OPNsense Forum

English Forums => General Discussion => Topic started by: bgshacklett on January 19, 2025, 11:47:35 PM

Title: Is my Unbound instance resolving using DNS over HTTPS?
Post by: bgshacklett on January 19, 2025, 11:47:35 PM
I was troubleshooting some poor DNS performance this morning and I came across a number of instances of the following message in the logs:

> error: SERVFAIL <[redacted]. HTTPS IN>: all servers for this domain failed, at zone [redacted]. upstream server timeout

Does the query type "HTTPS IN" indicate that DNS over HTTPS is in use? I haven't configured it, and I'm expecting Unbound to perform recursive lookups.

I'm currently on version 24.1.10_8 of OPNsense, with Unbound at version 1.20.0_1.
Title: Re: Is my Unbound instance resolving using DNS over HTTPS?
Post by: bgshacklett on January 20, 2025, 12:09:29 AM
So no, it looks like I'm just out of date on my knowledge of DNS records. Looks like this became a proposed standard, alongside SVCB records as of November 2023 (https://datatracker.ietf.org/doc/rfc9460/)?
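To show why the "HTTPS" in that log line names a query type rather than a transport, here is an added Python example (not the poster's code, and not part of OPNsense or Unbound) that parses Unbound SERVFAIL lines of the shape quoted above and tallies them by record type and zone; the log lines inside it are constructed samples, and the regex assumes only the line format shown in this thread.

```python
import re
from collections import Counter

# Shape of the Unbound SERVFAIL line quoted in the thread:
#   error: SERVFAIL <qname qtype qclass>: reason, at zone zone detail
LOG_RE = re.compile(
    r"error: SERVFAIL <(?P<qname>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>[A-Z]+)>: "
    r"(?P<reason>.+?), at zone (?P<zone>\S+) (?P<detail>.+)$"
)

# RR type numbers from the IANA registry. SVCB (64) and HTTPS (65) are the
# RFC 9460 records; they are ordinary query types carried over whatever
# transport the resolver already uses, and say nothing about DNS over HTTPS.
RR_TYPE_NUMBERS = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16,
                   "AAAA": 28, "SVCB": 64, "HTTPS": 65}

# Constructed sample log, mirroring the thread's line with placeholder names.
SAMPLE_LOG = """\
error: SERVFAIL <www.example.net. HTTPS IN>: all servers for this domain failed, at zone example.net. upstream server timeout
error: SERVFAIL <www.example.net. A IN>: all servers for this domain failed, at zone example.net. upstream server timeout
error: SERVFAIL <mail.example.org. MX IN>: all servers for this domain failed, at zone example.org. upstream server timeout
info: an unrelated line that the parser must skip
"""


def parse_line(line):
    """Return the fields of one SERVFAIL line, or None if it is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def rr_type_number(qtype):
    """Map a type mnemonic to its registry number (None if not in the table)."""
    return RR_TYPE_NUMBERS.get(qtype)


def summarize(log_text):
    """Count SERVFAILs per query type and per failing zone.

    Several types failing for the same zone points at the upstream/zone,
    not at any single record type."""
    by_type, by_zone = Counter(), Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_type[rec["qtype"]] += 1
        by_zone[rec["zone"]] += 1
    return by_type, by_zone


if __name__ == "__main__":
    types, zones = summarize(SAMPLE_LOG)
    print("failures by qtype:", dict(types))
    print("failures by zone: ", dict(zones))
```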
Title: Re: Is my Unbound instance resolving using DNS over HTTPS?
Post by: newsense on January 20, 2025, 04:06:03 AM
You're almost two major versions behind. 25.1.RC1 lands next week and on the 29th 25.1 will be generally available.

If that FW is directly on the internet, worrying about secure DNS wouldn't be the first thing to be concerned about - when every two-three weeks new security and / or reliability updates are available yet you don't deem them important enough to install.

A fully patched OPNsense with the default configuration will always be more secure than a 7+ months old one with a random hardening thing applied here or there.
Title: Re: Is my Unbound instance resolving using DNS over HTTPS?
Post by: TrafficChaos on January 20, 2025, 02:50:12 PM
Quote from: newsense on January 20, 2025, 04:06:03 AM
> You're almost two major versions behind. 25.1.RC1 lands next week and on the 29th 25.1 will be generally available.
>
> If that FW is directly on the internet worrying about secure DNS wouldn't be the first thing to be concerned about - when every two-three weeks new security and / or reliability updates are available yet you don't deem important enough to install.
>
> A fully patched OPNsense with the default configuration will always be more secure than a 7+ months old one with a random hardening thing applied here or there.
I am new to OPNsense and have a question regarding updating. I read above there is a new 25.1.RC1 coming soon; will I be able to upgrade to this using the update feature from the GUI, or does going from 24 to 25 require a complete reinstall? I ask as I am going to be making some changes and I don't want to have to do them all over again if I have to do a new install. Thanks, and I do not mean to derail this thread, it's just I see the new update mentioned above.
Title: Re: Is my Unbound instance resolving using DNS over HTTPS?
Post by: newsense on January 21, 2025, 12:31:38 AM
Start by applying the upgrades available from the GUI. The first one should bring you to 24.7 and the second one to 24.7.12 - which is where you need to be in order to get on 25.1 next week.

Depending on the speed of your rig, from the moment the machine reboots for 24.7 it may take 5-15 minutes before it is back up, so if you don't have a monitor or serial connection to it just wait for the web GUI to become available again.

If you have Crowdsec running it is best to stop and disable it prior to the upgrade to make sure the process completes as expected.


Once on 24.7.12 you can stay on it until next week, then go for 25.1 once it becomes available.