OPNsense Forum

English Forums => 25.7 Series => Topic started by: ajohn on July 26, 2025, 09:49:45 AM

Title: [25.7] unbound as recursive dns server doesn't seem to work
Post by: ajohn on July 26, 2025, 09:49:45 AM
UPDATE: never mind, network configuration error (upstream firewall still had DNS redirects)
Only valid comment is that the root.hints (https://www.iana.org/domains/root/files) could use an update. Hints delivered with 25.7 are from 2023.

I'm very excited about installing the new OPNsense 25.7 on my new firewall, so I decided to start from scratch. I think I have found a bug.

After a clean install I run the setup wizard, disable the Override DNS setting and DO NOT configure a DNS server. I am expecting unbound to go out and contact root servers configured in /var/unbound/root.hints but instead unbound is throwing a SERVFAIL:

root@opntest:~ # drill . ns
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 43209
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; .    IN      NS

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 3 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Jul 26 09:33:57 2025
;; MSG SIZE  rcvd: 17

What am I missing?

Btw, unrelated: the root.hints (https://www.iana.org/domains/root/files) could use an update. Hints delivered with 25.7 are from 2023.
Title: Re: [25.7] unbound as recursive dns server doesn't seem to work
Post by: sopex8260 on July 26, 2025, 12:42:40 PM
Great for fixing it.

Have the authoritative name servers changed since 2023?

Don't think so.
Title: Re: [25.7] unbound as recursive dns server doesn't seem to work
Post by: ajohn on July 26, 2025, 04:16:56 PM
Didn't check for changes but the recommendation is to update root hints every 6 months.
Title: Re: [25.7] unbound as recursive dns server doesn't seem to work
Post by: franco on July 26, 2025, 08:19:35 PM
If it weren't so simple...

% curl -o root.min.hints https://www.internic.net/domain/named.root
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3310  100  3310    0     0   5483      0 --:--:-- --:--:-- --:--:--  5480g
% git diff
diff --git a/src/opnsense/data/unbound/root.min.hints b/src/opnsense/data/unbound/root.min.hints
index 8b8a3b119..078d8c030 100644
--- a/src/opnsense/data/unbound/root.min.hints
+++ b/src/opnsense/data/unbound/root.min.hints
@@ -9,8 +9,8 @@
 ;           on server           FTP.INTERNIC.NET
 ;       -OR-                    RS.INTERNIC.NET
 ;
-;       last update:     December 20, 2023
-;       related version of root zone:     2023122001
+;       last update:     July 24, 2025
+;       related version of root zone:     2025072401
 ;
 ; FORMERLY NS.INTERNIC.NET
 ;
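Review bot: the hunk changes only the two header comment lines ("last update" and "related version of root zone") and touches no NS, A or AAAA records, so the data unbound actually loads is identical before and after; if this refresh is committed anyway, the commit message should state that the record set is unchanged, since the 2023 date in the shipped header is exactly what makes users suspect the hints are stale.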

The only thing that changes is the date in the comment.  That's exactly why we don't bother updating it.
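A way to answer "did the record set change?" across the whole file rather than by reading the diff, as an added example that is neither OPNsense code nor from this thread: the functions strip the ";" comment header (the only part the diff above touches) and compare the remaining NS/A/AAAA lines. The sample files below are constructed; the A root server name and addresses are the published ones, everything else is placeholder.

```shell
#!/bin/sh
# Added example, not OPNsense code: compare two root.hints files on their
# record content only, ignoring the ";" comment header whose date changes.

# Print the records of a root.hints file in a canonical form: ";" comments
# and blank lines dropped, whitespace collapsed to single spaces, lines sorted.
hints_records() {
    sed -e 's/;.*$//' "$1" | awk 'NF { $1=$1; print }' | sort
}

# Return 0 if both files carry the same records, 1 if they differ.
hints_same() {
    [ "$(hints_records "$1")" = "$(hints_records "$2")" ]
}

# Constructed sample files: identical records, only the comment header differs
# (this mirrors the real diff, where only the date lines changed).
old=$(mktemp); new=$(mktemp); alt=$(mktemp)
cat > "$old" <<'EOF'
;       last update:     December 20, 2023
;       related version of root zone:     2023122001
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
EOF
cat > "$new" <<'EOF'
;       last update:     July 24, 2025
;       related version of root zone:     2025072401
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
EOF
# Constructed variant with a changed (documentation-range) IPv4 address,
# to show what a real record change looks like to the check.
sed 's/198\.41\.0\.4/192.0.2.1/' "$new" > "$alt"

if hints_same "$old" "$new"; then echo "old vs new: records unchanged"; fi
if ! hints_same "$new" "$alt"; then echo "new vs alt: records differ"; fi
```

Run it against the shipped /var/unbound/root.hints and a freshly downloaded named.root to see whether anything beyond the header moved.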
Title: Re: [25.7] unbound as recursive dns server doesn't seem to work
Post by: senseOPN on July 26, 2025, 08:44:02 PM
Better update the subject line too!

Others may be discouraged to update reading the subject alone.