OPNsense Forum

English Forums => General Discussion => Topic started by: Nnyan on April 06, 2021, 08:36:46 AM

Title: Dynamic DNS and TLS
Post by: Nnyan on April 06, 2021, 08:36:46 AM
Hello,

I have my DNS TLS working as per: https://sahlitech.com/opnsense-setup-unbound-dns/

Those instructions (and other places) tell you NOT to put DNS servers in the System > Settings > General area.  BUT when I attempt to set up my DDNS I see this:

You must configure a DNS server in System: General setup or allow the DNS server list to be overridden by DHCP/PPP on WAN for dynamic DNS updates to work.

Looks like my option is to enable "allow DNS server list to be overridden...", but I'm not exactly sure what this does / how it works / how it will impact the DoT setup?  Do I need to exclude an interface?
Title: Re: Dynamic DNS and TLS
Post by: juere on April 06, 2021, 09:54:34 AM
As long as you don't tick "Enable Forwarding mode" in the Unbound configuration, Unbound should only use your DoT forwarders explicitly given in "Custom Configuration", and you *may* enter DNS servers under "System -> General" without Unbound using them.
All your clients will be using DoT secured DNS then.

The OPNsense gateway itself *may* fall back to using unsecured DNS, as /etc/resolv.conf contains 127.0.0.1 as well as the servers from "System -> General":


root@gw01:~ # cat /etc/resolv.conf
domain mydomain.local
nameserver 127.0.0.1
nameserver 9.9.9.9
nameserver 149.112.112.112
nameserver 2620:fe::fe
nameserver 2620:fe::9


That's the configuration I'm using :)

It would be a nice feature if one could enter the DNS servers under "System -> General" in "DoT" syntax:


9.9.9.9@853#dns9.quad9.net
Title: Re: Dynamic DNS and TLS
Post by: Nnyan on April 06, 2021, 05:58:15 PM
Thank you for the info!  Is there any way of knowing (get a notice) when the gateway falls back to an unsecured DNS?
Title: Re: Dynamic DNS and TLS
Post by: juere on April 06, 2021, 06:30:29 PM
As already mentioned "unsecure DNS" should only happen on the gateway itself, not on the clients with the given configuration.

I'm not that much of an expert on FreeBSD, but on Linux the list of DNS servers in /etc/resolv.conf is ordered.
That is, the first nameserver contacted will always be "127.0.0.1", which is Unbound (and therefore "secure").
Only if the query times out will the next nameserver be queried.

If this is the same for FreeBSD (which I strongly suspect), "unsecure DNS" will only happen if Unbound is for some reason not running or not answering. If it is answering with NXDOMAIN (which will happen for "malware domains" when using quad9.net as forwarder), this is a valid answer and no other nameserver should be contacted.

I think there is no easy way of getting a notice for "unsecure DNS", but you can test yourself by searching for outgoing packets with destination port 53 in the firewall live log.
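The two checks described in this reply (what the gateway's own /etc/resolv.conf would fall back to once 127.0.0.1 stops answering, and looking for outbound destination-port-53 traffic) can be scripted. The following is an added example written for this thread, not code from the forum or from the OPNsense project. It parses Unbound's forward-addr syntax as quoted above (`9.9.9.9@853#dns9.quad9.net`), lists the non-loopback nameservers from a resolv.conf in resolver order, and flags outbound TCP/UDP flows to port 53. The resolv.conf content is the one quoted in this thread; the firewall records are constructed and use a simplified dict layout, which is an assumption and not OPNsense's real filterlog format.

```python
"""Audit a DoT-only Unbound setup for plaintext-DNS fallback paths.

Added example for the forum thread above; not from the thread or OPNsense.
All inputs are constructed inline. The firewall record layout is a
simplified stand-in for whatever your log export produces (assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Forwarder:
    address: str
    port: int
    auth_name: Optional[str]


def parse_forward_addr(spec: str) -> Forwarder:
    """Parse Unbound's forward-addr syntax: IP[@port][#authname].

    '9.9.9.9@853#dns9.quad9.net' is the DoT form quoted in the thread;
    a bare '9.9.9.9' means plaintext port 53 with no certificate check.
    """
    auth_name = None
    if "#" in spec:
        spec, auth_name = spec.split("#", 1)
    port = 53
    if "@" in spec:
        # rsplit: IPv6 literals contain ':' but never '@'
        spec, port_text = spec.rsplit("@", 1)
        port = int(port_text)
    ipaddress.ip_address(spec)  # raises ValueError if not an IP literal
    return Forwarder(spec, port, auth_name or None)


def is_dot(fwd: Forwarder) -> bool:
    """DoT needs port 853 plus an auth name so Unbound can verify the cert."""
    return fwd.port == 853 and fwd.auth_name is not None


def plaintext_fallbacks(resolv_conf: str) -> List[str]:
    """Non-loopback nameservers in resolv.conf order.

    The stub resolver tries 127.0.0.1 (Unbound) first; whatever is returned
    here is where the gateway itself would go, in the clear, if Unbound
    stopped answering.
    """
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return [s for s in servers if not ipaddress.ip_address(s).is_loopback]


def outbound_plaintext_dns(records) -> List[dict]:
    """Flag outbound TCP/UDP flows to port 53, as the live-log search would."""
    return [r for r in records
            if r["direction"] == "out"
            and r["proto"] in ("tcp", "udp")
            and r["dport"] == 53]


# Constructed sample: the resolv.conf quoted earlier in the thread.
RESOLV_CONF = """domain mydomain.local
nameserver 127.0.0.1
nameserver 9.9.9.9
nameserver 149.112.112.112
nameserver 2620:fe::fe
nameserver 2620:fe::9
"""

# Constructed, simplified firewall records (not the real filterlog layout).
SAMPLE_RECORDS = [
    {"direction": "out", "proto": "tcp", "src": "192.0.2.1", "dst": "9.9.9.9", "dport": 853},
    {"direction": "out", "proto": "udp", "src": "192.0.2.1", "dst": "9.9.9.9", "dport": 53},
    {"direction": "in", "proto": "udp", "src": "192.0.2.50", "dst": "192.0.2.1", "dport": 53},
    {"direction": "out", "proto": "tcp", "src": "192.0.2.1", "dst": "198.51.100.7", "dport": 443},
]


def audit(resolv_conf: str, forwarders: List[str], records) -> dict:
    """Run the three checks and return one report dict."""
    parsed = [parse_forward_addr(f) for f in forwarders]
    return {
        "non_dot_forwarders": [f.address for f in parsed if not is_dot(f)],
        "gateway_fallbacks": plaintext_fallbacks(resolv_conf),
        "plaintext_flows": outbound_plaintext_dns(records),
    }


if __name__ == "__main__":
    report = audit(
        RESOLV_CONF,
        ["9.9.9.9@853#dns9.quad9.net", "149.112.112.112@853#dns9.quad9.net"],
        SAMPLE_RECORDS,
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the thread's resolv.conf the report lists four non-loopback fallback servers, which is exactly the exposure the reply describes: clients behind the firewall always hit Unbound, but the gateway's own lookups have a plaintext escape route if Unbound is down. An empty `plaintext_flows` list over a real log export is the evidence that no such fallback has occurred.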
Title: Re: Dynamic DNS and TLS
Post by: Maurice on April 09, 2021, 01:25:30 PM
Quote from: Nnyan on April 06, 2021, 08:36:46 AM
BUT when I attempt to set up my DDNS I see this:

You must configure a DNS server in System: General setup or allow the DNS server list to be overridden by DHCP/PPP on WAN for dynamic DNS updates to work.

That looks like a bug to me. I see no reason why the DynDNS plugin would require external DNS servers. This plugin is unfortunately notorious for having ancient unmaintained code.
What happens if you enter a DNS server in 'System: Settings: General', then configure DynDNS, then delete the DNS server? Does DynDNS keep working?

Cheers

Maurice
Title: Re: Dynamic DNS and TLS
Post by: Nnyan on April 09, 2021, 07:18:07 PM
Not sure what happened, but I did a reboot for another unrelated reason, and when I got back to this it was working.
Title: Re: Dynamic DNS and TLS
Post by: Layer8 on September 06, 2021, 01:45:28 PM
I have a similar setup and some problems with automated Dynamic DNS Updates.

I found this thread because of the "You must configure a DNS server in System: General setup or allow the DNS server list to be overridden by DHCP/PPP on WAN for dynamic DNS updates to work." message.

That's my setup:

OPNsense 21.7.1-amd64
os-dyndns 1.24_2 (which is marked as misconfigured* under System: Firmware - Plugins)
unbound   1.13.1

My ISP provides dynamic IPs, so after each reconnect I get a new IPv4 address.

I configured DNS over TLS with unbound. These are the settings:
[General]
Enabled: Checked
Network Interfaces: All
DHCP-Registration: Checked
IPv6 Link-local: Checked
Local Zone Type: transparent
Outgoing Network Interfaces: All

Overrides: 2
Advanced is untouched
Access Lists is untouched
Blocklist is enabled with some adblockers
DNS over TLS: 2 servers added

I am using the Dynamic DNS service with the following settings for each entry:
Enabled: Checked
Service Type: Cloudflare API token
Interface to Monitor: PPPoE WAN Interface
Hostname: mydyn.dns.com
Verbose logging: unchecked
Password: *cloudflare pass*
TTL: 1
Description: Some text

To make sure that DNS can't be used by a client with static DNS servers, I also blocked outgoing IPv4+6 TCP/UDP port 53 on the WAN interface.

Today I had a reconnect of the WAN connection, so the PPPoE IP changed, but the Dynamic DNS service didn't update the DNS records (I wasn't able to connect a road-warrior client to my VPN). The interesting thing was that the cached IP displayed under Services - Dynamic DNS was colored red, so I think the Dynamic DNS service recognized that the WAN interface had a new IP but didn't update it automatically. I had to do a force update / restart of the DynDNS service to update my DynDNS records.

I recognized some similar problems in the past with my site-to-site VPN setup.

So I don't know why Dynamic DNS didn't update the DNS records.