Hi,
I've been using my configuration OPNsense 25.7.6/Unbound/DynDNS/HAProxy for several years, with no change at all. No update was done at all in the last 2 days either. Yesterday I saw that no IPv4 address is resolved any more using nslookup; only IPv6 was reported. Looking at Strato DynDNS, both the A record and the AAAA record are seen. Also, if I do a DNS resolve against 8.8.8.8, for example, both records are available. If I use DNSmasq for testing, both records are also available and HAProxy is working.
Any idea why Unbound stopped reporting the A record and only reports the AAAA record? As I mentioned, no config change was made in the last days.
Maybe some additional information: could it be caused by a change at my internet provider from "real dual stack" to "DS-Lite"? I just found out that Strato is showing a different IP compared to whatismyIP -> I suppose such a change happened.
That might be influential, but the question is: Do you see only IPv6 addresses, also for normal DNS entries like www.google.com or only for your own names?
If your ISP switched to DS-Lite, you will get a "special" IPv4 which is in turn NATed to a real routeable IPv4. Depending on how your DynDNS determines its IP, it may get the real IP or the CG-NAT one. For DynDNS purposes, neither of which helps, because you cannot open ports on either of them.
That does not explain why you see only IPv6 addresses, though. You should check whether you have IPv4 and IPv6 access to the internet at all. However, both IP types are being resolved over any connection type, so this seems very strange.
Tested the following conditions:
unbound: resolve of google.de -> both records found
unbound: resolve of my own domain -> only AAAA record (but at Strato both the A record and the AAAA record can be seen)
DNSmasq: resolve of google.de -> both records found
DNSmasq: resolve of my own domain -> both records found (same as at Strato can be seen)
For IPv4 I only get the special CGN IP, not the real IP.
How are you testing?
Patrick is right to ask that, because you can have OpnSense itself use a different server than the one that is used for your LAN clients.
Ruling out the obvious: I assume you have not checked the "Enable AAAA-only mode" in Unbound?
If "your own domain" is a local domain, not an "official" domain, it is served locally. If it were a "real" DNS domain that is being served by some internet DNS server, then Unbound and DNSmasq should resolve the same (which they do for other "real" domains).
Then, the question is what type of record you want to resolve. It can be either of:
1. A DHCP reservation entry with a DNS name
2. A dynamically obtained DHCP lease which carries a DNS name
3. A local Unbound override
The different settings in Unbound on how / if to handle DHCP reservations come into play here. Also, the respective DHCP server can be made to register the names with or without a DNS domain suffix. Unbound also has the "DHCP Domain Override" setting.
Also, when you use Unbound, you can delegate domains to another server via "Services: Unbound DNS: Query Forwarding". The current default setup from the documentation does this in order to have Unbound resolve global names only and DNSmasq for local names.
Tested with "nslookup" directly in the OPNsense shell as well as with a LAN client. Always the same result. At the moment, because HAProxy is used in IPv4 mode, I need to resolve the IPv4 address. With DNSmasq all is working as expected. I will try to get the old "real dual stack" configuration again, but if this fails, I will need to switch to IPv6 at least for the part "Internet <-> HAProxy" and will then redirect into the local IPv4 network.
And of course "Enable AAAA-only mode" is not checked in Unbound.
Settings in Unbound:
General is checked:
- Enable DNSSEC Support
- Register ISC DHCP4 Leases
- Register DHCP Static Mappings
- TXT Comment Support
- Flush DNS Cache during reload (new, tested today)
Overrides:
nothing
Advanced is checked:
- Aggressive NSEC
Query forwarding is checked:
- use system nameservers: 208.67.222.222, 208.67.220.220, 8.8.8.8, 8.8.4.4, 4.2.2.1, 4.2.2.2
DNS over TLS is checked:
- use system nameservers: 208.67.222.222, 208.67.220.220, 8.8.8.8, 8.8.4.4, 4.2.2.1, 4.2.2.2
Are you explicitly asking for the record types?
Like
drill google.de a
drill google.de aaaa
?
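As an added illustration (not part of this thread, and not OPNsense or Unbound code), the following script shows what "explicitly asking for the record types" means on the wire: it builds a separate query for A and for AAAA, parses the reply, and tells apart a real answer from NODATA (NOERROR with zero matching records, which is what a resolver returns when the name exists but has no A record) and from NXDOMAIN. The replies here are constructed locally so it runs offline; the hostname and the addresses are placeholders.

```python
"""Build DNS queries for explicit record types and parse the replies.

Added example for the thread above; the messages below are constructed
in-process (no resolver is contacted), and host.example.net / 2001:db8::10
are placeholder values, not anything from the original posts.
"""
import ipaddress
import struct

QTYPE = {"A": 1, "AAAA": 28}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
RCODE_NAME = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD=1) for one (name, type) pair, like `drill name a`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg: bytes, offset: int):
    """Return (name, offset after the name), following 0xC0 compression pointers."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections; A/AAAA rdata becomes text addresses."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPE_NAME.get(qtype, qtype)))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        answers.append((name, QTYPE_NAME.get(rtype, rtype), ttl, value))
    return {"id": txid, "rcode": RCODE_NAME.get(flags & 0x0F, flags & 0x0F),
            "questions": questions, "answers": answers}


def classify(resp: dict, qtype: str) -> str:
    """NOERROR without a record of the asked type is NODATA, not NXDOMAIN."""
    if resp["rcode"] != "NOERROR":
        return resp["rcode"]
    return "ANSWER" if any(a[1] == qtype for a in resp["answers"]) else "NODATA"


def build_response(query: bytes, records) -> bytes:
    """Constructed reply: echo the question, append answer RRs with the name compressed to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)  # QR RD RA, rcode 0
    body = b""
    for rtype, ttl, addr in records:
        rdata = ipaddress.ip_address(addr).packed
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rdata)) + rdata
    return header + query[12:] + body


def demo() -> dict:
    """Constructed scenario matching the thread: AAAA is answered, A comes back empty."""
    name = "host.example.net"  # placeholder, not the poster's domain
    r_a = parse_response(build_response(build_query(name, "A"), []))
    r_aaaa = parse_response(build_response(build_query(name, "AAAA"), [("AAAA", 60, "2001:db8::10")]))
    return {"A": classify(r_a, "A"), "AAAA": classify(r_aaaa, "AAAA"),
            "aaaa_records": [a[3] for a in r_aaaa["answers"]]}


if __name__ == "__main__":
    print(demo())
```

Sending `build_query(...)` over UDP port 53 to Unbound and to DNSmasq and feeding each reply to `parse_response` gives exactly the per-type comparison the post asks for; a NODATA for A from one resolver and an ANSWER from the other points at that resolver's path for the name (forwarding, DNSSEC validation, or a local override), not at the zone itself.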
No, I'm wondering why I don't get IPv4 and IPv6 with Unbound but I do get them with DNSmasq. If the reason is DS-Lite, I'm fine -> not a misconfiguration. But if there is a reason within my config, I want to fix it ;-)
Please check like I outlined above.
The problem is gone again after the migration at my internet provider back to the real dual stack configuration. So it seems there was an issue with Unbound and the DS-Lite stack.