OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: JL on December 31, 2022, 03:39:58 pm

Title: Failing DNS services
Post by: JL on December 31, 2022, 03:39:58 pm
While on older OPNsense the 'intrusion detection service' frequently crashed, after the upgrade to 22.7 there are new issues: now it is the DNS services crashing ... which worked fine with older OPNsense releases.

There are no apparent log entries indicating the reasons for the DNS service crashes, using unbound+dnscrypt+bind.
To my surprise all three services go down simultaneously. As I've noticed at least one successful (likely) DNS spoofing attempt, I'm not confident these crashes are benign.

Title: Re: Failing DNS services
Post by: newsense on December 31, 2022, 07:11:02 pm
If DNScrypt is a must, use the latest version in a docker container. The one in OPNsense is quite old, unsure where the issue is there but I wouldn't use it on the internet until it is upgraded to current.

Bind -- zone management on the FW wouldn't be my first choice.

For anything else Unbound is more than fit for the job, and latest version as well.


Removing one or two if possible from the chain would help you narrow down the DNS issues.

Title: Re: Failing DNS services
Post by: JL on January 03, 2023, 08:13:10 pm
If DNScrypt is a must, use the latest version in a docker container. The one in OPNsense is quite old, unsure where the issue is there but I wouldn't use it on the internet until it is upgraded to current.

Bind -- zone management on the FW wouldn't be my first choice.

For anything else Unbound is more than fit for the job, and latest version as well.


Removing one or two if possible from the chain would help you narrow down the DNS issues.

Thanks, to me these are DoS issues caused by unknown origin.

It is interesting you mention dnscrypt is outdated, I'll check, thanks. Personally, I stay away from Docker, don't like it for no tangible reason. It is bad IT to me.

I disagree that Unbound is adequate; it is not a very stable service.
I disagree that running zone management on a firewall should not be the first choice; if a firewall cannot stay up or stay intact, there is little use for it.

Title: Re: Failing DNS services
Post by: Frostbite8289 on January 04, 2023, 04:54:56 pm
Logically I would not expect two different DNS servers to work at the same time on the same server/firewall, but I haven't tried it on OPNsense. I would expect DNSCrypt and one DNS server to work.
Unbound was crashing on its own for me so I had to turn that off and use other DNS servers.
Clearly it would be nice if this got fixed but I have no delusions of having all services on my firewall.
Having two other DNS servers (or one, if that works for you) that your firewall uses works just fine for now.
It does not block OPNsense use.
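A quick check for the situation the thread circles around (several resolvers on one box, all going down together): list what is bound to port 53 and flag two daemons sharing the same socket. This is an added example, not from the thread or from OPNsense; it parses the column layout of FreeBSD's `sockstat -l` (OPNsense runs on FreeBSD), and the sample output below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Constructed sample in the format of `sockstat -4 -l` on FreeBSD. On a live
# firewall you would pipe real output instead:
#   sockstat -4 -6 -l -p 53 | port53_listeners
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    1234  3  udp4   192.168.1.1:53        *:*
unbound  unbound    1234  4  tcp4   192.168.1.1:53        *:*
_dnscrypt dnscrypt-proxy 2345 5 udp4 127.0.0.1:5353       *:*
bind     named      3456  20 udp4   192.168.1.1:53        *:*
bind     named      3456  21 tcp4   192.168.1.1:53        *:*
root     sshd       999   4  tcp4   *:22                  *:*'

# Reads sockstat output on stdin; prints "proto local-address command"
# for every socket listening on port 53 (header line skipped).
port53_listeners() {
  awk 'NR > 1 && $6 ~ /:53$/ { print $5, $6, $2 }'
}

# Reads sockstat output on stdin; prints the number of proto+address pairs
# on port 53 claimed by more than one command. Anything above 0 means two
# resolvers are competing for one socket, which makes the losing daemon
# fail to start or restart, so the whole chain appears to "crash together".
port53_conflicts() {
  port53_listeners | awk '
    { key = $1 " " $2
      if (!(key in seen)) seen[key] = $3
      else if (seen[key] != $3) conflict[key] = 1 }
    END { n = 0; for (k in conflict) n++; print n }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SOCKSTAT" | port53_listeners
printf 'conflicting port-53 sockets: %s\n' \
  "$(printf '%s\n' "$SAMPLE_SOCKSTAT" | port53_conflicts)"
```

In the constructed sample dnscrypt-proxy is parked on 5353 and does not conflict, while unbound and named both claim 192.168.1.1:53 over UDP and TCP, so the script reports two conflicting sockets.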