OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: Taomyn on September 12, 2019, 10:26:06 am

Title: Creating an Unbound host override breaks service
Post by: Taomyn on September 12, 2019, 10:26:06 am
I was trying to add a host override to Unbound, and after saving and then applying the setting the Unbound service dies. I've attached screenshots of the settings (showing the help text which I followed) and the log.
Title: Re: Creating an Unbound host override breaks service
Post by: ruffy91 on September 12, 2019, 10:39:43 pm
Just FYI:
To block DoH you need to return an NXDOMAIN; 0.0.0.0 is a valid reserved IP address and as such will not block DoH.
Title: Re: Creating an Unbound host override breaks service
Post by: Taomyn on September 13, 2019, 07:37:24 am
It will block it if the requester relies on the information coming back from the DNS server to give it the DoH server IPs - I believe this is the case for Firefox. And if that's the case, getting that list and then blocking the IPs on the firewall will definitely block them.

Now back to the issue I reported, i.e. did I configure it incorrectly and cause the Unbound service to crash?
Title: Re: Creating an Unbound host override breaks service
Post by: ruffy91 on September 13, 2019, 08:28:42 am
Try to remove the comment.

Nevertheless, it will not stop Firefox, as use-application-dns.net is just a canary domain, as explained here: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
Firefox will check if NXDOMAIN is returned.
You could use the Unbound options field to add a local zone:

local-zone: "use-application-dns.net" static

This will return NXDOMAIN.
Title: Re: Creating an Unbound host override breaks service
Post by: Taomyn on September 13, 2019, 08:49:40 am
Thanks for the NXDOMAIN info - I'll switch to that after seeing if "no comment" fixes the override, but Firefox does use the A/AAAA record if returned, so a value of 0.0.0.0 will flag it as not available.
Title: Re: Creating an Unbound host override breaks service
Post by: Taomyn on September 13, 2019, 09:14:08 am
Removing the comment fixed the service crashing, so thanks for that. However, adding the line to the custom options instead made the service crash again, although this time without any error in the log that I could see. I've probably not entered it correctly alongside the other options I use.

Which reminds me to ask about the small note on that input box that states it will be removed in the future, and how I will be able to use the other options after that happens.
Title: Re: Creating an Unbound host override breaks service
Post by: ruffy91 on September 18, 2019, 09:38:44 am
I think copying the quotes is the problem if your Unbound is crashing after adding the static zone.
Try typing it manually.
I have:
Code:
server:
local-zone: "use-application-dns.net." always_nxdomain
And it works; all queries to the domain return NXDOMAIN.
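For comparison, here is an added example (not either poster's configuration) of the two approaches discussed in this thread, written as an Unbound server clause of the kind that goes into the OPNsense custom options field. The first form reproduces what a host override pointing at 0.0.0.0 does; the second is the NXDOMAIN canary zone:

```conf
# Added example, not from the thread. Unbound "server:" clause as it would be
# entered in the OPNsense custom options field (or unbound.conf).
server:
    # Form 1: answer the canary name with 0.0.0.0 (equivalent to a host override).
    # The client still receives a valid A record, so the canary is not tripped.
    # Shown commented out for comparison; do not combine it with form 2 for the
    # same name, since both declare a local-zone for it.
    # local-zone: "use-application-dns.net." static
    # local-data: "use-application-dns.net. IN A 0.0.0.0"

    # Form 2: return NXDOMAIN for the canary name and every name below it.
    # The trailing dot makes the zone name fully qualified, matching the line
    # that worked for the posters above.
    local-zone: "use-application-dns.net." always_nxdomain
```

After applying the change, a query from a LAN host such as `drill use-application-dns.net @<firewall IP>` (the address is a placeholder) should report rcode NXDOMAIN rather than an A record.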
Title: Re: Creating an Unbound host override breaks service
Post by: Taomyn on September 18, 2019, 09:49:52 am
Quote from: ruffy91
I think copying the quotes is the problem if your Unbound is crashing after adding the static zone.

It wasn't the quotes, it was either the extra "." at the end or the use of "always_nxdomain" that did the trick, so thank you.

So what will happen if, as the help text says, the custom options field is removed in the future?
Title: Re: Creating an Unbound host override breaks service
Post by: ruffy91 on September 18, 2019, 11:19:57 am
They said they will not remove it before most functions have their equivalent in the Web UI, which would mean there has to be a comprehensive zone management for Unbound before that happens.

I also use that field to define stub and forward zones and, as a consequence, domain-insecure, to forward requests to other DNS servers and for split DNS.