OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: bringha on October 17, 2020, 11:08:15 am

Title: DNS over TLS with ipv6 forward-addresses - can't get it working
Post by: bringha on October 17, 2020, 11:08:15 am
Good morning,

I am on 20.7.3 and I am trying to get DNS over TLS working with unbound. Everything works fine as long as I use IPv4 forwarder addresses in Services->Unbound TLS->Misc, which I put e.g. in the form 9.9.9.9@853.

When I am adding an IPv6 address like e.g. 2a05:fc84::42@853 and restart unbound, the IPv4 forward-addresses are still used/working properly, but my /var/log/resolver/resolver.log gets flooded with
Code:
Oct 17 10:54:33 OPNsense.zuhause.xx unbound[37717]: [37717:2] error: outgoing tcp: bind: Can't assign requested address

No request to the IPv6 server is then sent indeed. Removing the address and restarting unbound makes the error message disappear again.

My resulting /var/unbound/etc/dot.conf looks like
Code:
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853
  forward-addr: 149.112.112.112@853
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  forward-addr: 2a05:fc84::42@853
which looks correct to me.

There has been a (pretty much) earlier thread on that error message and DoT
https://forum.opnsense.org/index.php?topic=12301.0
after which the DoT (GUI) functionality has been substantially expanded/refactored; however, I use the recommended forward addresses for my region.

IPv6 gateway and WAN addresses are both LL. When I run unbound in debug mode, all queries which try to use
Code:
outgoing-interface: fe80::XXX:YYY:ZZZ:a21d

create the error message above.

Has someone an idea what could be wrong here or how to debug this further?

Thanks a lot

Br br
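An added diagnostic (not from this thread, OPNsense or unbound): it parses the forward-addr entries of a dot.conf like the one above and flags every forwarder for which the host owns no non-link-local source address of the same family, which is the situation the debug output above describes (only an fe80:: outgoing-interface available for the IPv6 forwarder). The config fragment and the host address list are constructed.

```python
import ipaddress
import re

# Constructed dot.conf fragment modelled on the one in the post (not copied from a live box).
DOT_CONF = """\
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853
  forward-addr: 149.112.112.112@853
  forward-addr: 2a05:fc84::42@853
"""

# Constructed addresses owned by the firewall: IPv4 plus a link-local IPv6 only,
# the situation in the post (gateway and WAN are link-local, no global IPv6).
HOST_ADDRS_LL_ONLY = ["192.0.2.10", "fe80::1ff:fe23:4567:890a"]

FORWARD_RE = re.compile(r"^\s*forward-addr:\s*(\S+)\s*$", re.MULTILINE)

def parse_forwarders(conf):
    """Return [(ip_address, port)] from every forward-addr line; port defaults to 53."""
    result = []
    for token in FORWARD_RE.findall(conf):
        host, _, port = token.partition("@")
        result.append((ipaddress.ip_address(host), int(port) if port else 53))
    return result

def has_usable_source(host_addrs, version):
    # The debug output in the post shows unbound choosing an fe80:: outgoing-interface
    # for the IPv6 forwarder and the bind failing; a link-local (fe80::/10) address is
    # therefore treated here as not usable as the source of an outgoing DoT connection.
    return any(a.version == version and not a.is_link_local
               for a in map(ipaddress.ip_address, host_addrs))

def check_forwarders(conf, host_addrs):
    """Map each 'ip@port' forwarder to whether the host can source a connection to it."""
    return {f"{ip}@{port}": has_usable_source(host_addrs, ip.version)
            for ip, port in parse_forwarders(conf)}

if __name__ == "__main__":
    for target, ok in check_forwarders(DOT_CONF, HOST_ADDRS_LL_ONLY).items():
        print(target, "ok" if ok else "NO usable source address of this family")
```

On a real box, replace HOST_ADDRS_LL_ONLY with the addresses shown by `ifconfig` and DOT_CONF with the contents of /var/unbound/etc/dot.conf.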
Title: Re: DNS over TLS with ipv6 forward-addresses - can't get it working
Post by: chris42 on November 12, 2020, 11:40:21 am
I have the issue as well. It seems that unbound cannot contact the DNS server via IPv6. If you increase unbound logging you will also see:

Code:
2020-11-12T11:29:03 unbound[94702] [94702:1] info: error sending query to auth server 2a02:2970:1002::18 port 853
2020-11-12T11:29:03 unbound[94702] [94702:1] error: outgoing tcp: bind: Can't assign requested address
2020-11-12T11:29:03 unbound[94702] [94702:1] debug: sending to target: <.> 2a02:2970:1002::18#853

I could make the error disappear when turning off requesting an IPv6 prefix on my WAN. Then the WAN gets an IP and unbound is able to contact the servers. However, then IPv6 in my network is not working anymore. I would guess that unbound somehow is not correctly attaching to the right IPv6 addresses on the interfaces when using prefix delegation. (In my case it is configured to attach to all interfaces.)

Looking at my interfaces, it also shows my LAN IPv4 + public IPv6 on my LAN interface and public IPv4 + LAN IPv6 on my WAN interface.
I would have thought to have all public IPs on my WAN and all LAN IPs on my LAN... Somehow it is mixed up?
Title: Re: DNS over TLS with ipv6 forward-addresses - can't get it working
Post by: bringha on November 12, 2020, 04:38:12 pm
Hi chris42,

Do you see also this?

https://forum.opnsense.org/index.php?topic=19746.0

Br br
Title: Re: DNS over TLS with ipv6 forward-addresses - can't get it working
Post by: chris42 on November 12, 2020, 05:13:16 pm
Not that I know of. I have an unbound running for my local network, that is doing DoT now.

It seems to work with IPv6 even though I found the following:
- To properly announce the local LAN DNS to clients via RA, I need to use the fe80:: IPv6 of my LAN interface. As radvd in OPNsense is not able to handle prefix changes, the fe80:: address has to be specified in the radvd manual settings while RA is on "Unmanaged".

- Apparently the firewall only uses the primary IPv6 of my LAN interface. Having a target for DNS as "LAN net" or "LAN address" will not include fe80::. I needed to add a specific rule to allow DNS coming in.

- Unbound is not updating properly when the IPv6 changes, and also not when OPNsense is booting up. It seems to be connected to another issue: https://forum.opnsense.org/index.php?topic=20030.0
When the WAN interface has no global IPv6, the LAN won't have one either (although it already could have fe80::) and unbound will not bind to fe80::. Hence I need to relaunch the LAN interface and then restart unbound after the global IPv6 on WAN is available.

When I have corrected all of the above, my clients can use DNS via IPv4 and IPv6 through the DoT unbound.

But overall Opnsense and IPv6 still don't want to be friends. ;-D