Text only | Text with Images

OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: openminded on December 11, 2024, 06:25:03 PM

Title: DNS over TLS => no DNS resolving at all (with Unbound), why?
Post by: openminded on December 11, 2024, 06:25:03 PM
hello,

I'm currently using OPNsense 24.7.10_2 with Unbound. My opnsense router is behind another router. My problem is I cannot have DNS over TLS.

I have followed this how-to: https://homenetworkguy.com/how-to/configure-dns-over-tls-unbound-opnsense/

When I configure DoT servers (first one is 1.1.1.1) in "Services: Unbound DNS: DNS over TLS" (with " Use System Nameservers" unchecked, and no DNS servers at all in "System: Settings: General"), I have no DNS resolution at all.

If I go to "Interfaces: Diagnostics: DNS Lookup" and check for example.com with 1.1.1.1 server, it's ok (A   example.com. 2549 IN A 93.184.215.14   1.1.1.1   3 msec). With no specified DNS server I have an error message "Error: error sending query: No (valid) nameservers defined in the resolver". Which is not a surprise.

If I put DNS servers in "System: Settings: General", it's ok (I have DNS resolution) but in this case I have no DNS over TLS.

Could someone please help me debugging this ?
Title: Re: DNS over TLS => no DNS resolving at all (with Unbound), why?
Post by: openminded on January 22, 2025, 05:37:33 PM
I reinstalled opnsense and followed same instructions.
At first, I had no DNS resolution, but after a few dozen minutes, it worked. I don't know why it took so long.
Title: Re: DNS over TLS => no DNS resolving at all (with Unbound), why?
Post by: newsense on January 23, 2025, 02:49:15 AM
Any form of secure communication requires accurate time on the machine with a maximum of +-5 minutes deviation accepted.

Your description fits the case where the time on the device is off, and after a few minutes of waiting whenever NTPD or Chrony were able to sync the time DoT started working.

Whenever in doubt check the time with this command:

Code Select
date
And set the time with this command for YearMonthDayHoursMinutes.Seconds:

Code Select
date yyMMddHHmm.ss
Title: Re: DNS over TLS => no DNS resolving at all (with Unbound), why?
Post by: charles.adams on January 28, 2025, 03:19:46 AM
Quote from: newsense on January 23, 2025, 02:49:15 AMAny form of secure communication requires accurate time on the machine with a maximum of +-5 minutes deviation accepted.

Your description fits the case where the time on the device is off, and after a few minutes of waiting whenever NTPD or Chrony were able to sync the time DoT started working.

Whenever in doubt check the time with this command:

Code Select
date
And set the time with this command for YearMonthDayHoursMinutes.Seconds:

Code Select
date yyMMddHHmm.ss

So I think I also have a time syncing issue and I wanted to find out where these commands should be entered to see if the time is off?

Should this be done in a local terminal via the serial port or is there a terminal access in the WebGUI that I'm missing?
Title: Re: DNS over TLS => no DNS resolving at all (with Unbound), why?
Post by: EricPerl on January 28, 2025, 03:46:21 AM
The current date/time is actually displayed in the dashboard, in system information.

The commands are used in a physical terminal on a bare metal install, but virtualized installs offer a terminal too.
In either case, there's ssh access as well.
Text only | Text with Images