OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: BeNe on February 25, 2018, 12:24:14 pm

Title: Unbound IPv6 DNS not always ok
Post by: BeNe on February 25, 2018, 12:24:14 pm
Hello OPNSense Users,

I have a question about Unbound and IPv6. My DNS resolution doesn't work every time for the IPv6 interface. I need to restart Unbound DNS once a day to get it working. Here is my current output and problem on a client: no DNS via the IPv6 address of the OPNsense:

Code:
Microsoft Windows [Version 10.0.16299.125]
(c) 2017 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\MyUser>nslookup
DNS request timed out.
    timeout was 2 seconds.
Standardserver:  UnKnown
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

> ard.de
Server:  UnKnown
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an UnKnown.
>

If I use the IPv4 address of my OPNsense, Unbound works perfectly:
Code:

C:\Users\MyUser>nslookup - 172.16.17.254
Standardserver:  firewall.my-net.local
Address:  172.16.17.254

> ard.de
Server:  firewall.my-net.local
Address:  172.16.17.254

Nicht autorisierende Antwort:
Name:    ard.de
Address:  83.125.35.3

>

The IPv6 address of the OPNsense LAN interface is right and I can ping it from the client:
Code:
C:\Users\MyUser>ping 2003:85:ae35:59f0:20d:b9ff:fe43:5398

Ping wird ausgeführt für 2003:85:ae35:59f0:20d:b9ff:fe43:5398 mit 32 Bytes Daten:
Antwort von 2003:85:ae35:59f0:20d:b9ff:fe43:5398: Zeit=5ms
Antwort von 2003:85:ae35:59f0:20d:b9ff:fe43:5398: Zeit=2ms
Antwort von 2003:85:ae35:59f0:20d:b9ff:fe43:5398: Zeit=6ms
Antwort von 2003:85:ae35:59f0:20d:b9ff:fe43:5398: Zeit=6ms

Ping-Statistik für 2003:85:ae35:59f0:20d:b9ff:fe43:5398:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 2ms, Maximum = 6ms, Mittelwert = 4ms

After I restarted the Unbound service manually, IPv6 DNS resolution works as well for the whole day:

Code:
C:\Users\MyUser>nslookup
Standardserver:  firewall.my-net.local
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

> ard.de
Server:  firewall.my-net.local
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

Nicht autorisierende Antwort:
Name:    ard.de
Address:  83.125.35.3

> mdr.de
Server:  firewall.my-net.local
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

Nicht autorisierende Antwort:
Name:    mdr.de
Address:  193.22.36.128

> google.de
Server:  firewall.my-net.local
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

Nicht autorisierende Antwort:
Name:    google.de
Addresses:  2a00:1450:4016:801::2003
          172.217.22.227

>

My Internet connection gets a reset every night at 3:00. So I thought about the new IPv6 prefix, but that is already correct in the Unbound listening address list. Unbound also did a service reset at 5:00 (I don't know why, but it's OK for me).

Does anybody have the same behavior? Or can I create a cron job to restart the Unbound service again?
Thanks for any hints  :)
Title: Re: Unbound IPv6 DNS not always ok
Post by: john9527 on February 26, 2018, 08:18:58 am

Does anybody have the same behavior? Or can I create a cron job to restart the Unbound service again?
Thanks for any hints  :)

Not sure if it's carried over to WIN10, but in previous versions Windows nslookup was broken if the request came in via IPv6 (it would work, as you saw, if you forced it to IPv4). Do you have a Linux box attached to try?
Title: Re: Unbound IPv6 DNS not always ok
Post by: BeNe on February 26, 2018, 11:06:37 pm
Thanks for your answer.

The situation under Linux is the same. I get a timeout if I use the IPv6 address of the OPNsense box under Linux.
After a manual restart of Unbound DNS, DNS resolution for IPv6 works perfectly under Linux and Windows.
BUT I need to restart the service to get it working for IPv6.


So as a quick and dirty workaround:
How can I create a cron job on my own to restart the service?
I can't find an option in the GUI under Cron, specifically for restarting a service or setting a manual command?!

Thanks for your help!
Title: Re: Unbound IPv6 DNS not always ok
Post by: franco on February 27, 2018, 08:30:47 pm
Are you using special interface settings in your Unbound setup as in "Network Interfaces" or "Outgoing Network Interfaces"?


Cheers,
Franco
Title: Re: Unbound IPv6 DNS not always ok
Post by: BeNe on February 27, 2018, 11:30:01 pm
Hi Franco,

yes, but I don't know if it is that special. I use some VLANs here. The OPNsense is the default gateway, DHCP, NTP and DNS server in every network (VLAN). Every network has its own IPv4 /24 range and an IPv6 prefix (tracked from WAN).

Here are my settings (sorry for the big size):

(https://i.imgur.com/NJX89zu.jpg)
(https://imgur.com/dSjXvhQ.jpg)
Title: Re: Unbound IPv6 DNS not always ok
Post by: franco on February 28, 2018, 07:17:25 am
It has been known to cause problems. There is a similar setting under "Advanced" on that page. Try setting both of them to "All" to see if that helps.


Cheers,
Franco
Title: Re: Unbound IPv6 DNS not always ok
Post by: BeNe on March 01, 2018, 11:40:55 am
Thanks for your answer, franco.

I set both "Network Interfaces" and "Outgoing Network Interfaces" to "ALL", but the problem is still the same.
No IPv6 DNS resolution after the night (Telekom reconnection).

As a quick and dirty workaround I would create a cron job to restart the Unbound service. But I can't find an option under Cron, or an option to set a manual command. Can I also set it directly in /etc/crontab?

Title: Re: Unbound IPv6 DNS not always ok
Post by: franco on March 01, 2018, 11:52:24 am
You may be a victim of https://github.com/opnsense/core/commit/4f955e4f7cb but that doesn't apply cleanly as a patch at the moment. It has a fix for IPv6 default routes that seemed to be missing from our code since 2014 due to reworks in the code base while we forked...

For the moment you can use /etc/crontab and reload using "service cron restart". The command to restart unbound (and all of DNS) is:

# pluginctl dns


Cheers,
Franco
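As an added example (not from this thread, nor from the OPNsense project): a cron-driven health check that sends a raw DNS query over UDP/IPv6 to the firewall's LAN address and runs the `pluginctl dns` restart franco mentions only when that query actually times out or comes back broken, instead of restarting unconditionally. Because it speaks the DNS wire format itself, it also sidesteps the Windows nslookup-over-IPv6 quirk john9527 raised. Assumed: python3 at /usr/local/bin/python3 on the box, a script path of /usr/local/bin/check_dns6.py, the crontab line shown in the docstring, and the probe name ard.de and the resolver address taken from BeNe's output above; the response bytes in the test are constructed.

```python
#!/usr/local/bin/python3
"""IPv6 resolver health check for an OPNsense/Unbound box (added example).

Sends one plain DNS query (UDP port 53) to the firewall's IPv6 LAN address and
restarts the DNS stack only when the query fails, logging the reason either way.
Example /etc/crontab line (assumption; adjust path, interval and address):
  */10 * * * * root /usr/local/bin/check_dns6.py 2003:85:ae35:59f0:20d:b9ff:fe43:5398
Reload cron afterwards with: service cron restart
"""
import socket
import struct
import subprocess
import sys
import time

DEFAULT_RESOLVER = "2003:85:ae35:59f0:20d:b9ff:fe43:5398"  # LAN address from the thread
PROBE_NAME = "ard.de"               # name BeNe used in his nslookup tests
TIMEOUT_S = 2.0                     # same 2-second timeout nslookup reported
RESTART_CMD = ["pluginctl", "dns"]  # restart command from franco's post


def build_query(name, qid=0x1234):
    """Build a minimal standard DNS query (RD set) for the A record of `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data, expected_qid):
    """Classify a reply: (True, detail) only for a matching response with RCODE 0
    and at least one answer RR; every other case yields (False, reason)."""
    if len(data) < 12:
        return False, "short packet"
    qid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "not a response (QR bit clear)"
    rcode = flags & 0x000F
    if rcode != 0:
        return False, "rcode %d" % rcode
    if ancount == 0:
        return False, "no answer records"
    return True, "%d answer(s)" % ancount


def probe(resolver, name=PROBE_NAME, timeout=TIMEOUT_S, qid=0x1234):
    """Send one query over UDP/IPv6 to `resolver` and classify the outcome."""
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (resolver, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return False, "timeout after %.0fs" % timeout
        except OSError as exc:
            return False, "socket error: %s" % exc
    return parse_response(data, qid)


def main(argv):
    """Probe the resolver given as argv[1]; restart DNS on failure. Exit 0 if ok."""
    resolver = argv[1] if len(argv) > 1 else DEFAULT_RESOLVER
    ok, detail = probe(resolver)
    stamp = time.strftime("%Y-%m-%d %H:%M:%S")
    if ok:
        print("%s dns6 ok via %s: %s" % (stamp, resolver, detail))
        return 0
    print("%s dns6 FAILED via %s: %s; running %s"
          % (stamp, resolver, detail, " ".join(RESTART_CMD)))
    subprocess.run(RESTART_CMD, check=False)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The probe deliberately checks the transaction id, the QR bit and the RCODE rather than only "did something arrive", so a stale or refused reply after the nightly reconnect counts as a failure; the printed lines end up in the cron mail or log and give a timestamped record of how often the restart was actually needed.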