Messages - p1n0ck10

#1
Quote from: chain on March 02, 2020, 04:10:15 AM
How do I redirect all traffic to forward it to Unbound DNS/DNSCrypt? Currently I have a rule that says

Interface LAN
Protocol TCP/UDP
Source LAN Net
Destination ANY
Destination port range DNS.

Or is it related to the article that you have posted, so that it would work with HOWTO - Redirect all DNS Requests to Opnsense in conjunction with your current article?
thanks

It is well explained in the HOWTO - Redirect all DNS Requests to Opnsense. It is only a recommendation and they are not dependent on each other. It should be a NAT rule ("Firewall/NAT/Port Forward") with destination "invert" + "Local Firewall Address"; that means if your clients do not use the local firewall address for unencrypted DNS (port 53), it redirects the request to OPNsense. If some clients in your network use encrypted DNS, it would not apply.

I think you have a normal rule, which is not correct...

#2
General Discussion / Re: IPv6 Gateway - dpinger down
February 03, 2020, 07:27:27 PM
Have you tried to change the interval? And not set the same IP for different gateways? I found these articles in the forum:
https://forum.opnsense.org/index.php?topic=11430.0
https://forum.opnsense.org/index.php?topic=11448.0
#3
General Discussion / Re: IPv6 Gateway - dpinger down
February 01, 2020, 05:40:09 PM
- Now I deleted both gateways
- Configured on the IPv6 gateway: uncheck "disable gateway monitoring", set an IPv6 monitor IP, set upstream gateway and set the priority to 1
- Configured on the IPv4 gateway: uncheck "disable gateway monitoring", set an IPv4 monitor IP, set upstream gateway and set the priority to 2
- Apply settings
- Reboot, and it works again

I tested this with 2 reboots in half an hour. I don't know if this works for you too?
#4
General Discussion / Re: IPv6 Gateway - dpinger down
February 01, 2020, 05:18:40 PM
I have the same issues. Since they changed the gateway monitor to dpinger I have these problems only with the IPv6 gateway.

I tried to configure the priority of both gateways to different values. The standard priority is 254 on both, and I used 1 for the IPv6 gateway and 2 for the IPv4 gateway. On OPNsense 19.7.10 it runs well across reboots, but now I upgraded to 20.1 and I have the same issues again.
#5
Quote from: Nekromantik on January 26, 2020, 07:01:11 PM
Does this replace using Stubby?

Stubby uses DoT, and dnscrypt-proxy uses DNSCrypt or DoH and optionally DNSBL. Difficult to say which is better; it depends on the private/business use case. I think DoH for client <-> resolver requests and DoT for server <-> resolver requests. DNSCrypt seems not so popular but has more privacy features. You can't use both for the same ports, only with different ones, and then you must handle the requests from the clients. I like the option in dnscrypt-proxy to use your own server list of trusted servers, and it always uses the fastest. DoH seems to be the fastest way because existing technologies and knowledge for HTTPS requests can be used for this: load balancers, HAProxies, unblocked ports...
With a cron job on OPNsense you can restart the dnscrypt-proxy service every 15 or 30 minutes and it uses the fastest server again. For me a good combination. All can be configured over the GUI; not necessary to install packages over the CLI.
If you use the firewall only for yourself and you are the only admin, it's OK to configure the firewall with custom configurations if you know what you do.
If you use the firewall for customers/other admins, or people not familiar with deep firewall knowledge, it's difficult to handle custom options and manual installations of packages: stability, troubleshooting, some configs over the GUI, some over the CLI... not really supported and so on...

but this is only my experience ;-)
#6
Quote
karlson2k:
This will work if you have host override. But any single domain override will break it.

On the other hand, even if you don't have any overrides, the line "server:" will not harm anything.

So the safe and future-proof solution is to add "server:". In this case the configuration will not break after future changes, which can include domain overrides.

That's correct. I have only 1 host override. I will add this to the tutorial. Thank you for the explanations.

Quote
karlson2k:
Yes, it must be set to "All". Otherwise the configuration will not work.
It is worth mentioning it in your "HOWTO".
I spent some time before I figured out why my configuration didn't work at all.

That's already in the tutorial ;-)
#7
Quote from: cake on January 17, 2020, 10:06:46 PM
The GeoIP with aliases addition to OPNsense came at a good time. According to ipleak.net mine was using a dnscrypt server in China. Seems like a bad idea. I had no idea dnscrypt-proxy servers in CN were added to the official list.

That's why you can use your trusted and favorite servers in the "Server List" ;-)

#8
Thanks for the additional information. I had no problems over 1 year with this config, and OPNsense also has this in its official documentation, see:
https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html?

Quote
Domain overrides change the section from "server:" to "forward-zone:".
To fix the error in the configuration, you need to add the "server:" line before "do-not-query-localhost: no".
I have 1 override in Unbound and all works fine. But people who have problems can try to write "server:" at the beginning of "custom options". This already exists in unbound.conf.

Quote
Also, if you are not worried about a few leaked DNS requests, you can use the option "forward-first: yes", so if DNSCrypt-Proxy has failed (or not started yet), Unbound will fall back to normal resolving. This gives you a much more stable but a bit less private configuration.
If DNSCrypt does not start, I want to know that. For me it is not an option that Unbound uses a fallback resolver or forwards DNS queries to the system's DNS. Maybe you don't know that encrypted DNS fails over weeks. DNSCrypt has a fallback resolver.

Quote
Also make sure that you did not set any specific "Outgoing Network Interfaces" otherwise Unbound will fail to connect to loopback addresses.
In the past I chose "localhost" as the Outgoing Network Interface because I had the assurance that traffic goes to DNSCrypt, but this was removed in OPNsense 19. Now you must choose "All".

Kind Regards
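An added check, not from this thread or the OPNsense project, for the "server:" problem quoted in #6 and #8 above: it parses a constructed unbound.conf laid out the way OPNsense assembles it (custom options appended after the generated clauses), flags server-only options that landed inside a forward-zone clause once a domain override exists, and shows that prepending "server:" to the custom options fixes it. The option list and the dnscrypt-proxy listen address 127.0.0.1@5353 are assumptions.

```python
"""Added example: why Unbound custom options on OPNsense need a leading 'server:'.
OPNsense appends the custom block after the generated config, so once a domain
override has added a 'forward-zone:' clause, server-level options in that block
land inside the forward-zone and Unbound rejects the config."""
import re

# Options only valid inside 'server:' (small constructed subset).
SERVER_ONLY = {"do-not-query-localhost", "qname-minimisation", "private-address"}

def parse_entries(conf):
    """Return (clause, key, value) for each option line of unbound.conf text;
    an unindented 'name:' line opens a new clause (server:, forward-zone:, ...)."""
    clause, entries = None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^([a-z-]+):\s*$", line)
        if header:
            clause = header.group(1)
            continue
        key, _, value = line.strip().partition(":")
        entries.append((clause, key.strip(), value.strip()))
    return entries

def misplaced_options(conf):
    """Server-only options that ended up outside the server: clause."""
    return [(clause, key) for clause, key, _ in parse_entries(conf)
            if key in SERVER_ONLY and clause != "server"]

def fix_custom_options(custom):
    """Prepend an explicit 'server:' header when the custom block lacks one."""
    if re.search(r"^server:\s*$", custom, re.M):
        return custom
    return "server:\n" + custom

# Constructed generated config with one domain override (a forward-zone: clause).
GENERATED = """\
server:
    interface: 0.0.0.0
forward-zone:
    name: "postbank.de"
    forward-addr: 9.9.9.9
"""
# Constructed custom options as pasted in the GUI; 127.0.0.1@5353 is an assumed
# dnscrypt-proxy listen address.
CUSTOM = 'do-not-query-localhost: no\nforward-zone:\n    name: "."\n    forward-addr: 127.0.0.1@5353\n'

print(misplaced_options(GENERATED + CUSTOM))                      # [('forward-zone', 'do-not-query-localhost')]
print(misplaced_options(GENERATED + fix_custom_options(CUSTOM)))  # []
```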
#9
I have updated the Tutorial...

Happy New Year to All  ;) 8)
#10
Quote from: Lucane on March 26, 2019, 10:17:29 AM
On my instance, Localhost is not offered at all as the Unbound outgoing interface...
But if I specify all interfaces as outgoing, the forwarding from Unbound to DNSCrypt-Proxy works as described above. In my opinion, though, simply using All is an unclean workaround.

Do I have to configure something else somewhere to get the Localhost option?

It was removed with version 19...
#11
Quote from: mimugmail on July 02, 2019, 09:57:50 PM
Sorry, can't follow. What exactly do you want to achieve.

If you use Cloudflare in the Server List you can't access the domains postbank.com and postbank.de. My idea was to redirect the DNS query to another server (for example Quad9). If I use this on Unbound DNS it works. If I configure this in the DNSCrypt-Proxy under Forwarders it doesn't work.
#12
@mimugmail:
I have tried to configure the exceptions under Services/DNSCrypt-Proxy/Configuration/Forwarders,
but it doesn't work. In my opinion this would be the right place? Have you any ideas?

#13
You could use 2 different DNS resolvers, e.g. Unbound and BIND or Dnsmasq. You can use them only for the specific interfaces where the corresponding VLANs are...
#14
I have updated the tutorial...

The difference between Cloudflare and Quad9 is that Cloudflare uses QNAME minimisation and Quad9 does not, and Quad9 is slower. Results on https://cmdns.dev.dns-oarc.net/

Cloudflare:
(see Attachment: Cloudflare_DNS-Results.png)
https://forum.opnsense.org/index.php?action=dlattach;topic=10670.0;attach=7441;image

Quad9:
(see Attachment: Quad9_DNS-Results.png)
https://forum.opnsense.org/index.php?action=dlattach;topic=10670.0;attach=7443;image
#15
Quote from: DoomSalamander on June 30, 2019, 01:53:49 PM
Thank you very much! It seems to work flawlessly. You should add that to your tutorial and mention that some sites may have broken DNSSEC support and you can add them that way as an exception.

This problem seems to occur only with Cloudflare, but it's caused by Postbank.
Another option is to use the Quad9 DNS servers in the Server List of the DNSCrypt-Proxy plugin on OPNsense:

quad9-dnscrypt-ip6-filter-pri
quad9-dnscrypt-ip4-filter-pri

Then you don't have to add exceptions to the custom config in Unbound DNS. But Quad9 seems to be slower.

Kind Regards