OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: abulafia on September 11, 2021, 08:56:20 pm

Title: Unbound issues
Post by: abulafia on September 11, 2021, 08:56:20 pm
While running Unbound as a local resolver, I have come across three issues:

1. Unbound fails to resolve certain domains. I have no DNSBL in Unbound. Unbound only delivers the CNAME, but no A record. When using Unbound as DoT forwarder, it resolves the hostname normally.

2. Even though I have unchecked "Flush DNS cache during reload", the statistics and cache are cleared with every Unbound reload. This should not happen.

3. Unbound failing to start, see https://github.com/opnsense/core/issues/5150 - I don't experience this anymore, though.

Has anyone experienced similar issues or could suggest possible (configuration) errors?
Title: Re: Unbound issues
Post by: Fright on September 12, 2021, 03:01:37 pm
1. can you give an example please?
2. how did you check this (log? cache dump?) and this option has nothing to do with statistics afaik
Title: Re: Unbound issues
Post by: abulafia on September 14, 2021, 11:08:37 pm
Thanks -

1. I was afraid of this question - it was a website for Germany's far-right party (I don't like them, I did not vote for them, but I had to look up their site nonetheless). Need to reset Unbound to resolver mode to check.

I have also had these issues, I think, with Apple and Microsoft sites (though no DNSBL enabled).

I have Adguard Home as primary DNS on :53 which then forwards to unbound at 127.0.0.1:5553.

Response seen in Adguard Home e.g. for www.bing.com:

Quote
Response details
Status: Allowed
DNS server: 127.0.0.1:5553
Elapsed: 115 ms
Response code: NXDOMAIN
Rule(s):
www.bing.com
hl2guide
Response:
CNAME: a-0001.a-afdentry.net.trafficmanager.net. (ttl=21600)

Later Adguard shows proper resolution:

Quote
Response details
Status: Allowed
Elapsed: 0.06 ms
Response code: NOERROR
Rule(s):
www.bing.com
hl2guide
Response:
CNAME: a-0001.a-afdentry.net.trafficmanager.net. (ttl=60)
CNAME: www-bing-com.dual-a-0001.a-msedge.net. (ttl=60)
CNAME: dual-a-0001.a-msedge.net. (ttl=60)
A: 13.107.21.200 (ttl=60)
A: 204.79.197.200 (ttl=60)

2. Statistics got reset to zero and resolve times shot up again. So: No thorough checking.
Title: Re: Unbound issues
Post by: andrema2 on September 15, 2021, 03:02:56 am
Hi

Just my 2 cents here. I had some sites not resolving and it turned out to be Strict QNAME minimisation checked. Once I unchecked it, all is good.
Title: Re: Unbound issues
Post by: Fright on September 15, 2021, 07:38:09 pm
@abulafia
+1 to what @andrema2 said.
based on https://github.com/opnsense/core/issues/5150#issuecomment-894844062
you have qnameminstrict enabled. can you try without it?
(in short: with qnameminstrict enabled, unbound stops trying to resolve a name when a "broken" DNS server returns a "wrong" response code to an Empty Non-Terminal record query)
https://datatracker.ietf.org/doc/html/rfc7816
Quote
2. Statistics got reset to zero and resolve times shot up again. So: No thorough checking.
IMHO the stats will be cleared in any case, and there is no way to save them on reload (and the "Flush DNS cache during reload" option is not related to this).
Cache loading after reload can be checked with the
    unbound-control -c /var/unbound/unbound.conf dump_cache
command, or by enabling debug logging and looking at where unbound gets the results from (for the purity of the experiment, it is better to disable the "Prefetch Support" option at SERVICES: UNBOUND DNS: ADVANCED).
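The strict-mode failure Fright describes, as an added illustration that is not code from this thread, OPNsense or Unbound: a toy Python resolver walks the RFC 7816 minimised names for the CNAME target seen in abulafia's trace against a constructed authoritative server that wrongly answers NXDOMAIN for an empty non-terminal. Strict mode gives up at that step, relaxed mode falls back to the full name, and a well-behaved server (NODATA for the ENT) works in both. The zone contents and the address are constructed, not the real records.

```python
# Constructed zone data: name -> (rcode, records). Only the names listed
# here "exist". The broken server below answers NXDOMAIN for anything else,
# including the empty non-terminal "net.trafficmanager.net", where a correct
# server answers NOERROR with an empty answer (NODATA). The address is a
# made-up documentation-range value, not the real one.
ZONE = {
    "net": ("NOERROR", []),
    "trafficmanager.net": ("NOERROR", []),
    "a-afdentry.net.trafficmanager.net": ("NOERROR", []),
    "a-0001.a-afdentry.net.trafficmanager.net": ("NOERROR", ["A 203.0.113.10"]),
}

def broken_auth_query(name):
    """Mis-behaving authoritative server: NXDOMAIN for any name without
    records of its own, even when a child name exists beneath it (an ENT)."""
    return ZONE.get(name, ("NXDOMAIN", []))

def correct_auth_query(name):
    """Well-behaved server: an ENT gets NODATA (NOERROR, empty answer)."""
    if name in ZONE:
        return ZONE[name]
    if any(key.endswith("." + name) for key in ZONE):
        return ("NOERROR", [])  # something exists below -> NODATA, not NXDOMAIN
    return ("NXDOMAIN", [])

def minimised_names(qname):
    """Query names shortest first, as a minimising resolver sends them:
    a.b.c -> ["c", "b.c", "a.b.c"]."""
    labels = qname.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]

def resolve(qname, strict, auth=broken_auth_query):
    """Strict mode: NXDOMAIN on any intermediate name ends resolution, since
    NXDOMAIN for an ancestor implies nothing exists below it (RFC 8020).
    Relaxed mode: on an intermediate NXDOMAIN, fall back to querying the
    full qname, which is Unbound's behaviour when strict mode is off."""
    for name in minimised_names(qname):
        rcode, records = auth(name)
        if name == qname:
            return rcode, records
        if rcode == "NXDOMAIN":
            return ("NXDOMAIN", []) if strict else auth(qname)
    return ("SERVFAIL", [])  # not reached for a non-empty qname
```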
Title: Re: Unbound issues
Post by: abulafia on September 16, 2021, 06:35:39 pm
Thank you both! Indeed I have strict QNAME minimisation enabled.

Going on holiday this weekend so will only be able to follow up later, but thank you very much for the pointers!