Not sure, but it seems as though my first post did not go through. If I double post, I apologize, but I am finding no evidence the prior post happened.
I have been having this problem for months now. I have tried entirely rebuilding the Unbound DNS service setup, disabling every feature I can such as DNSBL, DNSSEC, etc. I have used DNS servers of 1.0.0.1, 1.1.1.1, 8.8.8.8, 84.200.69.80, 149.112.112.112 and a few others. I have also tried allowing my ISP DHCP-assigned DNS to override. The problem persists.
For example, I can resolve google.com via a dig command but not opnsense.org. I see the query in the DNS logs, but no reply comes back to the client. Yet it is instantaneous for google.com.
If I directly query the above DNS servers from clients, bypassing the firewall DNS but passing through the firewall, all those domains that won't resolve using Unbound DNS resolve fine against the very same servers it should be using.
Additionally internal resolution for local hosts works fine.
From the firewall command line the behavior is the same. google.com resolves, opnsense.org will not.
I have also disabled any kind of IDS/IPS.
At this point I am considering, as much as I dislike it, simply using the external DNS servers for my clients as it sure seems like something is broken about Unbound DNS.
It should be noted it's not just google.com and opnsense.org. There are tons of domains it refuses to resolve.
It makes no sense to me though why it would work for google.com but not opnsense.org and the DNS logs look as expected but no reply comes back for these "failing domains".
OpnSense: 22.1.10_4
And now it is worse. If I change the list of DNS servers in the system settings, I suddenly see massive amounts of port 53 DNS traffic to hundreds of random servers from around the planet. Most so far can't resolve anything, including google, and I lose access going directly to the DNS servers in the system settings. Why adding an IP to the system settings would suddenly start blocking (but with no firewall log) that IP makes no sense. Also, why would it start using DNS servers that are not in the list in the system?
Example:
dig @8.8.8.8 google.com
works
change system settings to use 8.8.8.8
dig @8.8.8.8 google.com
no longer works.
Then a sudden spew of something like 3000 allowed port 53 access attempts to hundreds of different IPs, not a single one of them being the DNS servers I added, nor a single one I tested capable of resolving any domains, but access to them is allowed, unlike the DNS servers I added.
Some baseline is needed.
- Show System > Settings > General. DNS settings there, what are they?
- Services > Unbound DNS > what have you set up?
- Services > DHCPv4 for the relevant interface, there are DNS settings there. Also for DHCPv6.
And finally, clients can have their own bypass of your DNS settings in OPN unless you have explicit rules to prevent it.
You need to be clear on your setup of OPN and clients.
Thank you for the response.
Quote from: cookiemonster on January 12, 2023, 11:15:08 PM
Some baseline is needed.
- Show System > Settings > General. DNS settings there, what are they?
Prefer IPv4 over IPv6: on
DNS Servers: 8.8.8.8, 8.8.4.4
*Nothing else set.
Quote from: cookiemonster on January 12, 2023, 11:15:08 PM
- Services > Unbound DNS > what have you set up?
Network Interfaces: LAN, WAP
DNSSEC: on
DHCP Registration: on
DHCP Static Mappings: on
DNS Cache: on
Local Zone Type: Transparent
Quote from: cookiemonster on January 12, 2023, 11:15:08 PM
- Services > DHCPv4 for the relevant interface, there are DNS settings there. Also for DHCPv6.
DHCPv6 is not used.
DHCPv4: Only things set here are your typical network range etc. While I have tried DNS servers in here to override it is currently not set.
Quote from: cookiemonster on January 12, 2023, 11:15:08 PM
And finally, clients can have their own bypass of your DNS settings in OPN unless you have explicit rules to prevent it.
You need to be clear on your setup of OPN and clients.
Yeah, this is something that is seriously bothering me. Any DNS servers I put in System -> Settings -> General are "blocked". By blocked I mean if I try to do a dig/host from a client, I see the firewall log entry saying it's allowed to go out, but the query hangs and then fails. If I try to query a DNS server (e.g. 1.1.1.1) that is NOT in that list, it works fine. At no time can I find a single "block" entry in the firewall logs. I have absolutely no manually entered rules that would block this, nor do I see any autogenerated ones.
So a bit of an update.
1) The oddity of DNS servers in the settings not being directly reachable by clients, and yet those not in that list are, persists. Still no logs other than the one showing the outgoing packet.
2) I am still seeing the mass number of port 53 outgoing queries. I realize these could all be ROOT servers, but it looks very odd, and so far perhaps 7-10 I have checked are not listed as ROOT servers and actually do not respond to manual DNS queries. This seems really odd to me and concerning.
3)I did enable the DNS Cache flush and it did not seem to entirely fix the problem but some went away. opnsense.org continued to have problems.
4) This is the big one. In desperation and due to EOL, I initiated a full upgrade to 22.7. #1 and #2 above persist, though #2 does not appear to be nearly as noisy. #3: I no longer have DNS resolution issues. Everything is working, including opnsense.org. Other than the cache flush prior to the update, and the update itself, I've not changed anything.
With these settings, no DNS server set in Unbound and no DNS server set in DHCPv4, and 8.8.8.8 and 8.8.4.4 as DNS servers in general settings, then 8.8.8.8 and 8.8.4.4 are the DNS servers given to your clients in LAN and WAP. OK.
No additional firewall rules to "catch rogues" means any client that respects what DHCP gave it will use those two to resolve names.
I imagine then the problem needs investigating at the client side. A PC will be easy with dig options to show additional information like trace, etc. For the rest, and even for those packets not being seen on return, a packet capture is in order. It should additionally help track the "rogues" if there are any.
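The symptom the thread keeps circling back to is "query goes out, nothing comes back", and the reply above suggests a packet capture to pin it down. The script below is an added example, not code from the thread or from OPNsense: it pairs each DNS query in tcpdump-style output with its reply by client address, client port, server address and transaction ID, then lists the queries that never got one and tallies answered versus sent per upstream server. It assumes the capture was taken on the firewall with something like `tcpdump -n -i <wan interface> udp port 53` (tcpdump ships with OPNsense's FreeBSD base); the capture lines embedded here are constructed for illustration, using documentation IP ranges, and are not from the poster's system.

```python
"""Pair DNS queries with replies in tcpdump output; report the queries that got none."""
import re
import sys
from collections import defaultdict

# Constructed sample in the format "tcpdump -n -i <wan> udp port 53" prints.
# NOT a real capture: client/answer addresses are documentation ranges, and the
# two unanswered opnsense.org queries are there to mimic the thread's symptom.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.41234 > 8.8.8.8.53: 12345+ [1au] A? google.com. (39)
12:00:01.020001 IP 8.8.8.8.53 > 203.0.113.5.41234: 12345 1/0/0 A 192.0.2.10 (55)
12:00:02.000001 IP 203.0.113.5.41235 > 8.8.8.8.53: 23456+ [1au] A? opnsense.org. (41)
12:00:03.000001 IP 203.0.113.5.41236 > 8.8.4.4.53: 34567+ [1au] A? opnsense.org. (41)
12:00:04.000001 IP 203.0.113.5.41237 > 1.1.1.1.53: 45678+ [1au] A? opnsense.org. (41)
12:00:04.030001 IP 1.1.1.1.53 > 203.0.113.5.41237: 45678 1/0/0 A 192.0.2.20 (57)
12:00:05.000001 IP 203.0.113.5.41238 > 8.8.8.8.53: 56789+ [1au] AAAA? nxdomain.example. (45)
12:00:05.025001 IP 8.8.8.8.53 > 203.0.113.5.41238: 56789 NXDomain 0/1/0 (104)
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <txid><flags> <rest>"
_LINE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|%-]*) (?P<rest>.*)$"
)
# Queries carry "<type>? <name>"; replies carry "<ans>/<auth>/<add>" or an rcode.
_QUERY = re.compile(r"^(?P<qtype>[A-Za-z0-9]+)\? (?P<qname>\S+)")
_EDNS = re.compile(r"^(\[[^\]]*\] )+")  # leading "[1au] " style EDNS markers


def parse_line(line):
    """Return a dict for one tcpdump DNS line, or None if it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = _EDNS.sub("", rec["rest"])
    q = _QUERY.match(rest)
    if q:
        rec.update(kind="query", qtype=q.group("qtype"),
                   qname=q.group("qname").rstrip("."),
                   client=rec["src"], cport=rec["sport"], server=rec["dst"])
    else:
        rec.update(kind="response",
                   client=rec["dst"], cport=rec["dport"], server=rec["src"])
    return rec


def _key(rec):
    # A reply matches a query only on the same 4-tuple and transaction ID.
    return (rec["client"], rec["cport"], rec["server"], rec["txid"])


def find_unanswered(capture_text):
    """Queries for which no matching reply appears later in the capture."""
    pending = {}
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            pending[_key(rec)] = rec
        else:
            pending.pop(_key(rec), None)  # reply seen: query is answered
    return sorted(pending.values(), key=lambda r: r["ts"])


def summarize_by_server(capture_text):
    """Per upstream server: how many queries were sent and how many answered."""
    stats = defaultdict(lambda: {"queries": 0, "answered": 0})
    open_queries = set()
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        k = _key(rec)
        if rec["kind"] == "query":
            stats[rec["server"]]["queries"] += 1
            open_queries.add(k)
        elif k in open_queries:
            stats[rec["server"]]["answered"] += 1
            open_queries.discard(k)
    return dict(stats)


def report(capture_text):
    lines = [f"{r['ts']} no reply from {r['server']} for {r['qtype']} {r['qname']} (id {r['txid']})"
             for r in find_unanswered(capture_text)]
    for server, s in sorted(summarize_by_server(capture_text).items()):
        lines.append(f"{server}: {s['answered']}/{s['queries']} answered")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: tcpdump -n -l -i <wan> udp port 53 > dns.txt ; python3 dnspair.py dns.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    print(report(text))
```

Run against a capture on the WAN side, an empty "no reply" list means the upstream did answer and the loss is inside the firewall or on the LAN side; a list of entries all pointing at one server, as in the constructed sample, means that server (or the path to it) is dropping the query, which is what the thread's "allowed in the firewall log, then hangs" behaviour looks like on the wire. Capturing on both the LAN and WAN interfaces and running the script on each narrows it further.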