OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: user1234 on September 16, 2017, 01:02:45 pm

Title: Unbound DNS problems
Post by: user1234 on September 16, 2017, 01:02:45 pm
I am trying out OPNsense for the first time and I am having lots of problems with DNS.
DNS works fine if I set unbound up as a forwarder and put 8.8.8.8/8.8.4.4 in the system settings.

However, if I disable forwarding, DNS does not work at all. I thought in this mode it should fetch DNS responses from the root DNS servers, however it does not appear to be working. If I use tcpdump I can see lots of responses from root servers as well as ServFail responses.

If I try to use DNSSEC, DNS also stops working for all my clients and in the log file I see "unbound: [65437:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN".

I have also noticed I am getting a lot of DNS-related IPS alerts. With DNS forwarding disabled:
allowed   198.97.190.53   192.168.1.65   SURICATA DNS malformed response data

With DNS forwarding enabled:
allowed   8.8.8.8   192.168.1.65   SURICATA DNS malformed response data

Any idea what is wrong?

Here are my settings:

(https://i.imgur.com/G6yNGhd.png)
(https://i.imgur.com/6pkMsfG.png)
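The "failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN" message means Unbound never got a usable answer to its root DNSKEY query, and the Suricata "malformed response" alerts point at the replies themselves. The following is an added diagnostic, not code from the thread or from OPNsense: it builds the same kind of query (EDNS0, DO bit), sends it to a chosen server and judges the reply the way priming does (rcode 0, not truncated, DNSKEY records present); the root server address is the one from the IPS alert above, and the two sample replies are constructed so the parser can be exercised offline.

```python
import socket
import struct

ROOT_SERVER = "198.97.190.53"        # h.root-servers.net, the root server seen in the IPS alert above
DNSKEY, CLASS_IN, OPT = 48, 1, 41    # RR type / class / EDNS0 pseudo-RR type numbers

def build_priming_query(txid=0x1234):
    # '. DNSKEY IN', RD set, plus an OPT record (4096-byte UDP size, DO bit): the priming query shape.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = b"\x00" + struct.pack(">HH", DNSKEY, CLASS_IN)        # root name is one empty label
    opt = b"\x00" + struct.pack(">HHIH", OPT, 4096, 0x00008000, 0)   # class=udp size, ttl carries DO
    return header + question + opt

def _skip_name(msg, off):
    # Offset just past a wire-format name; a 0xC0.. byte is a two-byte compression pointer that ends it.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def inspect_response(msg, expect_txid=None):
    # Priming needs rcode 0 (2 = SERVFAIL), TC clear and at least one DNSKEY in the answer section.
    if len(msg) < 12 or (expect_txid is not None and msg[:2] != struct.pack(">H", expect_txid)):
        return {"ok": False, "reason": "short packet or transaction id mismatch"}
    flags, qd, an = struct.unpack(">HHH", msg[2:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                     # skip QNAME, QTYPE, QCLASS
    dnskeys = 0
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        dnskeys += rtype == DNSKEY
    result = {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200), "dnskeys": dnskeys}
    result["ok"] = result["rcode"] == 0 and not result["truncated"] and dnskeys > 0
    return result

def probe(server=ROOT_SERVER, timeout=3.0):
    # Live check over UDP (needs network); the constructed samples below exercise the parser offline.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_priming_query(), (server, 53))
        data, _ = s.recvfrom(4096)
    return inspect_response(data, expect_txid=0x1234)

# Constructed sample replies (not captured traffic): SERVFAIL with no answer; NOERROR with one dummy DNSKEY.
_QUESTION = b"\x00" + struct.pack(">HH", DNSKEY, CLASS_IN)
SAMPLE_SERVFAIL = struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + _QUESTION
SAMPLE_GOOD = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + b"\xc0\x0c"
               + struct.pack(">HHIH", DNSKEY, CLASS_IN, 172800, 4) + b"\x01\x01\x03\x08")
```

Running probe() against the root server and again with server="8.8.8.8" shows which path returns a clean, untruncated DNSKEY answer; a SERVFAIL or a truncated reply from one path and not the other narrows the problem to that path.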
Title: Re: Unbound DNS problems
Post by: user1234 on September 24, 2017, 12:43:29 pm
Still having strange problems.

Finding DNS is failing for certain websites.
If I use a web browser on a client to go to https://www.raspberrypi.org/ I get ERR_NAME_RESOLUTION_FAILED; however, if on the same client I use nslookup I get a response. Looking in the unbound logs, I get the following when using a web browser.
Sep 24 11:47:25 unbound: [28264:0] debug: return error response SERVFAIL
Sep 24 11:47:25 unbound: [28264:0] debug: configured stub or forward servers failed -- returning SERVFAIL
Sep 24 11:47:25 unbound: [28264:0] info: processQueryTargets: www.raspberrypi.org. A IN
Sep 24 11:47:25 unbound: [28264:0] info: iterator operate: query www.raspberrypi.org. A IN
Sep 24 11:47:25 unbound: [28264:0] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply
Sep 24 11:47:25 unbound: [28264:0] debug: cache memory msg=97767 rrset=107407 infra=5722 val=0
Sep 24 11:47:25 unbound: [28264:0] debug: sending to target: <.> 8.8.8.8#53
Sep 24 11:47:25 unbound: [28264:0] info: sending query: www.raspberrypi.org. A IN
Sep 24 11:47:25 unbound: [28264:0] info: processQueryTargets: www.raspberrypi.org. A IN
Sep 24 11:47:25 unbound: [28264:0] info: iterator operate: query www.raspberrypi.org. A IN

I only get this problem on a few websites. Any idea what is causing this along with my other problems above?
Title: Re: Unbound DNS problems
Post by: franco on September 24, 2017, 12:46:59 pm
Have you tested against Dnsmasq or the plain forward mode? Some ISPs meddle with the resolving.


Cheers,
Franco
Title: Re: Unbound DNS problems
Post by: user1234 on September 24, 2017, 12:50:59 pm
Using Dnsmasq it all seems to work fine.
Title: Re: Unbound DNS problems
Post by: user1234 on September 24, 2017, 02:59:37 pm
I would prefer to use unbound as this is now the default in OPNsense and allows more options/security.

Any idea how to debug unbound to work out why it does not work at all with forwarding disabled?

Thanks
Title: Re: Unbound DNS problems
Post by: franco on September 25, 2017, 11:06:49 am
I have two lines, one that works perfectly with Unbound and one that doesn't. I don't know why, but it is not related to OPNsense.


Cheers,
Franco
Title: Re: Unbound DNS problems
Post by: Nnyan on November 22, 2017, 12:43:16 am
I was just playing at getting my pi-hole VM up and running again (last time I ran into problems but was too busy to really take a look at this). I basically wanted OPNsense DHCP to give clients the IP of my pi-hole VM (to handle ad blocking) and pointed my pi-hole VM to the OPNsense IP. Fine, but it was recommended (a number of online guides) that I use unbound. But once I did that all hell broke loose again (every browser error under the sun) but basically some sites open, others would not.

Searching around it seems that some ISPs have the tendency of hijacking DNS/NXDOMAIN responses for commercial purposes. I'm not sure why this would affect the unbound resolver (with and without forwarding checked) and not the dnsmasq forwarder but that's what I found.