Hi,
I want to have Unbound as the only DNS resolver on OPNsense.
I have a fresh install on a Sophos SG-105.
My settings are:
- "System: Settings: General"
  Prefer IPv4 over IPv6 - On
  No DNS servers
  Allow DNS server list to be overridden by DHCP/PPP on WAN - Off
- "Services: Unbound DNS: General"
  default
  No forward DNS server
My problem is: no DNS resolution on the LAN interface with these settings.
Calling drill with a different DNS server set, DNS is working.
Any Idea?
If you don't allow recursion, you will only receive responses for DNS records that Unbound is authoritative for - i.e. local records. https://umbrella.cisco.com/blog/what-is-the-difference-between-authoritative-and-recursive-dns-nameservers
If you want to make sure all queries go through Unbound, configure the upstream resolvers you want it to use and create a firewall rule to deny 53 TCP and UDP from your LAN subnet.
Bart...
Thanks for the reply, but how do I allow recursion?
Configure upstream DNS servers to recurse to: System: Settings: General, DNS servers
Oh, I see, but I'm trying to avoid this.
There is no other way?
I am not quite sure why Unbound will not permit recursive queries without a forwarder configured. Since I do not run Unbound I cannot promise that I will find the time to perform a test installation.
In the meantime you can of course run BIND. If you want to keep the DHCP-Unbound integration of OPNsense, continue to use Unbound for your clients, install the BIND plugin, configure e.g. BIND on 127.0.0.1:53530 as a forwarder for Unbound.
OK, so I'll bite ;) I have this lab system, anyway. Unbound only DNS service running. I changed
System > Settings > General
Service > Unbound > Query forwarding
See screenshots for details. Recursive queries from internal clients are resolved without using a forwarder and replies are sent.
I then activated various logging actions - see third screenshot, please. You can watch Unbound recurse on its own starting at the DNS root servers when I ask for e.g. staging.bsky.app starting with a clean cache:
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10294"] [27811:0] info: 172.31.0.128 staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10295"] [27811:0] info: resolving staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10296"] [27811:0] info: response for staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10297"] [27811:0] info: reply from <.> 2001:dc3::35#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10298"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10299"] [27811:0] info: response for staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10300"] [27811:0] info: reply from <app.> 216.239.34.105#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10301"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10302"] [27811:0] info: resolving ns-757.awsdns-30.net. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10303"] [27811:0] info: resolving ns-1425.awsdns-50.org. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10304"] [27811:0] info: resolving ns-1425.awsdns-50.org. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10305"] [27811:0] info: resolving ns-2001.awsdns-58.co.uk. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10306"] [27811:0] info: resolving ns-2001.awsdns-58.co.uk. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10307"] [27811:0] info: resolving ns-757.awsdns-30.net. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10308"] [27811:0] info: response for ns-1425.awsdns-50.org. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10309"] [27811:0] info: reply from <org.> 199.249.112.1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10310"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10311"] [27811:0] info: response for ns-2001.awsdns-58.co.uk. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10312"] [27811:0] info: reply from <uk.> 213.248.216.1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10313"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10314"] [27811:0] info: response for ns-757.awsdns-30.net. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10315"] [27811:0] info: reply from <net.> 2001:503:d414::30#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10316"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10317"] [27811:0] info: response for ns-757.awsdns-30.net. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10318"] [27811:0] info: reply from <net.> 2001:503:d414::30#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10319"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10320"] [27811:0] info: response for ns-2001.awsdns-58.co.uk. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10321"] [27811:0] info: reply from <uk.> 2401:fd80:404::1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10322"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10323"] [27811:0] info: response for ns-2001.awsdns-58.co.uk. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10324"] [27811:0] info: reply from <awsdns-58.co.uk.> 205.251.197.253#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10325"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10326"] [27811:0] info: response for ns-757.awsdns-30.net. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10327"] [27811:0] info: reply from <awsdns-30.net.> 205.251.197.94#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10328"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10329"] [27811:0] info: response for ns-757.awsdns-30.net. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10330"] [27811:0] info: reply from <awsdns-30.net.> 205.251.193.223#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10331"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10332"] [27811:0] info: response for ns-1425.awsdns-50.org. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10333"] [27811:0] info: reply from <awsdns-50.org.> 2600:9000:5302:f400::1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10334"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10335"] [27811:0] info: response for ns-2001.awsdns-58.co.uk. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10336"] [27811:0] info: reply from <awsdns-58.co.uk.> 2600:9000:5301:7a00::1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10337"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10338"] [27811:0] info: response for ns-2001.awsdns-58.co.uk. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10339"] [27811:0] info: reply from <awsdns-58.co.uk.> 205.251.193.122#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10340"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10341"] [27811:0] info: response for ns-757.awsdns-30.net. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10342"] [27811:0] info: reply from <awsdns-30.net.> 2600:9000:5301:df00::1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10343"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10344"] [27811:0] info: response for staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10345"] [27811:0] info: reply from <bsky.app.> 205.251.194.245#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10346"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10347"] [27811:0] info: 172.31.0.128 staging.bsky.app. A IN NOERROR 0.234521 0 93
So, recursive queries with Unbound do work as expected. No need to configure any forwarding DNS server.
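The log above is the evidence that settles the question: the first "reply from" for staging.bsky.app. comes from <.> (a root server) with a REFERRAL, followed by referrals from the TLD and the zone's own nameservers, and finally an ANSWER, with the closing summary line showing the query was not served from cache (the "0" before the response size). The script below is an added example, not part of this thread or of OPNsense; it parses Unbound's syslog-framed query and reply lines, reconstructs that referral chain for one name, and classifies the resolution as iterative, forwarded, or cached. The sample lines are constructed from the format shown above (a reduced copy of the lab log, plus a separate constructed forwarded case using the documentation address 192.0.2.53 and the name example.test as placeholders). The "forwarded" signature (a single reply from <.> that is already an ANSWER, with no REFERRAL) is a heuristic assumption, not something the thread states.

```python
"""Classify how Unbound resolved a name from its 'log-queries'/'log-replies' style
syslog lines: iteratively from the root, via a forwarder, or from cache.
Added example for the thread above; sample lines are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MSG_RE = re.compile(r'\[meta sequenceId="(?P<seq>\d+)"\] \[\d+:\d+\] info: (?P<msg>.*)$')
REPLY_RE = re.compile(r'^reply from <(?P<zone>[^>]*)> (?P<server>\S+)$')
RESPONSE_RE = re.compile(r'^response for (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$')
# Reply summary: client qname qtype qclass rcode seconds from_cache(0/1) size
SUMMARY_RE = re.compile(r'^(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+) '
                        r'(?P<rcode>\S+) (?P<secs>[\d.]+) (?P<cached>[01]) (?P<size>\d+)$')


def syslog_line(seq: int, msg: str) -> str:
    """Build a line in the RFC 5424 framing OPNsense used in the log above (constructed)."""
    return (f'<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - '
            f'[meta sequenceId="{seq}"] [27811:0] info: {msg}')


# Constructed: a reduced copy of the iterative resolution shown in the thread.
SAMPLE_ITERATIVE = "\n".join(syslog_line(s, m) for s, m in [
    (10294, '172.31.0.128 staging.bsky.app. A IN'),
    (10295, 'resolving staging.bsky.app. A IN'),
    (10296, 'response for staging.bsky.app. A IN'),
    (10297, 'reply from <.> 2001:dc3::35#53'),
    (10298, 'query response was REFERRAL'),
    (10299, 'response for staging.bsky.app. A IN'),
    (10300, 'reply from <app.> 216.239.34.105#53'),
    (10301, 'query response was REFERRAL'),
    (10302, 'resolving ns-757.awsdns-30.net. AAAA IN'),
    (10308, 'response for ns-1425.awsdns-50.org. A IN'),      # nameserver lookup interleaved
    (10309, 'reply from <org.> 199.249.112.1#53'),
    (10310, 'query response was REFERRAL'),
    (10344, 'response for staging.bsky.app. A IN'),
    (10345, 'reply from <bsky.app.> 205.251.194.245#53'),
    (10346, 'query response was ANSWER'),
    (10347, '172.31.0.128 staging.bsky.app. A IN NOERROR 0.234521 0 93'),
])

# Constructed: what a forwarded lookup looks like (placeholder forwarder 192.0.2.53).
SAMPLE_FORWARDED = "\n".join(syslog_line(s, m) for s, m in [
    (20001, '172.31.0.128 example.test. A IN'),
    (20002, 'resolving example.test. A IN'),
    (20003, 'response for example.test. A IN'),
    (20004, 'reply from <.> 192.0.2.53#53'),
    (20005, 'query response was ANSWER'),
    (20006, '172.31.0.128 example.test. A IN NOERROR 0.012345 0 60'),
])


@dataclass
class Hop:
    zone: str    # delegation point Unbound asked; "." means a root server (or a forwarder)
    server: str  # address#port that replied
    kind: str    # REFERRAL or ANSWER


@dataclass
class Resolution:
    qname: str
    hops: List[Hop] = field(default_factory=list)
    rcode: Optional[str] = None
    from_cache: Optional[bool] = None
    secs: Optional[float] = None


def parse_messages(text: str) -> List[str]:
    """Strip syslog framing and return messages ordered by sequenceId."""
    found = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            found.append((int(m.group('seq')), m.group('msg')))
    return [msg for _, msg in sorted(found)]


def trace_resolution(text: str, qname: str) -> Resolution:
    """Reconstruct the chain of servers consulted for qname (other names are ignored)."""
    res = Resolution(qname=qname)
    current: Optional[str] = None   # qname of the enclosing 'response for' line
    pending: Optional[Hop] = None   # hop waiting for its 'query response was' line
    for msg in parse_messages(text):
        m = RESPONSE_RE.match(msg)
        if m:
            current, pending = m.group('qname'), None
            continue
        m = REPLY_RE.match(msg)
        if m and current == qname:
            pending = Hop(m.group('zone'), m.group('server'), '')
            continue
        if msg.startswith('query response was ') and pending is not None:
            pending.kind = msg.split()[-1]
            res.hops.append(pending)
            pending = None
            continue
        m = SUMMARY_RE.match(msg)
        if m and m.group('qname') == qname:
            res.rcode = m.group('rcode')
            res.from_cache = m.group('cached') == '1'
            res.secs = float(m.group('secs'))
    return res


def resolution_mode(res: Resolution) -> str:
    """Heuristic: root REFERRAL first and ANSWER last = iterative; a lone ANSWER
    from <.> = forwarder (assumed signature); cached flag set = cache."""
    if res.from_cache:
        return 'cache'
    if not res.hops:
        return 'unknown'
    first, last = res.hops[0], res.hops[-1]
    if first.zone == '.' and first.kind == 'REFERRAL' and last.kind == 'ANSWER':
        return 'iterative'
    if first.zone == '.' and first.kind == 'ANSWER' and len(res.hops) == 1:
        return 'forwarded'
    return 'partial'


if __name__ == '__main__':
    for text, name in [(SAMPLE_ITERATIVE, 'staging.bsky.app.'), (SAMPLE_FORWARDED, 'example.test.')]:
        r = trace_resolution(text, name)
        print(name, resolution_mode(r), [f'{h.zone}->{h.kind}' for h in r.hops], r.rcode, r.secs)
```

Run it against a pasted Unbound log (System: Log Files on OPNsense, or the raw syslog) to confirm what the thread demonstrates: a chain of REFERRALs starting at <.> means Unbound walked the delegation itself, so no system DNS servers or forwarders are involved in that answer.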
...was my impression, too, after reading this here
https://docs.pi-hole.net/guides/dns/unbound/
Now, three and a half hours later, returning to my desk, name resolution does not work. Unbound refuses to perform recursive queries.
WTH? :o
I definitely don't have the time to debug this right now, as I wrote I am running BIND everywhere. I tested with the mentioned combination of Unbound and BIND and that seems to work as expected.
Something about the OPNsense specific Unbound configuration seems to be weird.
Oh boy, got it now :-)
Unfortunately, I changed too many factors at the same time, so I can't say what caused this behaviour.
Changes are:
- Replaced the Fritzbox with a Draytek Vigor 165 as modem
- Disabled IPv6 on LAN and WAN interfaces
- Disabled the IPv6 firewall rule under "Firewall: Rules: LAN"
- Set "Prefer to use IPv4 even if IPv6 is available" under "System: Settings: General"
IMHO it was the Firewall Rule.
Thanks for Support.
Well, this works "out of the box" and definitely does not need any DNS servers configured for the system, or forwarders in Unbound.
Firewall has logs, use them. Disabling IPv6 does not do any good, bad idea in general.