Hi,
when trying to resolve http://marlinfw.org/ I only get a timeout on all clients. I'm using a PiHole and unbound as upstream. DNSmasq is running on port 53 to redirect the DNS traffic to pihole.
Tried several other addresses and all I've tested are working fine.
Also tried to flush the DNS cache on my Windows machine and pihole to see if "new" requests are being resolved, and I get the IPs. Only http://marlinfw.org/ is not resolving, and nslookup/dig get a timeout error.
Trying to resolve it with Google DNS is working. So I guess it has something to do with my unbound install/config.
Running OPNsense 24.7_9 and also tried with 24.1
All unbound settings should be default, except the port is set to 5353
unbound-control lookup for marlinfw.org:
root@OPNsense:~ # unbound-control -c /var/unbound/unbound.conf lookup marlinfw.org
The following name servers are used for lookup of marlinfw.org.
;rrset 982 5 0 2 0
marlinfw.org. 982 IN NS ns4.linode.com.
marlinfw.org. 982 IN NS ns5.linode.com.
marlinfw.org. 982 IN NS ns3.linode.com.
marlinfw.org. 982 IN NS ns1.linode.com.
marlinfw.org. 982 IN NS ns2.linode.com.
;rrset 83844 1 0 5 0
ns2.linode.com. 83844 IN A \# 0
;rrset 83844 1 0 5 0
ns1.linode.com. 83844 IN A \# 0
;rrset 83844 1 0 5 0
ns3.linode.com. 83844 IN A \# 0
;rrset 83844 1 0 5 0
ns5.linode.com. 83844 IN A \# 0
;rrset 83844 1 0 5 0
ns4.linode.com. 83844 IN A \# 0
Delegation with 5 names, of which 5 can be examined to query further addresses.
It provides 0 IP addresses.
unbound-control lookup for google.de:
root@OPNsense:~ # unbound-control -c /var/unbound/unbound.conf lookup google.de
The following name servers are used for lookup of google.de.
;rrset 82890 6 0 2 0
de. 82890 IN NS a.nic.de.
de. 82890 IN NS f.nic.de.
de. 82890 IN NS l.de.net.
de. 82890 IN NS n.de.net.
de. 82890 IN NS s.de.net.
de. 82890 IN NS z.nic.de.
;rrset 82890 1 1 2 0
de. 82890 IN DS 26755 8 2 F341357809A5954311CCB82ADE114C6C1D724A75C0395137AA3978035425E78D
de. 82890 IN RRSIG DS 8 1 86400 20240817050000 20240804040000 20038 . CLavb6y1T+jwq0ba6f9EiV3tfGkHa6kMgZapGx+OWuaFQZ3h28kR1gWySSTf4p12yWGmo0rszzZORXHqhW0Hk/BBqebWvv8KyU+1htARoAAs1cs6/IPL9GvkLih+daATetOYm+v2hJqq0szvzLG5wYys6u3aUwWpapktBX6FD1D/bVo9L0Fl/vljD9+S3YnGtfmnAGTlIdytX0lc1o0d2JfjCuWG8Zvnd879OJWDG8ZeDnvgJjq6jyUd4b9fu+CZ8nzOBticT349IKHHp2UtO/perhV/taByTQ50ySxB8VAq8GBFPptqCa9Tv8mWnI13SU7TwQjyVSNDXAT+mcgnsw== ;{id = 20038}
;rrset 82890 1 0 1 0
z.nic.de. 82890 IN A 194.246.96.1
;rrset 82890 1 0 1 0
z.nic.de. 82890 IN AAAA 2a02:568:fe02::de
;rrset 82890 1 0 1 0
s.de.net. 82890 IN A 195.243.137.26
;rrset 82890 1 0 1 0
s.de.net. 82890 IN AAAA 2003:8:14::53
;rrset 82890 1 0 1 0
n.de.net. 82890 IN A 194.146.107.6
;rrset 82890 1 0 1 0
n.de.net. 82890 IN AAAA 2001:67c:1011:1::53
;rrset 82890 1 0 1 0
l.de.net. 82890 IN A 77.67.63.105
;rrset 82890 1 0 1 0
l.de.net. 82890 IN AAAA 2001:668:1f:11::105
;rrset 82890 1 0 1 0
f.nic.de. 82890 IN A 81.91.164.5
;rrset 82890 1 0 1 0
f.nic.de. 82890 IN AAAA 2a02:568:0:2::53
;rrset 82890 1 0 1 0
a.nic.de. 82890 IN A 194.0.0.53
;rrset 82890 1 0 1 0
a.nic.de. 82890 IN AAAA 2001:678:2::53
Delegation with 6 names, of which 0 can be examined to query further addresses.
It provides 12 IP addresses.
2001:678:2::53 not in infra cache.
194.0.0.53 not in infra cache.
2a02:568:0:2::53 not in infra cache.
81.91.164.5 not in infra cache.
2001:668:1f:11::105 not in infra cache.
77.67.63.105 not in infra cache.
2001:67c:1011:1::53 not in infra cache.
194.146.107.6 not in infra cache.
2003:8:14::53 not in infra cache.
195.243.137.26 not in infra cache.
2a02:568:fe02::de not in infra cache.
194.246.96.1 not in infra cache.
Anyone an idea where to look for errors or know what the problem could be?
Okay, after some more testing and observing it seems that no DNS queries are resolved from linode.com.
Anyone an idea?
I don't understand why people choose to have such complicated setups. Why the pihole? Are the blacklists in Unbound inadequate?
That aside... use tcpdump to inspect the DNS traffic. Can you see the query request leaving OPNsense?
I am not sure if it is correct, but this is the output of tcpdump -n -i ixl3 port 53
14:11:29.902804 IP 91.65.53.87.46906 > 92.123.95.3.53: 29168% [1au] A? marlinfw.org. (41)
14:11:36.289314 IP 91.65.53.87.10318 > 192.41.162.30.53: 2121% [1au] A? linode.com. (39)
14:11:36.314358 IP 192.41.162.30.53 > 91.65.53.87.10318: 2121- 0/10/1 (527)
14:11:36.314482 IP 91.65.53.87.55961 > 23.61.199.65.53: 29293% [1au] A? ns1.linode.com. (43)
14:11:36.327879 IP 23.61.199.65.53 > 91.65.53.87.55961: 29293*- 1/0/1 A 92.123.94.2 (59)
14:11:36.328080 IP 91.65.53.87.50954 > 192.48.79.30.53: 6147% [1au] A? linode.com. (39)
14:11:36.354028 IP 192.48.79.30.53 > 91.65.53.87.50954: 6147- 0/10/1 (527)
14:11:36.354154 IP 91.65.53.87.40347 > 184.26.160.65.53: 5756% [1au] A? ns5.linode.com. (43)
14:11:36.371272 IP 184.26.160.65.53 > 91.65.53.87.40347: 5756*- 1/0/1 A 92.123.95.2 (59)
14:11:36.371622 IP 91.65.53.87.30193 > 192.35.51.30.53: 11901% [1au] A? linode.com. (39)
14:11:36.392405 IP 192.35.51.30.53 > 91.65.53.87.30193: 11901- 0/10/1 (527)
14:11:36.392518 IP 91.65.53.87.56389 > 184.26.160.65.53: 1962% [1au] A? ns2.linode.com. (43)
14:11:36.408115 IP 184.26.160.65.53 > 91.65.53.87.56389: 1962*- 1/0/1 A 92.123.94.3 (59)
14:11:36.408298 IP 91.65.53.87.63382 > 192.41.162.30.53: 5065% [1au] A? linode.com. (39)
14:11:36.433548 IP 192.41.162.30.53 > 91.65.53.87.63382: 5065- 0/10/1 (527)
14:11:36.433657 IP 91.65.53.87.62422 > 72.246.46.64.53: 38319% [1au] A? ns3.linode.com. (43)
14:11:36.454564 IP 72.246.46.64.53 > 91.65.53.87.62422: 38319*- 1/0/1 A 92.123.95.3 (59)
14:11:36.454791 IP 91.65.53.87.15230 > 192.35.51.30.53: 56183% [1au] A? linode.com. (39)
14:11:36.474352 IP 192.35.51.30.53 > 91.65.53.87.15230: 56183- 0/10/1 (527)
14:11:36.474464 IP 91.65.53.87.25905 > 72.246.46.64.53: 281% [1au] A? ns4.linode.com. (43)
14:11:36.491601 IP 72.246.46.64.53 > 91.65.53.87.25905: 281*- 1/0/1 A 92.123.95.4 (59)
14:11:40.228193 IP 91.65.53.87.4617 > 92.123.94.3.53: 50786% [1au] A? www.marlinfw.org. (45)
14:11:52.319485 IP 91.65.53.87.30414 > 92.123.95.2.53: 13232% [1au] A? www.marlinfw.org. (45)
If I try the same with google.de I get:
14:11:58.221426 IP 91.65.53.87.59839 > 195.243.137.26.53: 39616% [1au] A? google.de. (38)
14:11:58.236756 IP 195.243.137.26.53 > 91.65.53.87.59839: 39616- 0/8/1 (619)
14:11:58.236859 IP 91.65.53.87.9533 > 216.239.34.10.53: 11101% [1au] A? www.google.de. (42)
14:11:58.270587 IP 216.239.34.10.53 > 91.65.53.87.9533: 11101*- 1/0/1 A 142.251.209.131 (58)
14:11:58.275433 IP 91.65.53.87.45940 > 216.239.32.10.53: 14432% [1au] AAAA? www.google.de. (42)
14:11:58.297519 IP 216.239.32.10.53 > 91.65.53.87.45940: 14432*- 1/0/1 AAAA 2a00:1450:4005:801::2003 (70)
So I guess the request is leaving OPNsense but is not getting the response?
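As an added example (not from the thread), a small Python script that pairs the tcpdump query and reply lines quoted above by queried server, resolver source port and DNS transaction id, and reports which queries never got a reply. The sample lines are taken from the output above; the script handles the IPv4 `IP` lines only and assumes the default tcpdump DNS line layout.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tcpdump lines quoted in the thread
# (resolver 91.65.53.87 querying authoritative servers on UDP/53).
SAMPLE = """\
14:11:29.902804 IP 91.65.53.87.46906 > 92.123.95.3.53: 29168% [1au] A? marlinfw.org. (41)
14:11:36.289314 IP 91.65.53.87.10318 > 192.41.162.30.53: 2121% [1au] A? linode.com. (39)
14:11:36.314358 IP 192.41.162.30.53 > 91.65.53.87.10318: 2121- 0/10/1 (527)
14:11:36.314482 IP 91.65.53.87.55961 > 23.61.199.65.53: 29293% [1au] A? ns1.linode.com. (43)
14:11:36.327879 IP 23.61.199.65.53 > 91.65.53.87.55961: 29293*- 1/0/1 A 92.123.94.2 (59)
14:11:40.228193 IP 91.65.53.87.4617 > 92.123.94.3.53: 50786% [1au] A? www.marlinfw.org. (45)
14:11:52.319485 IP 91.65.53.87.30414 > 92.123.95.2.53: 13232% [1au] A? www.marlinfw.org. (45)
"""

# tcpdump DNS line: "<ts> IP <src>.<sport> > <dst>.<dport>: <id><flags> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<id>\d+)(?P<flags>[%*+-]*)\s*(?P<rest>.*)$"
)
# Queries carry "<TYPE>? <name>"; replies carry "<ans>/<auth>/<add>" instead.
QUERY_RE = re.compile(r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")


def unanswered_queries(text):
    """Return {server_ip: [(qname, qtype), ...]} for queries with no reply.

    A reply matches a query when it comes from the queried server back to the
    same resolver port and carries the same DNS transaction id.
    """
    pending = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = QUERY_RE.search(m["rest"])
        if m["dport"] == "53" and q:
            # outgoing query: remember it until a matching reply shows up
            pending[(m["dst"], m["src"], m["sport"], m["id"])] = (q["qname"], q["qtype"])
        elif m["sport"] == "53":
            # incoming reply: clear the matching query, if any
            pending.pop((m["src"], m["dst"], m["dport"], m["id"]), None)
    missing = defaultdict(list)
    for (server, _, _, _), qinfo in pending.items():
        missing[server].append(qinfo)
    return dict(missing)


if __name__ == "__main__":
    for server, queries in unanswered_queries(SAMPLE).items():
        print(f"{server}: no reply for {queries}")
```

On the capture above this lists only the three Akamai-hosted linode.com nameserver addresses (92.123.x.x), while the TLD and glue lookups all got replies, which narrows the fault to the path between the resolver and those servers.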
Hi @Aergernis,
Were you able to solve this? I seem to have the exact same problem. My problem is lookup of alpinelinux.org, but that also seems to use Linode's servers for lookup. I can also confirm I have the same problem as you with marlinfw.org.
unbound-control -c unbound.conf lookup alpinelinux.org
The following name servers are used for lookup of alpinelinux.org.
;rrset 2039 5 0 2 0
alpinelinux.org. 2039 IN NS ns2.linode.com.
alpinelinux.org. 2039 IN NS ns1.linode.com.
alpinelinux.org. 2039 IN NS ns4.linode.com.
alpinelinux.org. 2039 IN NS ns3.linode.com.
alpinelinux.org. 2039 IN NS ns5.linode.com.
My setup is OPNsense 24.7.6 with Unbound - no piHole.
My workaround for now is to add a Custom Query forwarding to 8.8.8.8 for the domains in question. I could of course forward all queries to 8.8.8.8, but that defeats the purpose of using OPNsense / Unbound in the first place.
I suspect that it is linode.com that is blocking your requests for some reason. I'd try to contact them.
Resolution with Unbound and requests directed at their nameservers do work for me:
root@opnsense:~ # drill @127.0.0.1 marlinfw.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 65405
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; marlinfw.org. IN A
;; ANSWER SECTION:
marlinfw.org. 86341 IN A 185.199.109.153
marlinfw.org. 86341 IN A 185.199.110.153
marlinfw.org. 86341 IN A 185.199.111.153
marlinfw.org. 86341 IN A 185.199.108.153
root@opnsense:~ # drill @ns1.linode.com marlinfw.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 17804
;; flags: qr aa rd ; QUERY: 1, ANSWER: 4, AUTHORITY: 5, ADDITIONAL: 10
;; QUESTION SECTION:
;; marlinfw.org. IN A
;; ANSWER SECTION:
marlinfw.org. 86400 IN A 185.199.111.153
marlinfw.org. 86400 IN A 185.199.110.153
marlinfw.org. 86400 IN A 185.199.109.153
marlinfw.org. 86400 IN A 185.199.108.153
;; AUTHORITY SECTION:
marlinfw.org. 86400 IN NS ns4.linode.com.
marlinfw.org. 86400 IN NS ns2.linode.com.
marlinfw.org. 86400 IN NS ns1.linode.com.
marlinfw.org. 86400 IN NS ns3.linode.com.
marlinfw.org. 86400 IN NS ns5.linode.com.