Messages - Nnyan

#16
Zenarmor (Sensei) / Re: os-sensei-db (missing)
April 14, 2021, 03:43:46 AM
Came looking for something on this and here it is! Thank you for the information; I have sensei-db removed now.
#17
General Discussion / Re: Slow initial DNS lookup
April 11, 2021, 07:09:05 AM
Well, I feel a bit silly. Long story short, I have a Unifi USW-24 switch that isn't playing nice with OPNsense (not sure why yet) and a laptop (that I used to try to pinpoint the source of the issue) with Docker Windows and Chocolatey that was messing up 127.0.0.1 on that laptop. Once I swapped out the unit for a Brocade ICX7250, the DNS issue on all my devices (except my test laptop) went away. The issue with that one went away after I uninstalled Docker.

So I'm back to having a kick-ass OPNsense deployment on my box. Sorry, all, for the false alarm.
#18
General Discussion / Re: Slow initial DNS lookup
April 09, 2021, 08:01:12 PM
Ok, I found how to stop using 127.0.0.1 in "DNS server options", but that still hasn't fixed the issue.
#19
General Discussion / Re: Slow initial DNS lookup
April 09, 2021, 07:52:32 PM
I noticed in Interfaces > Diagnostics > DNS Lookup that 127.0.0.1 was listed (along with other DNS services) and this was taking around 2.5x longer in response time the first time I tested any specific website. If I did the same website a second time (+), that went down to zero msec (the others were in the teens).

Do I need to use 127.0.0.1 if I'm using unbound with TLS? If not, how do I remove this?
#20
I wasn't aware that a pfSense backup would work for OPNsense since, while they share a history, they are quite different beasts.

#21
General Discussion / Slow initial DNS lookup
April 09, 2021, 07:29:47 PM
Hello all,

I've noticed a problem whenever anyone goes to a website for the first time. It's fairly slow opening a webpage for the first time (browsers sit on "resolving host" for 10-20 secs or so). I am currently using unbound with TLS going to Cloudflare. Any guidance on this issue would be appreciated!

Thank you
#22
General Discussion / Re: Dynamic DNS and TLS
April 09, 2021, 07:18:07 PM
Not sure what happened, but I did a reboot for another unrelated reason, and when I got back to this it was working.
#23
I ended up going back to just plain Cloudflare DNS IPs. The CF team's DNS added extra lag to all my computers (mostly during the "resolving host" phase, which normally goes really fast, but also "connecting" and "waiting for cache"). As soon as I switched back, everyone's browsing was back to normal.
#24
Awesome! Thank you. I had tried it with just the xxxx's and that did not play well. =) I now see the requests in the Teams logs.

#25
General Discussion / Re: Dynamic DNS and TLS
April 06, 2021, 05:58:15 PM
Thank you for the info! Is there any way of knowing (getting a notice) when the gateway falls back to unsecured DNS?
#26
Great post. I had used the same guide, not knowing it wasn't the best.

Cadish, your example has a bunch of XXXX in it; is that the default, or are we supposed to plug in some type of information there?

Thank you all!
#27
General Discussion / Dynamic DNS and TLS
April 06, 2021, 08:36:46 AM
Hello,

I have my DNS TLS working as per: https://sahlitech.com/opnsense-setup-unbound-dns/

Those instructions (and other places) tell you NOT to put in DNS in the System > Settings > General area. BUT when I attempt to set up my DDNS I see this:

You must configure a DNS server in System: General setup or allow the DNS server list to be overridden by DHCP/PPP on WAN for dynamic DNS updates to work.

Looks like my option is to enable "allow DNS server list to be overridden...", but I'm not exactly sure what this does/how it works/how it will impact the DoT setup. Do I need to exclude an interface?
#28
Fair enough, I didn't understand how it was enabling DoT (I'll go over the instructions again). Is that the best/proper way to enable DoT, or is there a better way? I had done the DNSCrypt guide (https://forum.opnsense.org/index.php?topic=10670.0) but that did not work (as far as my ISP goes), and it ended up breaking a number of my kids' streaming services (could not connect to Hulu, etc.; streaming devices kept giving notice that the internet was down every few mins even though it wasn't).

Anyway, I appreciate your time and assistance!
#29
The DNS IPs were really just for example. I do have a DNS running on a VPS, but that doesn't help me b/c I'm in the same pickle since AT&T will hijack the DNS no matter where I'm sending it.

I have been going through a number of guides and after 5-6 tries I found this one:

https://sahlitech.com/opnsense-setup-unbound-dns/

I followed that and, I have no clue why, but now I'm able to use the DNS of my choice and my ISP is not hijacking it! I get the correct reply to made-up domains. I'm curious (just for my edification) why this method of setting up unbound worked where just selecting my own DNS in the settings did not.
#30
I should have been a bit more specific. I'm aware that OPNsense can define the DNS you would like to use. I have done it from System > Settings > General > Networking > DNS Servers (ex: 1.1.1.1 and 1.0.0.1) and from Services > DHCPv4 > LAN > DNS Servers (just in case it worked here).

As Greelan stated, if I just use the default settings (as above) my ISP will redirect all DNS to their own. I have always checked this by a simple nslookup or dig to a made-up TLD (ex: nslookup ijustmadethisup.tld). If my preferred DNS (1.1.1.1, 8.8.8.8, 9.9.9.9, whatever) was actually being used then I would get a non-existent domain error. But when my ISP hijacks/redirects DNS I actually get a non-authoritative answer with an ISP IP addy.
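The made-up-domain hijack check from the post above, written up as a small script. This is an added example and not part of the thread: it parses `dig` output and reports "clean" when the resolver returns NXDOMAIN, "hijacked" when it fabricates an A record for a name that cannot exist, and "unknown" for anything else (e.g. SERVFAIL). The sample outputs are constructed and abridged, and the `.invalid` TLD is used because it is reserved and can never resolve legitimately.

```shell
#!/bin/sh
# Added example (not from the forum thread). Classify a resolver's answer for a
# name that cannot exist. Honest resolver: status NXDOMAIN. ISP redirector:
# status NOERROR plus an A record pointing at the ISP's own server.

# classify_dig_output: read dig output on stdin; print clean | hijacked | unknown
classify_dig_output() {
    out=$(cat)
    # The ->>HEADER<<- line carries "status: NXDOMAIN", "status: NOERROR", ...
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    case "$status" in
        NXDOMAIN) echo clean ;;
        NOERROR)
            # Any non-comment line with an A record is an answer the resolver made up,
            # since the queried name cannot legitimately exist.
            if printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+A[[:space:]]'; then
                echo hijacked
            else
                echo unknown
            fi ;;
        *) echo unknown ;;
    esac
}

# check_resolver RESOLVER_IP: live probe through a given resolver (needs network and dig).
# A fresh random label defeats any cached answer; .invalid is reserved (RFC 2606).
check_resolver() {
    name="probe-$(date +%s)-$$.invalid"
    dig @"$1" "$name" A +time=3 +tries=1 | classify_dig_output
}

# Constructed, abridged dig output for an honest resolver (not captured from a real network)
SAMPLE_CLEAN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;ijustmadethisup.invalid.	IN	A'

# Constructed, abridged dig output for a redirecting resolver (198.51.100.7 is a documentation address)
SAMPLE_HIJACKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ijustmadethisup.invalid.	IN	A

;; ANSWER SECTION:
ijustmadethisup.invalid.	60	IN	A	198.51.100.7'
```

Run `check_resolver 1.1.1.1` and `check_resolver <your-gateway-ip>` from a LAN host; if the upstream reports clean while the gateway path reports hijacked, the redirect is happening between the gateway and the upstream.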