
- enabled: true
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard DNS filter
  id: 1
- enabled: true
  url: https://adaway.org/hosts.txt
  name: AdAway Default Blocklist
  id: 2
whitelist_filters: []
user_rules:
- ' - https://hosts.netlify.app/Pro/adblock.txt'
- ' - https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt'
- ' - https://block.energized.pro/ultimate/formats/hosts.txt'
- ' - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt'
- ' - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'
- ' - https://hosts.oisd.nl/'
- ""
dhcp:
  enabled: false
  interface_name: ""
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients: []
log_compress: false
log_localtime: false
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_file: ""
verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 12
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 19, 2022, 07:06:22 pm
I'm still a bit confused as to why cleanbrowsing is needed here given it seems to replicate a lot (if not all) of what AGH does for you....

What will the settings be if Unbound is disabled? No more DoT IP used, i.e. cleanbrowsing.
Opnsense + AGH only.
In this case how will Opnsense forward the DNS request? There should be a DNS server somewhere.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: Superduke on January 19, 2022, 07:24:48 pm
Apologies...I likely wasn't clear...you surely need a resolver of some kind...but Unbound with AGH gets you the resolving and blocking/filtering/control you want without cleanbrowsing in the loop....

And since both services are local to you, the whole DoT thing becomes irrelevant.

I'm still a bit confused as to why cleanbrowsing is needed here given it seems to replicate a lot (if not all) of what AGH does for you....

What will the settings be if Unbound is disabled? No more DoT IP used, i.e. cleanbrowsing.
Opnsense + AGH only.
In this case how will Opnsense forward the DNS request? There should be a DNS server somewhere.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 19, 2022, 07:51:31 pm
Thanks again,
Now I'm testing by not using DoT in Unbound and letting AGH handle it.
So in the AGH upstream DNS servers, should I remove 192.168.50.254:8383, or add only the DoT of my choice, or both, i.e.
tls://family.cloudflare-dns.com:853
192.168.50.254:8383
dnsleak shows Cloudflare as well as my ISP. Why? Or have I set it up wrongly?
Also I tested with parental control enabled; again Internet down.

Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: KHE on January 19, 2022, 08:40:54 pm
And here the browser settings come into play again.
Let me guess, you used Firefox to test with dnsleak? Why do I guess so? Firefox is using DoH. The default for Firefox is to use cloudflare-dns.com aka 1.1.1.1 if you do not change the setting.

To force Firefox not to use DoH in the default setting, just add the domain use-application-dns.net to the rewrites in AGH and point it to NXDOMAIN. If somebody sets DoH manually and activates it, then Firefox will use DoH again.

In Chrome/Edge/Chromium the setting is called secure DNS. And these browsers ignore the use-application-dns.net trick. Chrome by the way uses the Google DNS servers, obviously.

I set up my AGH to use the upstream servers via DoT/DoH directly. You can also use DoQ and DNSCrypt here.
To still get all my local DNS settings I added an upstream entry for my home domain. The entry has to look like the following: [/home.example.com/]192.168.50.254:8383. Then Unbound will be used for lookups from home.example.com and the other servers for the rest.

KH
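The upstream list KHE describes, as an added example (written for this page, not taken from the thread or from AdGuard Home's own code): it parses entries such as tls://dns-family.adguard.com:853 and [/home.example.com/]192.168.50.254:8383, picks the upstream for a query name, answers the Firefox canary use-application-dns.net from a local NXDOMAIN rewrite, and flags upstreams that would carry queries in plain text off the LAN (what a DNS leak test shows as the ISP). Longest-suffix matching and the "domain plus all subdomains" rule are simplifying assumptions, not AdGuard Home's exact implementation.

```python
"""Simplified model of AdGuard Home upstream selection (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Default port per scheme; "udp" stands for plain, unencrypted DNS on port 53.
DEFAULT_PORTS = {"udp": 53, "tls": 853, "https": 443, "quic": 784}


@dataclass(frozen=True)
class Upstream:
    scheme: str               # udp (plain), tls, https or quic
    host: str
    port: int
    domains: Tuple[str, ...]  # empty tuple means "default upstream"

    @property
    def encrypted(self) -> bool:
        return self.scheme in ("tls", "https", "quic")

    def __str__(self) -> str:
        return f"{self.scheme}://{self.host}:{self.port}"


def parse_upstream(entry: str) -> Upstream:
    """Parse one upstream line, e.g. '[/home.example.com/]192.168.50.254:8383'."""
    entry = entry.strip()
    domains: Tuple[str, ...] = ()
    if entry.startswith("[/"):
        close = entry.index("/]")
        # Several domains may share one entry: [/a.example/b.example/]ip:port
        domains = tuple(d.strip(".").lower() for d in entry[2:close].split("/") if d)
        entry = entry[close + 2:]
    if "://" not in entry:
        entry = "udp://" + entry  # a bare ip:port is plain DNS
    parts = urlsplit(entry)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported upstream scheme: {parts.scheme}")
    if parts.hostname is None:
        raise ValueError(f"upstream has no host: {entry}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return Upstream(parts.scheme, parts.hostname, port, domains)


def select_upstream(qname: str, upstreams: List[Upstream]) -> Optional[Upstream]:
    """The domain-specific entry with the longest matching suffix wins
    (assumption: an entry covers the domain and all its subdomains);
    otherwise the first default (domain-less) upstream is used."""
    name = qname.rstrip(".").lower()
    best: Optional[Upstream] = None
    best_len = -1
    default: Optional[Upstream] = None
    for up in upstreams:
        if not up.domains:
            default = default or up
            continue
        for dom in up.domains:
            if (name == dom or name.endswith("." + dom)) and len(dom) > best_len:
                best, best_len = up, len(dom)
    return best if best is not None else default


def resolve_plan(qname: str, upstreams: List[Upstream], rewrites: Dict[str, str]) -> str:
    """What AGH does with qname: answer locally from a rewrite (the Firefox
    canary mapped to NXDOMAIN, as KHE suggests) or forward to the selected upstream."""
    name = qname.rstrip(".").lower()
    if name in rewrites:
        return f"local:{rewrites[name]}"
    up = select_upstream(name, upstreams)
    return str(up) if up is not None else "no-upstream"


def plaintext_leaks(upstreams: List[Upstream]) -> List[Upstream]:
    """Upstreams that send queries unencrypted to a non-local address."""
    leaks = []
    for up in upstreams:
        if up.encrypted:
            continue
        try:
            addr = ipaddress.ip_address(up.host)
            local = addr.is_private or addr.is_loopback
        except ValueError:  # a hostname, so assumed to be an internet resolver
            local = False
        if not local:
            leaks.append(up)
    return leaks


# Constructed sample list using addresses that appear in this thread.
SAMPLE_UPSTREAMS = [parse_upstream(e) for e in (
    "tls://dns-family.adguard.com:853",
    "[/home.example.com/]192.168.50.254:8383",
)]
CANARY_REWRITES = {"use-application-dns.net": "NXDOMAIN"}

if __name__ == "__main__":
    for q in ("nas.home.example.com", "www.example.org", "use-application-dns.net"):
        print(f"{q:26} -> {resolve_plan(q, SAMPLE_UPSTREAMS, CANARY_REWRITES)}")
    for up in plaintext_leaks(SAMPLE_UPSTREAMS + [parse_upstream("8.8.8.8")]):
        print(f"plain-text upstream off the LAN: {up}")
```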
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: cookiemonster on January 19, 2022, 11:58:39 pm
mush2020, I'm struggling to follow the flow you want to have. Draw a basic flow leaving only the basics, and get them working before adding variables like parental controls, etc.
Is ADG installed on the OPN device (so ports need to not conflict) or on a different host? I'll show you mine:
dhcp clients --> AGH on OPN : 53  --> Unbound on OPN : 5353  --> Stubby on OPN : 853 --> DoT resolvers on internet.

There are settings on each part that matter, but you see that DNS queries from LAN clients go, without having to change them, to AGH on the normal port. They get their setting from the OPN DHCPv4 service when they request an IP lease.
Then AGH receives them and blocks ad domains, which is what it is good for, and I don't use parental controls there; I suggest enabling it only when the normal flow is working. AGH then sends the non-filtered queries upstream to Unbound on a different port because they're on the same machine. Then Unbound sends them upstream to a stub resolver for DoT that is configured with the resolvers I want it to use and operates DoT on port 853.
You don't have to use Stubby, so your last bit of configuration is on Unbound. There you could define your DoT resolvers and your flow is complete.

As KHE said, this is "normal" DNS traffic on port 53. Dealing with the rest, like clients not respecting normal DNS on port 53, is step 2. Be aware there are two cases: DoT and DoH, depending on the client (machine making the outbound request). Different approach, and DoH is something we might have to live with for the moment.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 20, 2022, 04:31:35 am
Is ADG installed on the OPN device (so ports need to not conflict) or on a different host? I'll show you mine:
dhcp clients --> AGH on OPN : 53  --> Unbound on OPN : 5353  --> Stubby on OPN : 853 --> DoT resolvers on internet.

I have a similar flow, except instead of Stubby I have Unbound.
In Opnsense
System|Settings|General DNS Servers are blank
Unchecked:
Allow DNS server list to be overridden by DHCP/PPP on WAN
Do not use the local DNS service as a nameserver for this system

In Unbound
Listen Port: 8383
Network Interfaces: All
Enable DNSSEC Support = Unchecked
Register DHCP leases = Checked
Register DHCP static mappings = Checked
DNS over TLS = Cleanbrowsing DoT over 853 added, but Disabled


In AGH
Listening port 53

Under General Settings
Block domains using filters and host file=Checked
Use safe search=Checked

Under Upstream DNS servers
tls://dns-family.adguard.com:853
[/fw.mydomain.com/]192.168.50.254:8383

Parallel request=selected

Bootstrap DNS servers
192.168.50.254:8383

Private reverse DNS servers
Blank

use private rDNS resolver = Checked
enable reverse resolving of client's IP address=Checked


Under Setup Guide All these are listed
Configure your devices
To start using AdGuard Home, you need to configure your devices to use it.
AdGuard Home DNS server is listening on the following addresses:
192.168.50.254 (Opnsense LAN)
192.168.8.200 ( Opnsense WAN)
192.168.10.254 (Opnsense WiFi physical Interface connected to AP)
::1
127.0.0.1
https://fw.mydomain.com/dns-query
tls://fw.mydomain.com.com:853
quic://fw.mydomain.com.com:784

Under Encryption Setting
Enable Encryption=Checked with Cert Status Valid

With all these settings everything works fine.

Now the problem starts if I enable
Use Adguard browsing web service
Use Adguard parental control web service
With both or either enabled, DNS requests time out.

I cannot understand why enabling these options causes a DNS issue.
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: cookiemonster on January 20, 2022, 11:01:38 am
I can't tell without knowing what I asked for, like same machine or not, etc., but from what you wrote I see this flow:

client  --> AGH:53  --> external=adguard.com:853
                         internal=Unbound:8383     --> ?

What is unclear to me is where Unbound is looking for external resolvers to send the queries to.
Quote
Now the problem starts if i enable
Use Adguard browsing web service
Use Adguard parental control web service
Both or either enabled DNS request Timed Out occurs.
I can't tell but I can't tell how the basic flow is working at the moment either.
What does this do?
Quote
Under Upstream DNS servers
tls://dns-family.adguard.com:853
[/fw.mydomain.com/]192.168.50.254:8383
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: KHE on January 20, 2022, 11:16:23 am
Hi,

I can't tell but I can't tell how the basic flow is working at the moment either.
What does this do?
Quote
Under Upstream DNS servers
tls://dns-family.adguard.com:853
[/fw.mydomain.com/]192.168.50.254:8383

[/fw.mydomain.com/]192.168.50.254:8383:
This tells AGH to send queries for *.fw.mydomain.com and fw.mydomain.com to unbound at 192.168.50.254:8383

and all other queries go to tls://dns-family.adguard.com:853.

Look here (https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#upstreams-for-domains) in the documentation wiki.

KH
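To make the upstream-for-domains rule KHE describes concrete, here is an added example (not AdGuard Home's own code) that takes upstream lines in that syntax and reports which upstream a given query name would be routed to. It goes slightly beyond the post: it also handles several domains on one line (`[/a/b/]upstream`) and the `[/domain/]#` form that hands a domain back to the default upstreams, and it assumes the longest matching domain wins, which you should verify against the wiki linked above.

```python
"""Decide which AdGuard Home upstream a query name is sent to, using the
upstream-for-domains syntax from the post: a plain line is a default upstream,
`[/domain/]upstream` applies to that domain and all of its subdomains, several
domains can share one line as `[/a/b/]upstream`, and `[/domain/]#` sends the
domain back to the default upstreams. Longest matching domain wins (assumed
to match AdGuard Home's behaviour; verify against the wiki linked above).
Constructed example, not AdGuard Home's own code."""

import re
from typing import List, Tuple

SPEC_RE = re.compile(r"^\[/(?P<domains>[^\]]*)/\](?P<upstream>.+)$")


def parse_upstreams(lines: List[str]) -> Tuple[List[str], List[Tuple[List[str], str]]]:
    """Split upstream lines into (default_upstreams, [(domains, upstream), ...])."""
    defaults: List[str] = []
    rules: List[Tuple[List[str], str]] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        m = SPEC_RE.match(line)
        if not m:
            defaults.append(line)  # no [/.../] prefix: a default upstream
            continue
        domains = [d.strip(".").lower() for d in m.group("domains").split("/") if d.strip()]
        rules.append((domains, m.group("upstream").strip()))
    return defaults, rules


def select_upstream(config, qname: str) -> List[str]:
    """Return the upstream(s) that would receive a query for qname."""
    defaults, rules = config
    name = qname.rstrip(".").lower()
    best_len, best = -1, None
    for domains, upstream in rules:
        for d in domains:
            # the rule covers the domain itself and everything below it
            if (name == d or name.endswith("." + d)) and len(d) > best_len:
                best_len, best = len(d), upstream
    if best is None or best == "#":
        return list(defaults)
    return [best]


# Upstream list from mush2020's post, plus one constructed `#` exclusion line.
POST_UPSTREAMS = [
    "tls://dns-family.adguard.com:853",
    "[/fw.mydomain.com/]192.168.50.254:8383",
    "[/guest.fw.mydomain.com/]#",   # constructed: hand this subzone to the default upstream
]

if __name__ == "__main__":
    cfg = parse_upstreams(POST_UPSTREAMS)
    for q in ("example.com", "fw.mydomain.com", "nas.fw.mydomain.com", "tv.guest.fw.mydomain.com"):
        print(f"{q:28} -> {select_upstream(cfg, q)}")
```

Run it as-is to see the two lines from the post in action: anything at or below fw.mydomain.com goes to Unbound on 192.168.50.254:8383, everything else to the AdGuard family DoT upstream, and a name that merely ends in the same characters (such as notfw.mydomain.com) does not match.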
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: cookiemonster on January 20, 2022, 05:37:39 pm
thanks for that.
So still, where's Unbound sending the queries to?
this bit:
 internal=Unbound:8383     --> ?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: KHE on January 20, 2022, 06:10:59 pm
It depends on the setting of Enable Forwarding Mode in Services: Unbound DNS: General which we do not know.
If unchecked, nowhere. I am not sure if Unbound starts with that setting.
If checked, to 127.0.0.1:53, which is in resolv.conf, so AGH. Not sure what happens in this case if you try to resolve a non-existing entry in fw.mydomain.com.

KH
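Both cookiemonster's chain (clients -> AGH:53 -> Unbound:5353 -> Stubby:853 -> DoT) and the situation KHE raises here (Unbound forwarding to 127.0.0.1:53, which is AGH, while AGH hands fw.mydomain.com back to Unbound) are easiest to reason about as a small graph of hops. The following added example, which is not code from OPNsense, AdGuard Home or Unbound, models each service as a listening address plus the upstreams it forwards to and walks the chain from the address DHCP hands to clients, flagging port conflicts, forwarding to an address where nothing listens, a hop with no upstream, and forwarding loops. Host and service labels are constructed; "opn" stands for the firewall itself.

```python
"""Sanity-check a chained DNS setup before layering on filtering features.

Each resolver is a hop with a listening address and the upstreams it forwards
to; the check walks the chain from the address clients are handed by DHCP.
Reports: two services fighting over one port, a hop forwarding to an address
where nothing listens, a hop with no upstream at all, and forwarding loops.
Constructed example; it is not code from OPNsense, AdGuard Home or Unbound.
"""

from dataclasses import dataclass, field
from typing import List, Tuple

Addr = Tuple[str, int]   # (host label, port); "opn" stands for the firewall itself


@dataclass
class Hop:
    name: str                      # service label, e.g. "agh"
    host: str                      # host label it listens on
    port: int                      # listening port
    upstreams: List[Addr] = field(default_factory=list)  # where it forwards queries
    external: bool = False         # internet resolver: the chain ends here


def check_chain(hops: List[Hop], entry: Addr) -> List[str]:
    """Return a list of problems found; an empty list means the chain is sane."""
    problems: List[str] = []
    by_addr = {}
    for h in hops:
        key = (h.host, h.port)
        if key in by_addr:
            problems.append(f"port conflict on {h.host}:{h.port}: "
                            f"{by_addr[key].name} and {h.name}")
        by_addr[key] = h

    def walk(addr: Addr, path: List[str]) -> None:
        hop = by_addr.get(addr)
        if hop is None:
            sender = path[-1] if path else "clients"
            problems.append(f"dangling upstream {addr[0]}:{addr[1]} (forwarded to by {sender})")
            return
        if hop.name in path:
            problems.append("forwarding loop: " + " -> ".join(path + [hop.name]))
            return
        path = path + [hop.name]
        if hop.external:
            return
        if not hop.upstreams:
            problems.append(f"{hop.name} has no upstream (forwarding disabled?)")
            return
        for up in hop.upstreams:
            walk(up, path)

    walk(entry, [])
    return problems


# Chain from cookiemonster's post: AGH:53 -> Unbound:5353 -> Stubby:853 -> DoT resolver.
WORKING_CHAIN = [
    Hop("agh", "opn", 53, [("opn", 5353)]),
    Hop("unbound", "opn", 5353, [("opn", 853)]),
    Hop("stubby", "opn", 853, [("dot-resolver", 853)]),
    Hop("dot-resolver", "dot-resolver", 853, external=True),
]

# The case KHE raises: Unbound on 8383 forwarding to 127.0.0.1:53 (AGH), while AGH
# sends fw.mydomain.com back to Unbound on 8383. Constructed; assumes one host.
LOOPING_CHAIN = [
    Hop("agh", "opn", 53, [("adguard-dot", 853), ("opn", 8383)]),
    Hop("unbound", "opn", 8383, [("opn", 53)]),
    Hop("adguard-dot", "adguard-dot", 853, external=True),
]

if __name__ == "__main__":
    for label, chain in (("working", WORKING_CHAIN), ("looping", LOOPING_CHAIN)):
        print(label, check_chain(chain, ("opn", 53)) or "OK")
```

The working chain comes back clean; the looping one reports `forwarding loop: agh -> unbound -> agh`, which is exactly the query that would time out for a name under fw.mydomain.com that Unbound does not know.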
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 21, 2022, 04:11:41 am
If Unbound is disabled completely, then how does DNS resolution happen in Opnsense?
The only option I assume will work is having DNS entries in System|Settings|General.
I will have to throw a query to AG support or see in the forum if anyone has a similar issue.

I want to know one thing: can AGH work without Unbound? If yes, then what are the settings and ports to be used?
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 21, 2022, 04:27:45 am
I have tried nslookup and got the following results. Basically I wanted to check if resolution is happening for the domains that point to the parental control and safe browsing features.
As per the result, one of the domains is a non-existent domain.

Connected to ISP router Directly

PS C:\Users\user1> nslookup
Default Server:  homerouter.cpe
Address:  192.168.8.1

> family-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Non-authoritative answer:
Name:    family-block.dns.adguard.com
Address:  176.103.130.135

> standard-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Non-authoritative answer:
Name:    standard-block.dns.adguard.com
Address:  176.103.130.133

> family-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Connected to WiFi via Opnsense

PS C:\Users\user1> nslookup
Default Server:  fw.mydomain.com
Address:  192.168.10.254

> family-block.dns.adguard.com
Server:  fw.mydomain.com
Address:  192.168.10.254

*** fw.mydomain.com can't find family-block.dns.adguard.com: Non-existent domain
> standard-block.dns.adguard.com
Server:  fw.mydomain.com
Address:  192.168.10.254

Non-authoritative answer:
Name:    standard-block.dns.adguard.com
Address:  176.103.130.133
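The two transcripts above are easier to compare side by side than by eye. The following added example (built on the transcripts from the post, not code from the thread) parses Windows-style interactive nslookup output into a per-name result and diffs two vantage points, so a name that is answered through the ISP router but comes back NXDOMAIN through the OPNsense resolver stands out. It assumes one address per answer, which is what the pasted output shows.

```python
"""Parse Windows nslookup transcripts like the two pasted above into
{queried name: {"status": ..., "addresses": [...]}} and diff two vantage
points, so a name that resolves through one resolver but comes back
NXDOMAIN through another stands out. Constructed example built on the
transcripts from the post; not code from the thread."""

import re
from typing import Dict, Tuple

QUERY_RE = re.compile(r"^>\s*(\S+)")                  # "> name" typed at the prompt
NAME_RE = re.compile(r"^Name:\s+(\S+)")                # start of an answer section
ADDR_RE = re.compile(r"^Address(?:es)?:\s+(\S+)")      # resolver's or answer's address
NXDOMAIN_RE = re.compile(r"can't find (\S+): Non-existent domain")


def parse_nslookup(transcript: str) -> Dict[str, dict]:
    """Map each queried name to its status ('answered', 'NXDOMAIN', 'no answer')."""
    results: Dict[str, dict] = {}
    current = None
    in_answer = False   # True once a "Name:" line was seen for the current query
    for raw in transcript.splitlines():
        line = raw.strip()
        m = QUERY_RE.match(line)
        if m:
            current = m.group(1).rstrip(".")
            results.setdefault(current, {"status": "no answer", "addresses": []})
            in_answer = False
            continue
        if current is None:
            continue   # banner lines before the first query
        if NXDOMAIN_RE.search(line):
            results[current]["status"] = "NXDOMAIN"
            continue
        if line.startswith("Server:"):
            in_answer = False   # the Address: that follows is the resolver's, not an answer
            continue
        if NAME_RE.match(line):
            in_answer = True
            continue
        m = ADDR_RE.match(line)
        if m and in_answer:
            results[current]["addresses"].append(m.group(1))
            results[current]["status"] = "answered"
    return results


def compare(a: Dict[str, dict], b: Dict[str, dict]) -> Dict[str, Tuple[str, str]]:
    """Names whose status differs between the two parsed transcripts."""
    diff: Dict[str, Tuple[str, str]] = {}
    for name in sorted(set(a) | set(b)):
        sa = a.get(name, {}).get("status", "not queried")
        sb = b.get(name, {}).get("status", "not queried")
        if sa != sb:
            diff[name] = (sa, sb)
    return diff


# Transcripts copied from the post (raw strings so the Windows path survives).
ISP_TRANSCRIPT = r"""PS C:\Users\user1> nslookup
Default Server:  homerouter.cpe
Address:  192.168.8.1

> family-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Non-authoritative answer:
Name:    family-block.dns.adguard.com
Address:  176.103.130.135

> standard-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Non-authoritative answer:
Name:    standard-block.dns.adguard.com
Address:  176.103.130.133
"""

OPNSENSE_TRANSCRIPT = r"""PS C:\Users\user1> nslookup
Default Server:  fw.mydomain.com
Address:  192.168.10.254

> family-block.dns.adguard.com
Server:  fw.mydomain.com
Address:  192.168.10.254

*** fw.mydomain.com can't find family-block.dns.adguard.com: Non-existent domain
> standard-block.dns.adguard.com
Server:  fw.mydomain.com
Address:  192.168.10.254

Non-authoritative answer:
Name:    standard-block.dns.adguard.com
Address:  176.103.130.133
"""

if __name__ == "__main__":
    isp = parse_nslookup(ISP_TRANSCRIPT)
    opn = parse_nslookup(OPNSENSE_TRANSCRIPT)
    for name, (via_isp, via_opn) in compare(isp, opn).items():
        print(f"{name}: ISP={via_isp}, OPNsense={via_opn}")
```

Paste your own nslookup sessions into the two strings to re-run the comparison; the output lists only the names whose result differs between the two resolvers.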
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: KHE on January 21, 2022, 12:07:46 pm
Hi

If Unbound is disabled completely then how DNS resolutions happen in Opnsense.
The only option i assume will work is having DNS entries in System|Settings|General
OK, still assuming AGH is running on port 53 and on all interfaces, then it is used: AGH and all the others you added in System:Settings:General. If there are none, only AGH. If you look at your /etc/resolv.conf, there is always the following entry:
nameserver 127.0.0.1

I will have to throw query to AG support or see in forum, if anyone has similar issue.

I want to know one think can AGH work without Unbound? if Yes then, what are the settings and ports to be used.
If you remove Unbound from the upstream, the only thing you lose is access to the DHCP entries and overrides from Unbound, if you have still configured the AdGuard DNS server as upstream.

For not being able to resolve when the options in AGH are activated, the AG support & forum are the better places, I think.

KH
Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 21, 2022, 01:07:39 pm
I just did a clean re-install of AGH.
Now the settings are:

In Opnsense
Added 127.0.0.1 with no GW in System | General | DNS Server

Unbound
Listen port is 53 (default)
Network Interfaces: All
Enable DNSSEC Support=Unchecked
Register DHCP leases=Checked
Register DHCP static mappings=Checked
DNS over TLS= Removed all
Custom Options:
server:
  do-not-query-localhost: no
forward-zone:
  name: "."    # Allow all DNS queries
  forward-addr: 127.0.0.1@5353

In AGH
Listening port: 5353

Under General Settings
Block domains using filters and host file=Checked
Use safe search=Checked

Under Upstream DNS servers
tls://dns-family.adguard.com

Parallel request=selected

Bootstrap DNS servers
94.140.14.14
94.140.15.15

Private reverse DNS servers
Blank

use private rDNS resolver = Checked
enable reverse resolving of client's IP address=Checked


Under Encryption Setting
Enable Encryption=Checked with Cert Status Valid

With the above settings I'm getting the same issue by enabling parental control.
Now in Top Clients I see only 127.0.0.1.
What do I need to do to see all the clients instead?
I can see clients with hostnames in Client Settings | Client Runtime, but not on the dashboard.

Title: Re: How to Configure DNS in Opnsense With Unbound and W/Unbound
Post by: mush2020 on January 21, 2022, 08:08:39 pm
Can anyone help here to see this GitHub link below?
https://github.com/AdguardTeam/AdGuardHome/issues/2657
I'm not sure what the exact issue is and how it was resolved as per GitHub.
Can anyone forward this to the developer of this AGH plugin for Opnsense?