OPNsense Forum
English Forums => General Discussion => Topic started by: Jay10 on February 24, 2023, 01:10:50 am
-
Hi All,
New to opnsense so I'm confident I have a setting wrong somewhere and have googled quite extensively to try and figure out the issue. I have found similar threads to my situation, but they seem to have either died off or been magically resolved with some setting the OP can't remember.
After setting up opnsense I decided to install adguard (on the opnsense host itself) - the same as I was previously doing on openwrt before switching over.
OPNsense Versions:
OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023
Package Versions:
Adguard Home v0.107.25 - installed from mimugmail's repo "os-adguardhome-maxit" v1.8
Unbound v1.17.1_2
I believe the way I have setup things the flow should work like this:
LAN Clients -> Adguard (10.0.0.1:53) -> Unbound (10.0.0.1:5553) -> Upstream Servers (Unbound DNS over TLS)
When trying to update in GUI I am given this output -
***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.1.1_2 at Thu Feb 23 23:22:38 GMT 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: No address record
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Updating mimugmail repository catalogue...
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: No address record
repository mimugmail has no meta file, using default settings
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.pkg: No address record
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: No address record
Unable to update repository mimugmail
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***
Obviously this leads me to believe it is a DNS issue, so I tried to resolve "pkg.opnsense.org" in Interfaces > Diagnostics > DNS Lookup -
Hostname:pkg.opnsense.org
Server:
Result -
Query failure
Error: error sending query: Could not send or receive, because of network error
So I repeated the test only this time specifying 10.0.0.1 as the server (presumably port 53) -
Hostname:pkg.opnsense.org
Server:10.0.0.1
Result -
Type:A
Answer:pkg.opnsense.org. 30 IN A 89.149.211.205
Server:10.0.0.1
Query time: 0 msec
Type:AAAA
Answer:pkg.opnsense.org. 340 IN AAAA 2001:1af8:4f00:a005:5::
Server:10.0.0.1
Query time: 22 msec
With the above... I am sure something needs changing to get OPNsense communicating correctly, but I am unsure what to do.
A few settings that might be applicable:
System > Settings > General:
Networking:
Prefer IPv4 over IPv6:✘
DNS Servers:none
Allow DNS server list to be overridden by DHCP/PPP on WAN:✘
Do not use the local DNS service as a nameserver for this system:✘
Services > Unbound DNS > General:
Enable Unbound:✓
Listen Port:5553
Network Interfaces:LAN,WAN
Enable DNSSEC Support:✓
Outgoing Network Interfaces:All
Services > Unbound DNS > DNS over TLS:
Server:9.9.9.9
Port:853
Verify CN:dns.quad9.net
Server:149.112.112.112
Port:853
Verify CN:dns.quad9.net
Server:1.1.1.1
Port:853
Verify CN:cloudflare-dns.com
Server:1.0.0.1
Port:853
Verify CN:cloudflare-dns.com
Services > Adguard Home > General:
Enable:✓
Adguard settings:
Upstream DNS Servers:
127.0.0.1:5553
Bootstrap DNS Servers:
127.0.0.1:5553
Private reverse DNS Servers:
127.0.0.1:5553
Use private reverse DNS resolvers:✓
Enable reverse resolving of clients' IP addresses:✓
Enable DNSSEC:✓
Is anyone able to shed some light on the situation or have any ideas? Would also appreciate any suggestions if there's a better way to do things.
Apologies for the long post, but I figure it's probably very frustrating when people come with issues & no info.
-
What does the /etc/resolv.conf tell you?
-
Hi Zan,
Thanks for your response :)
root@OPNsense:~ # cat /etc/resolv.conf
domain home.arpa
nameserver 127.0.0.1
search home.arpa
So presumably it's looking to resolve to itself @ 127.0.0.1:53
Unbound is running @ 127.0.0.1:5553 (10.0.0.1:5553) & adguard @ 10.0.0.1:53
-
Looks normal.
Possibly an ACL problem, like Unbound/AdGuard not accepting queries from loopback.
Can you try "drill google.com @127.0.0.1 -p 5553"
If it works then you should check Adguard's ACL to allow query from 127.0.0.1 or loopback adapter
-
What is your OPN LAN ip address?
-
Looks normal.
Possibly an ACL problem, like Unbound/AdGuard not accepting queries from loopback.
Can you try "drill google.com @127.0.0.1 -p 5553"
If it works then you should check Adguard's ACL to allow query from 127.0.0.1 or loopback adapter
root@OPNsense:~ # drill google.com @127.0.0.1 -p 5553
Error: error sending query: Could not send or receive, because of network error
What is your OPN LAN ip address?
10.0.0.1/24
-
Do not use the local DNS service as a nameserver for this system:✘
Does that mean checked or unchecked?
-
Unchecked
Enabled - ✓
Disabled - ✘
-
I would first disable DoT in Unbound, until this is resolved. Not strictly necessary though.
It seems from the settings that this is the expected behaviour, probably can be confirmed with netstat showing there's no listener for Unbound on the loopback.
In AdGuard, change your "Upstream DNS servers" to 10.0.0.1:5553.
Same for "Bootstrap DNS servers" and "Private reverse DNS servers".
-
If I disabled DoT upstreams there would be no upstream providers.
Would I put them in Services>Unbound>Query Forwarding or System>Settings>General>DNS Servers?
Adguard Upstream/bootstrap & private reverse now set to:10.0.0.1:5553
Same issue:
root@OPNsense:~ # ping google.co.uk
ping: Unknown host
root@OPNsense:~ # drill google.co.uk
Error: error sending query: Could not send or receive, because of network error
-
Yes good point about no upstreams if you clear out the DoT providers - I forgot my DoT upstreams go out in a different way.
Put a non-DoT one for now, say 8.8.8.8 for now and test again please.
-
Try this and see if unbound is listening on the loopback:
sockstat -l | grep 'unbound\|AdGuard'
If it does, then try this:
pfctl -d
drill @localhost -p5553 google.com
pfctl -e
to make sure it is not a firewall issue.
-
Do not use the local DNS service as a nameserver for this system:✘
As per the help text, this setting controls whether localhost (127.0.0.1) is used by default as the first nameserver when e.g. Dnsmasq or Unbound is enabled, so the system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.
Therefore if you have it disabled, the system is not using the loopback and has no alternative to use.
You could enable it and see it populate /etc/resolv.conf, and I'm pretty sure the problem goes away.
If however you want it disabled, you'll need to give the system an alternative, i.e. forward to AdGuard.
-
Try this and see if unbound is listening on the loopback:
sockstat -l | grep 'unbound\|AdGuard'
If it does, then try this:
pfctl -d
drill @localhost -p5553 google.com
pfctl -e
to make sure it is not a firewall issue.
root@OPNsense:~ # sockstat -l | grep 'unbound\|AdGuard'
unbound unbound 57271 5 stream /tmp/php-fastcgi.socket-1
unbound unbound 57271 8 udp4 10.0.0.1:5553 *:*
unbound unbound 57271 9 tcp4 10.0.0.1:5553 *:*
unbound unbound 57271 10 udp4 95.151.***.***:5553 *:*
unbound unbound 57271 11 tcp4 95.151.***.***:5553 *:*
unbound unbound 57271 12 udp4 127.0.0.1:5553 *:*
unbound unbound 57271 13 tcp4 127.0.0.1:5553 *:*
unbound unbound 57271 14 udp4 10.0.0.1:5553 *:*
unbound unbound 57271 15 tcp4 10.0.0.1:5553 *:*
unbound unbound 57271 16 udp4 95.151.***.***:5553 *:*
unbound unbound 57271 17 tcp4 95.151.***.***:5553 *:*
unbound unbound 57271 18 udp4 127.0.0.1:5553 *:*
unbound unbound 57271 19 tcp4 127.0.0.1:5553 *:*
unbound unbound 57271 20 udp4 10.0.0.1:5553 *:*
unbound unbound 57271 21 tcp4 10.0.0.1:5553 *:*
unbound unbound 57271 22 udp4 95.151.***.***:5553 *:*
unbound unbound 57271 23 tcp4 95.151.***.***:5553 *:*
unbound unbound 57271 24 udp4 127.0.0.1:5553 *:*
unbound unbound 57271 25 tcp4 127.0.0.1:5553 *:*
unbound unbound 57271 26 udp4 10.0.0.1:5553 *:*
unbound unbound 57271 27 tcp4 10.0.0.1:5553 *:*
unbound unbound 57271 28 udp4 95.151.***.***:5553 *:*
unbound unbound 57271 29 tcp4 95.151.***.***:5553 *:*
unbound unbound 57271 30 udp4 127.0.0.1:5553 *:*
unbound unbound 57271 31 tcp4 127.0.0.1:5553 *:*
unbound unbound 57271 32 tcp4 127.0.0.1:953 *:*
root AdGuardHom 61200 13 udp4 10.0.0.1:53 *:*
root AdGuardHom 61200 14 tcp4 10.0.0.1:53 *:*
root AdGuardHom 61200 21 tcp4 10.0.0.1:8080 *:*
root syslog-ng 19509 22 dgram /var/unbound/var/run/log
95.151.***.*** is my Ext WAN IP - I removed the last 6 digits.
root@OPNsense:~ # pfctl -d
localhost -p5553 google.com
pfctl -epf disabled
root@OPNsense:~ # drill @localhost -p5553 google.com
Error: error sending query: Could not send or receive, because of network error
root@OPNsense:~ # pfctl -e
pf enabled
Before issuing the 'pfctl -e' above I was unable to browse the net from a LAN client - not sure if that's important.
-
Yes good point about no upstreams if you clear out the DoT providers - I forgot my DoT upstreams go out in a different way.
Put a non-DoT one for now, say 8.8.8.8 for now and test again please.
I disabled upstreams under Services>Unbound DNS>DNS over TLS.
And enabled them under Services>Unbound DNS>Query Forwarding.
IP:8.8.8.8
Port:53
IP:1.1.1.1
Port:53
Still the same results I'm afraid:
root@OPNsense:~ # ping google.co.uk
ping: Unknown host
root@OPNsense:~ # drill google.co.uk
Error: error sending query: Could not send or receive, because of network error
Do not use the local DNS service as a nameserver for this system:✘
As per the help text, this setting controls whether localhost (127.0.0.1) is used by default as the first nameserver when e.g. Dnsmasq or Unbound is enabled, so the system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.
Therefore if you have it disabled, the system is not using the loopback and has no alternative to use.
You could enable it and see it populate /etc/resolv.conf, and I'm pretty sure the problem goes away.
If however you want it disabled, you'll need to give the system an alternative, i.e. forward to AdGuard.
Before ticking the above option:
root@OPNsense:~ # cat /etc/resolv.conf
domain home.arpa
nameserver 127.0.0.1
search home.arpa
After ticking the above option:
root@OPNsense:~ # cat /etc/resolv.conf
domain home.arpa
search home.arpa
-
You might be ok. What happens if you use dig instead of drill?
But remove the entries in the query forwarding section.
If I recall correctly, by having no entries for DNS servers in Unbound, Unbound will send the query to the internet root servers.
So, to recap: for now avoid drill. Use any of the bind/dns-tools, i.e. dig, host, nslookup, etc.
For now we're troubleshooting name resolution ON the firewall, so we want to stay local.
The firewall doesn't get forced to go to AdGuard at the moment, so all queries are local, you just need to direct the dig query to either of the running listeners.
Then you can check to update the system again.
-
root@OPNsense:~ # sockstat -l | grep 'unbound\|AdGuard'
root AdGuardHom 61200 13 udp4 10.0.0.1:53 *:*
root AdGuardHom 61200 14 tcp4 10.0.0.1:53 *:*
root AdGuardHom 61200 21 tcp4 10.0.0.1:8080 *:*
root syslog-ng 19509 22 dgram /var/unbound/var/run/log
I think we found the culprit. Your AGH only listens on the LAN interface.
Edit your /usr/local/AdGuardHome/AdGuardhome.yaml and change the "bind_hosts" under "dns:" to '0.0.0.0' then restart AGH should fix this.
Edit: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file
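A POSIX sh script, added here as an example and not code from the thread, OPNsense or AdGuard Home, that automates the check the replies above walked through by hand: it reads the nameservers from /etc/resolv.conf and confirms that `sockstat -l` shows a UDP listener on port 53 for each local one. The sample inputs are constructed from the outputs posted in the thread; the `*:53` form for a `0.0.0.0` bind is an assumption based on FreeBSD sockstat's usual output.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check /etc/resolv.conf against
# the DNS listeners reported by `sockstat -l`. The thread's root cause was
# resolv.conf pointing at 127.0.0.1 while AdGuard Home only bound 10.0.0.1:53,
# so nothing answered on loopback and pkg/drill/ping failed on the host.

# Constructed sample input, trimmed from the outputs posted in the thread.
RESOLV_CONF='domain home.arpa
nameserver 127.0.0.1
search home.arpa'

SOCKSTAT_BROKEN='root AdGuardHom 61200 13 udp4 10.0.0.1:53 *:*
root AdGuardHom 61200 14 tcp4 10.0.0.1:53 *:*
unbound unbound 57271 12 udp4 127.0.0.1:5553 *:*'

# Assumed sockstat output once bind_hosts is 0.0.0.0 (constructed).
SOCKSTAT_FIXED='root AdGuardHom 61200 13 udp4 *:53 *:*
root AdGuardHom 61200 14 tcp4 *:53 *:*
unbound unbound 57271 12 udp4 127.0.0.1:5553 *:*'

# has_udp_listener ADDR PORT SOCKSTAT_TEXT
# Returns 0 if some process has a UDP socket bound to ADDR:PORT or to the
# wildcard *:PORT (sockstat column 5 is the proto, column 6 the local addr).
has_udp_listener() {
    addr=$1; port=$2; text=$3
    printf '%s\n' "$text" | awk -v want="$addr:$port" -v any="*:$port" \
        '$5 == "udp4" && ($6 == want || $6 == any) { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# check_resolvers RESOLV_TEXT SOCKSTAT_TEXT
# Prints "ok ADDR" or "MISSING ADDR ..." per loopback nameserver and returns
# non-zero if any of them has no local listener on port 53. Non-loopback
# resolvers are skipped, since they are answered by a remote host.
check_resolvers() {
    resolv=$1; sock=$2; rc=0
    for ns in $(printf '%s\n' "$resolv" | awk '$1 == "nameserver" { print $2 }'); do
        case $ns in 127.*) ;; *) echo "skip $ns (not local)"; continue ;; esac
        if has_udp_listener "$ns" 53 "$sock"; then
            echo "ok $ns"
        else
            echo "MISSING $ns (nothing listens on $ns:53; host lookups will fail)"
            rc=1
        fi
    done
    return $rc
}

check_resolvers "$RESOLV_CONF" "$SOCKSTAT_BROKEN" || echo "-> broken: bind AdGuard to 0.0.0.0"
check_resolvers "$RESOLV_CONF" "$SOCKSTAT_FIXED" && echo "-> fixed"
```

On the firewall itself the constructed variables would be replaced by `cat /etc/resolv.conf` and `sockstat -l`.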
-
As Cookie suggested, I just removed all upstream DNS & ran
host google.co.uk 127.0.0.1
which didn't work
then tried:
host google.co.uk 10.0.0.1
which was successful!
I was coming back here to report my findings and as soon as I read your message I knew, that would be it... Checked and sure enough it was set to only listen on LAN! This was my 2nd or 3rd attempt at removing everything and setting up from scratch...
The previous times I had it listening on all & this issue was still present - must have been a combination of issues.
For anyone that may find this thread from a search, all of my settings are exactly as in this thread.
Thank you both so much for all your help! (and patience).
What a great community!
-
Hey Jay10,
I have the same exact situation where DNS is working everywhere else except on the local opnsense host. What have you done to resolve it? You mentioned you are using the same settings but did multiple reinstallations?
Thanks for this thread; otherwise I was scratching my head.
-
Hey Jay10,
I have the same exact situation where DNS is working everywhere else except on the local opnsense host. What have you done to resolve it? You mentioned you are using the same settings but did multiple reinstallations?
Thanks for this thread; otherwise I was scratching my head.
I faced the same problem. I had to change the bind_host to
dns:
bind_hosts:
- 0.0.0.0
in /usr/local/AdGuardHome/AdGuardHome.yaml.
(also tried all other changes suggested here, didn't work)