I upgraded from OPNsense 23.7.4 to 23.7.5 this week and started noticing a problem with Unbound.
Some domains that are not in the cache do not resolve and a "Server Fail" error appears, but if I go to the "DNS Lookup" tool they resolve normally.
https://ibb.co/80zj5K6
https://ibb.co/8PL7krZ
What happens if you put 127.0.0.1 in the DNS Lookup tool?
What does your Unbound config look like? The DNS settings under the general settings screen?
Have you turned on the SERVFAIL reasons and logging for Unbound? What do the logs show?
127.0.0.1 https://prnt.sc/dp3T_FzoZ80F
Before updating I had DNSSEC enabled, but I thought it could be causing the Unbound problems, so I disabled it, but to no avail.
unbound > general https://prnt.sc/aFNuu-geWof3
Settings > General https://prnt.sc/zzh6P6rZW730
Can you tell me where I activate these records?
I've already checked the Unbound logs, but only device name information appears.
https://prnt.sc/9pU6oG45DGf_
I'd rather look at uploaded screenshots than click on some potentially dodgy URLs.
How can I attach images here? When I click to attach I only get an <img> tag.
prnt.sc links are from the Lightshot tool, but that's ok
Click on "Attachments and other options" below.
I can't attach them all in one post, I'll split them up.
Others here
.
Quote from: yduan on October 09, 2023, 07:27:25 PM
Others here
Network Interfaces - change to ALL and enable DNSSEC always
Quote from: yduan on October 09, 2023, 07:29:35 PM
.
Check if those devices actually use your DNS settings or they default to something else, either in the browser or system settings.
https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/
Quote from: yduan on October 09, 2023, 07:25:53 PM
I can't attach them all in one post, I'll split them up.
I said to put 127.0.0.1 in the Server field, not the Host field. The previous screens you posted didn't show a result from the local DNS server.
Quote from: yduan on October 09, 2023, 07:29:35 PM
.
You don't have to select every option. Whatever level you select will automatically show all higher levels as well.
Quote from: newsense on October 09, 2023, 11:38:28 PM
Network Interfaces - change to ALL and enable DNSSEC always
Agreed on the interfaces. I feel like there needs to be a pop-up in the UI and/or the Interfaces selector should be put behind the Advanced toggle.
I assume the DNSSEC recommendation is for general practice and not due to this issue?
Quote from: newsense on October 09, 2023, 11:45:49 PM
Check if those devices actually use your DNS settings or they default to something else, either in the browser or system settings.
https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/
If they're seeing the domain show up in reporting, then the device should be using Unbound to resolve.
Quote from: newsense on October 09, 2023, 11:45:49 PM
Quote from: yduan on October 09, 2023, 07:29:35 PM
.
Check if those devices actually use your DNS settings or they default to something else, either in the browser or system settings.
https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/
Yes, my devices are using local DNS; I have rules to force them to use only that.
DNSSEC enabled and enabled on all interfaces.
Quote from: CJ on October 10, 2023, 04:08:59 PM
Quote from: yduan on October 09, 2023, 07:25:53 PM
I can't attach them all in one post, I'll split them up.
I said to put 127.0.0.1 in the Server field, not the Host field. The previous screens you posted didn't show a result from the local DNS server.
Ah, sorry, I got it wrong. Here is the result: I tried to resolve the domain shop.proxmox.com with 127.0.0.1 as the server.
Other domains that I access normally resolve successfully, such as google.com.
Quote from: yduan on October 12, 2023, 09:12:18 PM
Quote from: newsense on October 09, 2023, 11:45:49 PM
Quote from: yduan on October 09, 2023, 07:29:35 PM
.
Check if those devices actually use your DNS settings or they default to something else, either in the browser or system settings.
https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/
Yes, my devices are using local DNS; I have rules to force them to use only that.
DNSSEC enabled and enabled on all interfaces.
Just to let you know, that setup won't stop DoH. For example, Firefox uses Cloudflare as its default resolver, but it has a specific subdomain which resolves to different IPs than their standard set. Since it uses port 443, the only way to stop it is to block the domain and/or the IP.
Quote from: yduan on October 12, 2023, 09:15:49 PM
Ah, sorry, I got it wrong. Here is the result: I tried to resolve the domain shop.proxmox.com with 127.0.0.1 as the server.
Other domains that I access normally resolve successfully, such as google.com.
What shows in the Unbound logs and Reporting? Do you have SERVFAIL logging turned on?
Any blocklists?
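Added example, not a post from this thread and not code from OPNsense or Unbound: once SERVFAIL logging is on (the `log-servfail: yes` option in the server: section of unbound.conf, plus `val-log-level: 2` if you want DNSSEC reasons), Unbound writes one line per failed query in the shape `SERVFAIL <qname qtype qclass>: reason`. The script below pulls those entries out of a log, groups them by name, and maps the reason text onto the knob to check first (forwarders, DNSSEC chain, or plain recursion). The log lines embedded in it are constructed for the example; the hostnames, PIDs and reason strings are illustrative and are not taken from the poster's system.

```python
"""Triage Unbound SERVFAIL / DNSSEC validation failures from log lines.

Added example for this thread, not code from OPNsense or Unbound.  It expects
the entries Unbound writes with `log-servfail: yes` (and, for DNSSEC detail,
`val-log-level: 2`) in the server: section of unbound.conf.
"""
import re
from collections import Counter, defaultdict

# Unbound writes one of these per failed query:
#   SERVFAIL <qname qtype qclass>: reason text
#   validation failure <qname qtype qclass>: reason text
_ENTRY = re.compile(
    r"(?P<kind>SERVFAIL|validation failure) "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$"
)

# Constructed sample lines in the shape of an Unbound syslog feed; names, PIDs
# and reasons are illustrative only (assumption, not captured from a real box).
SAMPLE_LOG = """\
Oct 12 21:10:01 fw unbound[4321]: [4321:0] error: SERVFAIL <shop.proxmox.com. A IN>: all the configured stub or forward servers failed, at zone .
Oct 12 21:10:01 fw unbound[4321]: [4321:0] error: SERVFAIL <shop.proxmox.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 12 21:10:05 fw unbound[4321]: [4321:0] info: resolving google.com. A IN
Oct 12 21:10:09 fw unbound[4321]: [4321:1] info: validation failure <sigfail.example. A IN>: signature crypto failed from 192.0.2.1
Oct 12 21:10:12 fw unbound[4321]: [4321:0] error: SERVFAIL <shop.proxmox.com. A IN>: all the configured stub or forward servers failed, at zone .
"""


def parse_entries(lines):
    """Yield a dict per SERVFAIL / validation-failure entry; other lines are skipped."""
    for line in lines:
        m = _ENTRY.search(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["qname"] = entry["qname"].rstrip(".").lower()  # drop trailing dot, normalise case
        entry["reason"] = entry["reason"].strip()
        yield entry


def classify(kind, reason):
    """Map an entry onto the thing to check first, based on Unbound's reason text."""
    r = reason.lower()
    if kind == "validation failure" or "dnssec" in r or "bogus" in r:
        return "dnssec"      # chain/signature problem: trust anchor, clock, DNSSEC toggle
    if "forward" in r or "stub" in r:
        return "upstream"    # forwarders/stub zones unreachable or returning SERVFAIL themselves
    if "nameserver" in r or "nxdomain" in r:
        return "recursion"   # delegation problems while resolving from the roots
    return "other"


def summarize(lines):
    """Per qname, count each distinct 'kind: reason' so a repeating cause stands out."""
    per_name = defaultdict(Counter)
    for e in parse_entries(lines):
        per_name[e["qname"]][f"{e['kind']}: {e['reason']}"] += 1
    return {name: dict(c) for name, c in per_name.items()}


def triage(lines):
    """Return [(qname, category, count)] with the noisiest names first."""
    counts = Counter()
    for e in parse_entries(lines):
        counts[(e["qname"], classify(e["kind"], e["reason"]))] += 1
    return sorted(((n, cat, k) for (n, cat), k in counts.items()),
                  key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    for name, category, count in triage(SAMPLE_LOG.splitlines()):
        print(f"{count:3d}  {category:10s} {name}")
    for name, reasons in summarize(SAMPLE_LOG.splitlines()).items():
        for reason, count in reasons.items():
            print(f"     {name}: {reason} (x{count})")
```

Run it against the real file (on OPNsense, the Unbound log under System > Log Files, or `/var/log/resolver/`-style output piped in via `sys.stdin`) instead of `SAMPLE_LOG`; a name that only ever fails with an "upstream" reason points at the forwarders or the Interfaces setting rather than at DNSSEC, which is the distinction the thread is trying to make.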