OPNsense Forum
Archive => 19.7 Legacy Series => Topic started by: Taomyn on September 12, 2019, 10:26:06 am
-
I was trying to add a host override to Unbound, and after saving then applying the setting the Unbound service dies. I've attached screenshots of the settings (showing the help text which I followed) and the log.
-
Just FYI:
To block DoH you need to return a NXDOMAIN, 0.0.0.0 is a valid reserved IP address and as such will not block DoH.
-
It will block it if the requester relies on the information coming back from the DNS server to give it the DoH server IPs - I believe this is the case for Firefox. And if that's the case getting that list and then blocking the IPs on the firewall will definitely block them.
Now back to the issue I reported, i.e. did I configure it incorrectly to cause the Unbound service to crash?
-
Try to remove the comment.
Nevertheless, it will not stop Firefox, as use-application-dns.net is just a canary domain, as explained here: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
Firefox will check if NXDOMAIN is returned.
You could use the unbound options field to add a local zone:
local-zone: "use-application-dns.net" static
This will return NXDOMAIN.
-
Thanks for the NXDOMAIN info - I'll switch to that after seeing if "no comment" fixes the override, but Firefox does use the A/AAAA record if returned so a value of 0.0.0.0 will flag it as not available.
-
Removing the comment fixed the service crashing, so thanks for that. However adding instead the line to the custom options made the service crash again, although this time without any error in the log that I could see. I've probably not entered it correctly alongside the other options I use.
Which reminds me to ask about the small note on that input box that states it will be removed in the future, and how I will be able to use the other options after that happens.
-
I think copying the quotes is the problem if your Unbound is crashing after adding the static zone.
Try typing it manually.
I have:
server:
    local-zone: "use-application-dns.net." always_nxdomain
And it works, all queries to the domain return nxdomain.
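The NXDOMAIN-versus-0.0.0.0 distinction discussed in this thread, as an added example that is not from the thread or from the OPNsense/Unbound projects: a small Python checker that builds the canary query, classifies a resolver's reply as NXDOMAIN (what Firefox honours) or an A record of 0.0.0.0 (a valid answer, so not honoured), and can send the query to a live resolver. The two embedded sample replies are constructed, and check_resolver is an assumed helper for querying, e.g., the OPNsense Unbound address.

```python
import socket
import struct
CANARY = "use-application-dns.net"   # Mozilla's canary domain, as named in the thread
RCODE_NXDOMAIN = 3                    # the only reply Firefox treats as "DoH disabled"

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query with the RD bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def _skip_name(buf: bytes, off: int) -> int:
    # Return the offset just past a (possibly compressed) domain name.
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def classify_response(resp: bytes) -> str:
    """'nxdomain' (honoured by Firefox), 'sinkhole' (A 0.0.0.0: a valid answer,
    not honoured), 'answer' (other A record) or 'empty' (NOERROR, no answer)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if flags & 0x000F == RCODE_NXDOMAIN:
        return "nxdomain"
    if ancount == 0:
        return "empty"
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4       # skip QTYPE + QCLASS
    off = _skip_name(resp, off)               # first answer RR's name
    rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
    rdata = resp[off + 10:off + 10 + rdlen]
    return "sinkhole" if rtype == 1 and rdata == b"\x00\x00\x00\x00" else "answer"

def check_resolver(server: str, timeout: float = 2.0) -> str:
    """Send the canary query to `server` (e.g. the OPNsense Unbound) over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (server, 53))
        return classify_response(s.recvfrom(512)[0])

# Constructed sample replies (not captured from a real resolver): NXDOMAIN, and
# NOERROR carrying an A 0.0.0.0 record (name compressed to the question at offset 12).
QUESTION = build_query(CANARY)[12:]
SAMPLE_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
SAMPLE_SINKHOLE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + b"\x00\x00\x00\x00")
```

Running check_resolver against the Unbound instance after applying the always_nxdomain zone should return "nxdomain"; a host override to 0.0.0.0 returns "sinkhole" instead.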
-
I think copying the quotes is the problem if your Unbound is crashing after adding the static zone.
It wasn't the quotes, it was either the extra "." at the end or the use of "always_nxdomain" that did the trick, so thank you.
So what will happen if as the help text says, the custom options field is removed in the future?
-
They said they will not remove it before most functions have their equivalent in the Web UI, which would mean there has to be a comprehensive Zone Management for Unbound before that happens.
I also use that field to define stub- and forward-zones and, as a consequence, domain-insecure, to forward requests to other DNS servers and for split-DNS.