Hi there,
been using OPNsense for about a month now, incredible stuff. Love it.
But I've been noticing an issue on reboots. I have the plugin AdGuard Home from mimugmail, and from the logs I'm noticing that Dynamic DNS is trying to update, but AdGuard hasn't started yet. So the DNS stuff isn't working, and obviously the Dynamic DNS isn't going to work. Plus about 7 other plugins never start until I manually turn on AdGuard. Then everything goes back to normal and the bootup completes.
Is there some kind of config I can edit or something to change the weight/boot order so AdGuard could be the top first things to load?
I have the same problem. Would be awesome to be able to solve this.
You can use the rc.syshook framework to load AdGuard in "early" stage, but in this case the network isn't set up yet and I don't have any idea what the (unofficial) plugin does or how AdGuard must be configured.
In particular, it would still be better to have an internal resolver like Dnsmasq or Unbound that is properly wired to provide the system with a way to resolve DNS during boot up and then rather use port forwards to capture DNS traffic from attached networks to funnel through AdGuard which uses the local service as a forward.
Cheers,
Franco
I would have Unbound listen on localhost only and leave System : Settings : General DNS Server empty so it uses Unbound. AdGuardHome should only listen on the LAN address. Should work best.
Thanks Mimugmail for your reply. I have a couple of questions:
1.
Quote: Unbound listen to localhost only
I can only select LAN, WAN, WG, so I select LAN, or is there a custom field to be used?
2.
Quote: General DNS Server empty
I have that empty already. Check.
3.
Quote: AdGuardHome only listen to LAN address.
Can I change this in my AdGuard Home settings when I have it already up and running? Can't find how to change it in the GUI.
Oh right, I'm sorry, I forgot to mention I am using Unbound. The way I have the paths going is AdGuard on port 53, then in the AdGuard Upstream DNS servers I point it to 127.0.0.1:5353, which is what Unbound is on.
Would maybe doing it the other way around or something fix this issue? Like Unbound on 53 and AdGuard on 5353, though I'm not sure how to forward the traffic from Unbound to AdGuard so it does the job in reverse (from the config I have now).
The easier way, because it is all in the UIs:
OPN:
Unbound
Listen port : 5353 for example
Network Interface : LAN + any other internal networks you want like OPT1
System > Settings > General:
DNS servers fields are empty.
Do not use the local DNS service as a nameserver for this system is ticked.
AdguardHome on OPN:
Upstream DNS servers: <OPN Listen IP>:5353
Bootstrap DNS servers : <OPN Listen IP>:5353
Private reverse DNS servers : <OPN Listen IP>:5353
That's my working setup up to Unbound and I deal with DoT differently from there. I have a very simple home setup.
What happens in this setup is my clients ask OPN via the DHCPv4 service for their DNS server to use.
OPN gives its LAN IP to use. The clients then send DNS requests to OPN on port 53.
Those are received by Adguard because from vanilla setup it grabs port 53.
ADG then sends the queries upstream to Unbound on 5353.
Unbound then goes out to resolvers I've setup with DoT and you could use the built in functionality in the UI for that.
You could do it the other way around, leaving Unbound on default 53 and changing ADG to a custom port by modifying its config file (no UI).
I think this is pretty much what the suggestion is. Basically system is using Unbound that is well wired into the booting sequence.
FormBurden, I see that is what you have set up. In that case maybe revise the settings in ADG.
I have it just like that and I don't see the same behaviour you do on DynamicDNS. Mine starts up without problem.
Or maybe it does and I haven't noticed it. It might resolve later on a further attempt. I'll see if I spot anything in the logs.
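The path cookiemonster describes above (clients hit OPN on 53, AdGuard Home answers there, Unbound sits on 5353 behind it) can be checked on the firewall itself by asking which daemon owns each listening port, which is the quickest way to see whether AdGuard really "grabbed" 53 or whether Unbound is still on it. The script below is an added example, not code from this thread, from OPNsense or from the AdGuard Home plugin. It parses FreeBSD/OPNsense `sockstat -l` output; the embedded sample output is constructed so the parser can be exercised offline, and the command names it expects (`unbound`, and `AdGuardHom` because sockstat truncates the COMMAND column to ten characters) and the ports 53/5353 are assumptions matching cookiemonster's layout.

```shell
#!/bin/sh
# Added example (not from the thread, OPNsense, or the AdGuard Home plugin):
# show which daemon owns each DNS listening port and check the
# "AdGuard Home on 53, Unbound on 5353" layout discussed in this thread.
# Assumption: FreeBSD/OPNsense `sockstat -l` column layout
# (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS), where COMMAND
# is truncated to 10 characters, so AdGuardHome appears as "AdGuardHom".

# Constructed sample of `sockstat -l`, used when sockstat is not available
# (or when LISTENERS is set) so the parser can be exercised offline.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    61234 4  udp4   127.0.0.1:5353        *:*
unbound  unbound    61234 5  tcp4   127.0.0.1:5353        *:*
root     AdGuardHom 61300 7  udp4   192.168.1.1:53        *:*
root     AdGuardHom 61300 8  tcp4   192.168.1.1:53        *:*
root     AdGuardHom 61300 9  tcp4   *:3000                *:*
root     sshd       1201  4  tcp4   *:22                  *:*'

# list_listeners: LISTENERS (inline text) wins, then live sockstat, else sample.
list_listeners() {
    if [ -n "${LISTENERS:-}" ]; then printf '%s\n' "$LISTENERS"
    elif command -v sockstat >/dev/null 2>&1; then sockstat -l
    else printf '%s\n' "$SAMPLE_SOCKSTAT"; fi
}

# port_owner PORT: one line "COMMAND PID PROTO LOCAL" per socket bound to PORT
# (udp/tcp, v4/v6, any address). Returns 1 when nothing listens on PORT.
port_owner() {
    list_listeners | awk -v port="$1" '
        NR > 1 {
            n = split($6, a, ":")   # field 6 is LOCAL ADDRESS; port follows the last colon
            if (a[n] == port) { found = 1; print $2, $3, $5, $6 }
        }
        END { exit (found ? 0 : 1) }'
}

# expect_owner PORT NAME: 0 only if every socket on PORT belongs to a command
# whose name starts with NAME (a prefix, because sockstat truncates names).
expect_owner() {
    port_owner "$1" | awk -v want="$2" '
        index($1, want) != 1 { bad = 1 }
        END { exit ((NR == 0 || bad) ? 1 : 0) }'
}

# audit_dns_layout: the layout from cookiemonster's post. Prints the offending
# sockets when a port is missing or shared (e.g. Unbound still on 53 after a
# port change, or both daemons bound to the same port on different addresses).
audit_dns_layout() {
    rc=0
    expect_owner 53 AdGuard   || { echo "port 53 is not owned (only) by AdGuard Home:"; port_owner 53;   rc=1; }
    expect_owner 5353 unbound || { echo "port 5353 is not owned (only) by Unbound:";    port_owner 5353; rc=1; }
    return $rc
}

# Entry point when run on the firewall as root: sh dns_listeners.sh
audit_dns_layout
```

Run it after a reboot, before starting anything by hand: if `audit_dns_layout` complains about 53, the boot-order problem is not the only issue and the port layout itself needs fixing first.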
Thanks for the info. I edited a few settings that were not the same to yours. So I'll see if that makes a difference, and update here.
Thanks cookiemonster, I have changed some OPN settings and will see if the booting works.
*update: rebooting not solved. I have to start adguard manually.
I am not familiar with rc.syshook. Does anybody know how to utilize this? What script, where, how for "use rc.syshook framework to load AdGuard in "early" stage"?
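One way to use rc.syshook for this, as an added example that is not from OPNsense, from the plugin, or from anyone in this thread: instead of starting AdGuard Home earlier (where, as Franco notes, the network is not up yet), a hook waits until the local Unbound answers and only then starts AdGuard, so the services that depend on it are not racing it. Everything here is an assumption to verify on your own box: that hooks in /usr/local/etc/rc.syshook.d/<stage>/ run per stage and that the "start" stage runs after the network is configured, that Unbound listens on 127.0.0.1:5353 (cookiemonster's layout), that the plugin's rc script is called adguardhome, and that drill(1) is present for the probe.

```shell
#!/bin/sh
# Added example (not from OPNsense, the plugin, or anyone in this thread): an
# rc.syshook script that waits until the local Unbound answers before starting
# AdGuard Home, so AdGuard and the plugins behind it come up with a working
# resolver instead of racing it at boot.
# Assumptions, all to be checked on your own box:
#   - hooks under /usr/local/etc/rc.syshook.d/<stage>/ are run by stage; this
#     one is meant for the "start" stage (later than the "early" stage Franco
#     mentions, where the network is not yet configured), e.g. installed as
#     /usr/local/etc/rc.syshook.d/start/90-adguardhome with mode 0755
#   - Unbound listens on 127.0.0.1:5353 (cookiemonster's layout)
#   - the plugin's rc script is named adguardhome (service adguardhome start)
#   - drill(1) is available for the probe

RESOLVER_HOST="${RESOLVER_HOST:-127.0.0.1}"
RESOLVER_PORT="${RESOLVER_PORT:-5353}"
ADGUARD_SERVICE="${ADGUARD_SERVICE:-adguardhome}"
WAIT_SECONDS="${WAIT_SECONDS:-60}"
POLL_INTERVAL="${POLL_INTERVAL:-2}"

# log: to syslog when logger is available, otherwise to stderr.
log() { logger -t rc.syshook "$@" 2>/dev/null || echo "$@" >&2; }

# probe_resolver: one query to the resolver, 0 if it answered. RESOLVER_PROBE
# may name a replacement command (e.g. true or false) to exercise the wait
# logic without a live resolver.
probe_resolver() {
    if [ -n "${RESOLVER_PROBE:-}" ]; then
        "$RESOLVER_PROBE"
    else
        drill -p "$RESOLVER_PORT" @"$RESOLVER_HOST" localhost A >/dev/null 2>&1
    fi
}

# wait_for_resolver: poll until the resolver answers (return 0) or WAIT_SECONDS
# have passed (return 1). WAITED holds the seconds spent polling.
wait_for_resolver() {
    WAITED=0
    while ! probe_resolver; do
        if [ "$WAITED" -ge "$WAIT_SECONDS" ]; then
            log "adguardhome hook: ${RESOLVER_HOST}:${RESOLVER_PORT} not answering after ${WAIT_SECONDS}s"
            return 1
        fi
        sleep "$POLL_INTERVAL"
        WAITED=$((WAITED + POLL_INTERVAL))
    done
    return 0
}

main() {
    if wait_for_resolver; then
        log "adguardhome hook: resolver ready after ${WAITED}s, starting ${ADGUARD_SERVICE}"
    else
        # Start anyway so the LAN is not left without DNS; the log line above is
        # the trace that the ordering, not AdGuard itself, was the problem.
        log "adguardhome hook: starting ${ADGUARD_SERVICE} without a ready resolver"
    fi
    service "$ADGUARD_SERVICE" start
}

# Run only when executed from the hook directory; sourcing the file elsewhere
# just defines the functions.
case "$0" in
    */rc.syshook.d/*) main ;;
esac
```

After a reboot, the two "adguardhome hook:" lines in the system log tell you how long the resolver took to come up, which is the number that decides whether the Dynamic DNS and other plugins still start too early.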
Quote from: mimugmail on November 01, 2021, 04:58:17 PM
I would use Unbound listen to localhost only and System : Settings : General DNS Server empty so it uses unbound. AdGuardHome only listen to LAN address. Should work best
I have not found a way to set this up from GUI unfortunately. Otherwise, would be the "cleanest" IMHO.
Quote from: franco on November 01, 2021, 03:35:23 PM
In particular, it would still be better to have an internal resolver like Dnsmasq or Unbound that is properly wired to provide the system with a way to resolve DNS during boot up and then rather use port forwards to capture DNS traffic from attached networks to funnel through AdGuard which uses the local service as a forward.
For the time being I have a port forward but the other way round: DNS queries to port 53 _from_ the local firewall get forwarded to Unbound at 127.0.0.1:5553; anything else goes to adguard at 53 first (and Adguard then queries 127.0.0.1:5553).
Franco's reverse setup (unbound at 53, adguard at 5553, NAT port forward ensuring that all client traffic goes to adguard first) probably does not work easily as adguard, as per standard setup, listens on 53 (and you can't change it from GUI)?
You can change the port on initial setup or change it in the yaml file directly in /usr/local/AdGuard
https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#specifying-upstreams-for-rdns (https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#specifying-upstreams-for-rdns)
RamSense - Maybe I misunderstand your issue. Dynamic DNS works fine for me post-reboot (verified). I am with no-ip. The same setup as posted earlier.
We can have it this way i.e.
A - Unbound on custom port, ADH on default 53 or the other way around
B - Unbound on default port 53, ADH on custom port
but I am beginning to think there is another variable if we know option A (for me so that's one user) makes Dynamic DNS work fine.
Hi,
another solution could be to create a VLAN only to bind unbound to it with port 53. Then unbound will be available under localhost and that VLAN. And AdGuardHome can also be running on port 53 on the other interfaces. But this can only be done by editing the yaml file and using the bind-hosts in the dns section. This is explained under: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file (https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file)
I have a setup like this, and bound the AdGuardHome only to one interface and added rules to the different interfaces to be able to reach it.
KH
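Whether one follows cookiemonster's layout (AdGuard Home on 53, Unbound on 5353) or KH's VLAN variant (both on 53, bound to different addresses), the settings that decide it are `bind_hosts`, `port` and `upstream_dns` in the `dns:` section of AdGuardHome.yaml, which as mimugmail and KH note is edited by hand rather than in the UI. The script below is an added example, not from the thread, OPNsense or the plugin: it pulls those keys out of the file with awk and flags the two things the advice in this thread keeps coming back to, AdGuard bound to a wildcard or loopback address (mimugmail and Franco want loopback left to Unbound) and an upstream that is not the local Unbound. The yaml samples are constructed, the config path and the expected Unbound address are assumptions (adjust `AGH_CONFIG_PATH` and `UNBOUND_ADDR`, e.g. 127.0.0.1:53 for KH's layout), and the parser relies on the two- and four-space indentation AdGuard Home writes itself.

```shell
#!/bin/sh
# Added example (not from the thread, OPNsense, or the AdGuard Home plugin):
# read the dns: section of AdGuardHome.yaml and flag bind_hosts/upstream
# settings that do not match "AdGuard faces the LAN, Unbound is the local
# resolver and AdGuard's only upstream".
# Assumptions: config file location (mimugmail points at /usr/local/AdGuard;
# adjust AGH_CONFIG_PATH), Unbound address (UNBOUND_ADDR), and the
# two-space/four-space indentation AdGuard Home writes in its own yaml.

AGH_CONFIG_PATH="${AGH_CONFIG_PATH:-/usr/local/AdGuardHome/AdGuardHome.yaml}"
UNBOUND_ADDR="${UNBOUND_ADDR:-127.0.0.1:5353}"

# Constructed sample: cookiemonster's layout (AdGuard on the LAN address,
# port 53, Unbound on 127.0.0.1:5353 as the only upstream). The top-level
# bind_host/bind_port belong to the web UI and must be ignored by the parser.
SAMPLE_AGH_GOOD='bind_host: 0.0.0.0
bind_port: 3000
dns:
  bind_hosts:
    - 192.168.1.1
  port: 53
  upstream_dns:
    - 127.0.0.1:5353
  bootstrap_dns:
    - 127.0.0.1:5353
  local_ptr_upstreams:
    - 127.0.0.1:5353
filters: []'

# Constructed sample of a default-looking install: bound everywhere and
# pointing at a public resolver instead of the local Unbound.
SAMPLE_AGH_BAD='dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  upstream_dns:
    - 1.1.1.1
filters: []'

# agh_config: AGH_CONFIG (inline text) wins, then the real file, else the
# good sample so the script runs anywhere.
agh_config() {
    if [ -n "${AGH_CONFIG:-}" ]; then printf '%s\n' "$AGH_CONFIG"
    elif [ -r "$AGH_CONFIG_PATH" ]; then cat "$AGH_CONFIG_PATH"
    else printf '%s\n' "$SAMPLE_AGH_GOOD"; fi
}

# agh_dns_key KEY: print the scalar value or the list items of dns.KEY.
agh_dns_key() {
    agh_config | awk -v key="$1" '
        /^[^ #]/   { insection = ($0 == "dns:"); inkey = 0; next }   # top-level key
        !insection { next }
        /^  [^ ]/  {                                                 # key inside dns:
            line = $0; sub(/^  /, "", line)
            i = index(line, ":")
            name = substr(line, 1, i - 1); value = substr(line, i + 1)
            sub(/^ +/, "", value)
            inkey = (name == key)
            if (inkey && value != "") print value                    # scalar value
            next
        }
        inkey && /^    - / { item = $0; sub(/^    - /, "", item); print item }   # list item
    '
}

# audit_agh_dns: 0 when the config matches the layout, 1 with one message per problem.
audit_agh_dns() {
    rc=0
    port=$(agh_dns_key port)
    [ "$port" = "53" ] || { echo "dns.port is '$port'; clients expect 53"; rc=1; }
    for h in $(agh_dns_key bind_hosts); do
        case "$h" in
            0.0.0.0|::|127.0.0.1|::1)
                echo "dns.bind_hosts has $h: AdGuard would answer on loopback/every address; leave those to Unbound"
                rc=1 ;;
        esac
    done
    ups=$(agh_dns_key upstream_dns)
    [ -n "$ups" ] || { echo "dns.upstream_dns is empty"; rc=1; }
    for u in $ups; do
        [ "$u" = "$UNBOUND_ADDR" ] || { echo "dns.upstream_dns has $u, expected the local Unbound at $UNBOUND_ADDR"; rc=1; }
    done
    return $rc
}

# Entry point on the firewall: sh agh_check.sh  (reads AGH_CONFIG_PATH)
audit_agh_dns
```

The same keys are what KH changes for the VLAN layout: `bind_hosts` restricted to the AdGuard interfaces and `port` left at 53, with Unbound owning localhost and the VLAN address on 53.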
Easiest solution (probably):
1. Enter some DNS servers under System\Settings\General\DNS Servers
2. Tick "Do not use the local DNS service as a nameserver for this system"
3. Now opnsense itself will use the configured ones. Your DHCP clients will still use the DNS server distributed by DHCP, i.e. UnBound/dnsmasq/AdGuardHome/...
(edit: so mostly what cookiemonster already said _but_ entering DNS servers for opnsense upstream use)
Update: Sorry it's been a good while before getting back.
But I finally switched up the order to AdGuard so now it's Unbound > AdGuard. And everything works like it's supposed to, since Unbound can start resolving, no startup issues are happening after a reboot, which is great.
Only thing that sucks is on AdGuard the queries only show 127.0.0.1, ::1, and the Fe80 IPv6 addresses. Instead of the actual client name (hostname). Is there a way around this? Some setting within OPNsense?
Then your port forward is weird, screenshot please
Presumably it is simply because AdGuard is upstream from unbound in their setup, and therefore all DNS requests received by AdGuard come from unbound (i.e. localhost)
Indeed, I'm using Unbound for local and portforward LAN directly to AdGuard
Quote from: FormBurden on December 18, 2021, 09:01:44 PM
Only thing that sucks is on AdGuard the queries only show 127.0.0.1, ::1, and the Fe80 IPv6 addresses. Instead of the actual client name (hostname). Is there a way around this? Some setting within OPNsense?
You set the IP for Adguard DNS in your DHCP DNS settings.
I ended up fixing it. Had some wrong settings in the upstream DNS server on AdGuard that wasn't pointed to my Unbound.