OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: chemlud on July 21, 2021, 10:21:46 AM

Title: DNS-over-TLS - strange result...
Post by: chemlud on July 21, 2021, 10:21:46 AM
Hello again!

Have unbound configured as DNS-over-TLS resolver, according to these settings

https://forum.opnsense.org/index.php?topic=21153.msg98895#msg98895

All traffic on port 53 is only allowed to opnsense.

On a linux client I have:

cat /etc/resolv.conf
# This file was generated by wg-quick(8) for use with
# the WireGuard interface wg0. It cannot be
# removed or altered directly. You may remove this file
# by running `wg-quick down wg0', or if that
# poses problems, run `umount /etc/resolv.conf'.

nameserver 10.10.10.1


where 10.10.10.1 is the opnsense.

OK, if I try to resolve openwall.com I get on this machine

ping openwall.com
ping: socket: Address family not supported by protocol
PING openwall.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.047 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.048 ms
64 bytes from localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.045 ms
^C
--- openwall.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4095ms
rtt min/avg/max/mdev = 0.041/0.045/0.048/0.002 ms


Who resolves openwall.com as localhost in this setup?!?!?

Same on other networks of the opnsense. A pfsense (2.5.1) using the same DNS-over-TLS servers resolves openwall.com correctly (I can copy the IP to the browser and get the correct page).

I'm a little confused...
Title: Re: DNS-over-TLS - strange result...
Post by: chemlud on July 21, 2021, 03:23:17 PM
Found it!

Believe it or not, openwall.com is on one of these DNS block lists activated (see attached), after disabling the DNS block lists, it resolves just fine...

Unbelievable.
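The check that would have answered "who resolves openwall.com as localhost?" directly is to query the configured resolver yourself and look at the raw A/AAAA answers: a blocklist-backed Unbound does not return NXDOMAIN for a listed name but a sinkhole address such as 127.0.0.1 or 0.0.0.0, which is exactly what the ping output above shows. The script below is an added example, not code from the thread or from OPNsense: it builds a minimal DNS query, parses the response, and classifies the result as resolved, sinkholed or empty. The server address 10.10.10.1 (the OPNsense from the post), the sinkhole prefix list, and the response packets built in `build_response` are assumptions constructed for this example; the live query in the `__main__` block needs UDP/53 reachability to that resolver.

```python
import ipaddress
import random
import socket
import struct
import sys

# Addresses a DNS blocklist typically hands back instead of the real record.
# Assumed set for this example; the thread observed 127.0.0.1 from Unbound.
SINKHOLE_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("127.0.0.0/8", "0.0.0.0/32", "::1/128", "::/128")]


def is_sinkhole(addr):
    """True if addr falls in one of the sinkhole networks above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SINKHOLE_NETWORKS)


def _encode_name(name):
    """Encode a DNS name as length-prefixed labels with a terminating zero."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Standard recursive query (RD=1) for one question of class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, addrs, txid=0x1234):
    """Constructed response packet (example data, not a real capture).
    Answer owner names use a compression pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:
        ip = ipaddress.ip_address(a)
        rtype = 1 if ip.version == 4 else 28          # A or AAAA
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(ip.packed)) + ip.packed
    return header + question + answers


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_answers(msg):
    """Return the A/AAAA addresses in the answer section as strings."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip question section
        _, off = _read_name(msg, off)
        off += 4                                       # qtype + qclass
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and rdlen == 16:
            addrs.append(str(ipaddress.IPv6Address(rdata)))
    return addrs


def classify(addrs):
    """'sinkholed' when every answer is a blocklist address, else 'resolved'."""
    if not addrs:
        return "no-answer"
    return "sinkholed" if all(is_sinkhole(a) for a in addrs) else "resolved"


def query(server, name, timeout=2.0):
    """Send one A query over UDP/53 to the resolver and parse the reply."""
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, 53))
        resp, _ = s.recvfrom(4096)
    if struct.unpack("!H", resp[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_answers(resp)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.1"   # the OPNsense
    name = sys.argv[2] if len(sys.argv) > 2 else "openwall.com"
    answers = query(server, name)
    print(name, "->", answers, classify(answers))
```

Run it against the firewall (`python3 dnscheck.py 10.10.10.1 openwall.com`) and against a resolver without the blocklist; a `sinkholed` verdict on the first and `resolved` on the second points at the blocklist rather than at DNS-over-TLS or the WireGuard `resolv.conf`.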