OPNsense Forum
Archive => 20.1 Legacy Series => Topic started by: votan on March 16, 2020, 03:54:49 pm
-
Hello,
I upgraded from 19.7 to 20.1 - in general, the OPNsense works.
With a frequency of 4-5 times a day, I get a DNS problem that I cannot nail down - can you please help:
- Clients in the network cannot resolve DNS anymore when this happens, e.g. I cannot open google.de in the web browser, or ping google.de.
"dig google.de" is not showing me any IP address then.
- If I go to "Interfaces-Diagnostics-DNS Lookup" on the OPNsense GUI, and then enter "google.de" there, I do get
a result, but it takes very long (roughly one minute) until I get a result. The DNS requests are reported to take only 20-40ms, so it looks like this is a problem within OPNsense, not upstream
- RE-starting Unbound does not solve the problem
- Re-starting whole of OPNsense does solve the problem, but only for a short amount of time
- htop on OPNsense is not showing me any process that could be a problem / that would be stale
Any idea what could cause the problem, what could be a solution, or how I could even nail it down?
Appreciate your help,
votan
-
Hi
I'm having the same issue with DNS.
I did now upgrade to 20.1.3.
will update if it got better.
-
Have you changed any settings in Unbound? By default it uses the ROOT DNS servers.
You could change it to upstream to CloudFlare or Google, add this to the advanced bit
server:
forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 8.8.8.8
-
I had problems with Cloudflare DNS the last few weeks, along with various other people on Twitter at the same time, switching to Google resolved it for me.
I couldn't resolve things like Google, Twitter, various random sites.
-
I'm already running with Cloudflare DNS + DoT over a year without any issues.
That is my config:
server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853 #Cloudflare ip4
forward-addr: 1.0.0.1@853 #Cloudflare ip4
I didn't try switching to Google.
-
Hi,
Unbound doesn't perform the verification of the server certificate by itself. You have to configure it to prevent MitM.
server:
tls-cert-bundle: "/etc/ssl/cert.pem"
forward-addr: 1.1.1.1#cloudflare-dns.com
This should be fine for cloudflare.
Source for other DNS Servers supporting DoT (DoH)
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c9
-
Thanks Mks, I will try that.
But what about the DNS issues that started after over a year without problems?
-
Same issue here... since the update, some clients (e.g. NAS) are no longer able to resolve via the Unbound DNS running on OPNsense...
-
Anyone on the DNS issues?
-
I'm having DNS issues as well using unbound in forwarding mode (DNS servers configured in general settings as well as in the unbound advanced options with the settings posted by y2kw).
Switched to DNSMASQ now, but do still have the "slowness" on some devices.
-
Hi,
Now that you mention it, I also experienced some "small" issues.
Error from the log:
info: error sending query to auth server
error: outgoing tcp: connect: Address already in use for
error: tcp connect: Operation timed out for
I'm using DoT with certificate validation, but this doesn't seem to be the problem.
br
-
Could it be somehow related to certificate providers?
Noted that I have HTTP connections to OCSP domains (in my understanding used during the TLS handshake to validate certificates) in the proxy log.
Tracert and ping e.g. to GoDaddy or DigiCert are slow currently. Don't know if there are some general problems slowing down requests?
-
Has anyone figured out why clients (based on Linux) have issues resolving names since the last update of OPNsense, while Windows machines do not?
My NAS and Ubiquiti Controller are not able to resolve addresses anymore, using OPNsense as DNS and gateway.
-
Does this go into the same section as where I specified the TLS info?
-
Hi, I just upgraded two routers to 20.1.6 and my DNS stopped working too.
My DNS Config:
ssl-upstream: yes
forward-zone:
name: "."
forward-addr: 46.182.19.48@853
forward-addr: 146.185.167.43@853
If I delete these entries it is working again. See configuration screenshot.
This issue occurred after the upgrade on two OPNsenses with different ISPs and different hardware.
-
Just tried mine with the forwarders you are using and it failed straight away. These are mine and they work fine.
ssl-upstream: yes
forward-zone:
name: "."
forward-addr: 9.9.9.9@853 #Quad9 ip4
forward-addr: 149.112.112.112@853 #Quad9 ip4
forward-addr: 2620:fe::fe@853 #Quad9 ip6
forward-addr: 1.1.1.1@853 #Cloudflare ip4
forward-addr: 1.0.0.1@853 #Cloudflare ip4
forward-addr: 2606:4700:4700::1111@853 #Cloudflare ip6
forward-addr: 2606:4700:4700::1001@853 #Cloudflare ip6
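As an added example (not from this thread or the OPNsense/Unbound projects), a small Python audit of forward-zone snippets like the ones posted above: it parses each forward-addr token the way Unbound does (ip@port#authname, with a space-separated #comment ignored) and flags what the MitM remark earlier in the thread is about, namely TLS forwarding without tls-cert-bundle, or forward-addr entries with no #authname to match the certificate against. The config text is constructed for the example.

```python
import re

# Constructed sample in the style of the snippets posted in this thread:
# only the first forward-addr carries a '#authname' for certificate checks.
SAMPLE_CONFIG = """\
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 9.9.9.9@853 #Quad9 ip4
  forward-addr: 2606:4700:4700::1111@853 #Cloudflare ip6
"""

ADDR_RE = re.compile(r'^\s*forward-addr:\s*(\S+)')
TLS_RE = re.compile(r'^\s*(?:forward-)?(?:tls|ssl)-upstream:\s*yes\b')
BUNDLE_RE = re.compile(r'^\s*tls-cert-bundle:\s*"?([^"\s]+)')


def parse_forward_addr(token):
    """Split an Unbound 'ip@port#authname' token into (ip, port, authname).
    Only the whitespace-free token is inspected, so a trailing ' #comment'
    (as in the posts above) is never mistaken for an auth name."""
    auth = None
    if '#' in token:
        token, auth = token.split('#', 1)
    port = 53
    if '@' in token:
        token, port_str = token.rsplit('@', 1)  # rsplit keeps IPv6 colons intact
        port = int(port_str)
    return token, port, auth


def audit(config_text):
    """List the forwarding entries that TLS alone does not protect against an
    impersonated upstream: no CA bundle, or no hostname to match the cert to."""
    lines = config_text.splitlines()
    tls_on = any(TLS_RE.match(l) for l in lines)
    bundle = next((BUNDLE_RE.match(l).group(1) for l in lines if BUNDLE_RE.match(l)), None)
    findings = []
    if tls_on and bundle is None:
        findings.append('tls-cert-bundle missing: no CA store, upstream certificates are not verified')
    for l in lines:
        m = ADDR_RE.match(l)
        if m:
            ip, port, auth = parse_forward_addr(m.group(1))
            if tls_on and auth is None:
                findings.append(f'{ip}@{port}: no #authname, certificate is not matched to a hostname')
    return findings
```

Running audit(SAMPLE_CONFIG) reports the two Quad9/Cloudflare entries that carry only a port; the same check applied to the address lists posted above flags every entry written as ip@853 with no auth name.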
-
Hello,
thank you for that solution, your DNS Servers are working fine.
Why mine stopped working after the upgrade, I don't know...