OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: cookiemonster on June 25, 2021, 07:07:32 pm

Title: [Solved] Making the firewall use another resolver
Post by: cookiemonster on June 25, 2021, 07:07:32 pm
The problem: there is no name resolution on the firewall itself. Updates fail, etc. Drill from the console fails, i.e.:
OPNsense:~ % drill example.com
Error: error sending query: Could not send or receive, because of network error

The setup:
Version: OPNsense 21.1.6-amd64

System > General:
DNS Server is empty and all other three options are not ticked.
As expected /etc/resolv.conf contains "nameserver 127.0.0.1"

I run the "stubby" dns resolver on 127.0.0.1 on port 8053.
Doing a drill command domain search from the console giving it the port 8053 works fine. Stubby works.

Unbound options:
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
Unbound is set to LAN and WAN.

Services > DHCPv4 LAN has in the DNS Servers "192.168.5.154", which is the IP of my Pi-hole, set to send the client queries upstream back to OPN's static LAN IP of 192.168.5.1, which, via the Unbound forwarding, pushes the query from port 53 to 8053, and everything is good.

My DHCP clients asking for DHCP options get an IP and are told to use Pi-hole for DNS queries. There are a couple of NAT & firewall rules to force any client trying to bypass it. So far so good. All works as expected.
This included also the firewall itself when I finished setting this up.

I noticed yesterday, after some reboots had happened, that the name resolution wasn't working on the firewall.

My troubleshooting hasn't shown me a lot; probably I'm not using the logging correctly.
For instance if I manually add the port in /etc/resolv.conf then the problem goes away as expected from the setup.
Ticking/unticking "Do not use the local DNS service as a nameserver for this system" adds/removes the loopback but doesn't resolve the problem and I wasn't expecting it to.

So the question is whether the "forward-addr" forwarding should be expected to work on the firewall, i.e. it should work as a valid configuration, OR whether I should not expect it to work and therefore, what should I do to make the sending of DNS queries to 127.0.0.1:8053 on the firewall system persistent (not DHCP clients; that works)?
I'd appreciate some guidance.
Title: Re: Making the firewall use another resolver
Post by: cookiemonster on June 26, 2021, 11:04:21 pm
Asking in a different way.
What option in the UI do I need to use in order for OPNsense to use the DNS server set in the Unbound forward-addr: directive, for system updates for example?
I could script simply adding it to /etc/resolv.conf after boot, but I would have thought it is an out-of-the-box option that I have simply overlooked.
Thanks.
Title: Re: Making the firewall use another resolver
Post by: KeyHand on June 27, 2021, 03:05:06 pm
Unbound options:
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
Unbound is set to LAN and WAN.

Are you manually inserting that code block into the 'Custom options' field in 'Services: Unbound DNS: General'?  Does it end up in your generated `/var/unbound/unbound.conf`?

What option in the UI need I use in order for OPNsense to use the DNS server set in the unbound forward-addr: directive for system updates for example?

It looks like you can use the 'DNS over TLS Servers' setting in 'Services: Unbound DNS: Miscellaneous'.  The template used to generate the `unbound.conf` snippet for this section looks a lot like what you're already doing (https://github.com/opnsense/core/blob/stable/21.1/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf).  Perhaps try setting 'DNS over TLS Servers' to '127.0.0.1@8053' and see if that works.
Title: Re: Making the firewall use another resolver
Post by: cookiemonster on June 27, 2021, 08:54:31 pm
Hi. Yes, these options are in the custom options field and yes (thanks for the hint), they do end up in the /var/unbound/unbound.conf file.
Also, I did come across the option in the UI to use TLS, which would negate the need to use stubby.
TLS for the DHCP clients via Stubby works fine; my issue is that the firewall itself is using localhost instead of localhost on port 8053, which I need it to.
Thanks, it gives me an idea of a test I can make.
Title: [Solved] Making the firewall use another resolver
Post by: cookiemonster on June 28, 2021, 12:42:38 pm
The problem is solved now.
I am unsure if there was an expected change after an update to 21.1.6 that caused a behaviour change, although I doubt it; it's most likely me missing it to begin with.
I had to go into System, General, Settings and select (tick) "Do not use the local DNS service as a nameserver for this system".
This didn't seem to be needed before when I set all this up, but as I say, it probably wasn't working as I expected and I hadn't noticed.
Title: Re: [Solved] Making the firewall use another resolver
Post by: KeyHand on June 29, 2021, 01:17:53 pm
I'm glad you managed to figure this out.

For clarity's sake, I'm assuming the chain of DNS queries for clients is 'Pi-hole > Unbound > Stubby'  and the intended query chain for the host is just 'Stubby'.  If this assumption is correct, what are the relevant settings under 'System: Settings: General' and 'Services: Unbound DNS: General' (possibly also 'Services: Unbound DNS: Miscellaneous') that got it working for you?

Specifically, did you end up keeping the Unbound 'Custom options' block, or was it just a case of setting 'Do not use the local DNS service as a nameserver for this system' as checked (to remove the default `127.0.0.1` line in `/etc/resolv.conf`) and adding '172.0.0.1@8053' in one of the 'DNS Server' fields?
Title: Re: [Solved] Making the firewall use another resolver
Post by: cookiemonster on July 29, 2021, 12:51:54 pm
Hello, my apologies, I didn't get the notification.
Your assumed query chain is correct: client > Unbound > Stubby. And the firewall is going to Stubby.

'System: Settings: General' has no DNS server set, all the dns servers fields are blank.
'Do not use the local DNS service as a nameserver for this system' is ticked.

'Services: Unbound DNS: General' has in 'custom options':
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
If you want me to share any of the other settings used, just let me know.
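As an added illustration of the diagnosis in this thread (not code from the thread or from OPNsense), the following Python checks a host's resolv.conf against the Unbound config and the sockets actually listening, and reports why the firewall's own queries fail: with "nameserver 127.0.0.1" but Unbound bound only to LAN and WAN, queries to 127.0.0.1:53 have no listener, while the forwarder sits on 127.0.0.1@8053. All inputs are constructed samples; the interface: lines, the 203.0.113.7 WAN address and the listener set are assumptions.

```python
import re

# Constructed inputs modelled on the thread's setup; not copied from a real firewall.
RESOLV_CONF = "nameserver 127.0.0.1\n"
UNBOUND_CONF = """server:
    interface: 192.168.5.1
    interface: 203.0.113.7
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
"""
# Constructed UDP listeners, as sockstat -l would show them:
# Unbound on the LAN/WAN addresses, stubby on loopback port 8053, nothing on 127.0.0.1:53.
LISTENERS = {("192.168.5.1", 53), ("203.0.113.7", 53), ("127.0.0.1", 8053)}


def parse_resolv(text):
    """(ip, port) pairs the host resolver will query; the libc resolver always uses port 53."""
    return [(m.group(1), 53) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def parse_unbound(text):
    """Return Unbound's listen addresses and its forward-addr targets as (ip, port)."""
    listen = re.findall(r"^\s*interface:\s*(\S+)", text, re.M)
    fwd = []
    for addr in re.findall(r"^\s*forward-addr:\s*(\S+)", text, re.M):
        ip, _, port = addr.partition("@")      # unbound syntax: ip@port, port defaults to 53
        fwd.append((ip, int(port) if port else 53))
    return listen, fwd


def check_host_resolution(resolv, unbound, listeners):
    """Trace the firewall's own query path and return the problems found (empty list = OK)."""
    listen, fwd = parse_unbound(unbound)
    problems = []
    if not parse_resolv(resolv):
        problems.append("resolv.conf lists no nameserver at all")
    for ip, port in parse_resolv(resolv):
        if (ip, port) in listeners:
            continue
        problems.append(f"resolv.conf sends queries to {ip}:{port} but nothing listens there")
        if ip.startswith("127.") and ip not in listen:
            problems.append("Unbound is bound to %s only, so the forward-zone is never reached from localhost" % ", ".join(listen))
    for ip, port in fwd:
        if (ip, port) not in listeners:
            problems.append(f"forward-addr {ip}@{port} has no listener (forwarder not running?)")
    return problems


if __name__ == "__main__":
    for p in check_host_resolution(RESOLV_CONF, UNBOUND_CONF, LISTENERS):
        print("PROBLEM:", p)
```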