Messages

screen shot 3.  i would turn off DNS within dnsmasq. change listen port to 0.      you also do not need dnssec enabled if using quad 9

i use unbound and it works 100% reliable.

i setup dns over tls for quad 9 or similar products though. 

Important caveat: You will NOT get name resolution for local DHCP clients if the dnsmasq DNS server is turned off, as Unbound will not read the dnsmasq DHCP client list automatically.

I am using dnsmasq for local resolution and Unbound is for resolving on the Internet.

I do get a boost from CDNs but I am not sure the juice is worth the squeeze. With that said I am now setup for DoT only and DNSSEC is turned off on both dnsmasq and Unbound.

OK so I turned off DNSSEC on both dnsmasq and Unbound. I configured gthe DoT stuff in Unbound and tested successfully from the OPNsense CLI.

Thank you!

If you use DoT do you just configure the nameservers in that Unbound section and you are good to go? For example the Quad9 DNSSEC IPs?

So this brings up an interesting question. If unbound is by nature recursive do I need to forward to another nameserver on the Internet? Is that just an extra step that gets me nothing but log entries of my activity?

Hello all,

I made the move to DNSmasq for local DNS and DHCP services, with Unbound as my authoritative server that looks at Quad9 on the Internet. Attached is my Dnsmasq config and Unbound config. Am I missing anything in the configs? Lastly I am using the DNSSEC services from Quad9. When I try to hit their URL for this I get back an unable to parse request message. Does this mean I do not have DNSSEC configured correctly?

Thanks,
Steve

Boo hoo! Thanks for the quick reply.

So I just have to change the TTL?

I set the TTL to 86400 but never had this issue with ISC. With ISC I could delete the lease but I do not see that option in dnsmasq.

Morning all,

I am using dnsmasq as my default DHCP server. I have two DHCP entries that do not seem to want to clear from my leases. Attached is the screenshot. You will see 192.168.1.68 and 192.168.1.78. Both VMs do not exist but I cannot seem to clear them. How can I fix this?

Thanks,
Steve

Hello all,

I am using Quad9's Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled DNS service. How do I configure Unbound to handle this? Do I need to worry about dnsmasq DNS services also?

Thanks,
Steve

It's ALIVE!!!

I am live on the new firewall, with the new vlan structure. I am still working out a few wireless vlan kinks but nothing too onerous. Speaking of wireless I went to begin building my new Unifi VM. I had a problem getting IP from my dnsmasq DHCP server but figured out that since I turned off VLAN 1 I had to reset default to VLAN 2, including normal PVIDs. All good!

Id like to think I am good...but sometimes you just gotta walk away from the problem and then come back to it later...which is what I did. I found that the Linux vlan for the Proxmox GUI IP was incorrect in my brave new vlan world. Modified it, rebooted, and yes the GUI is available. At this point its time to deploy the new firewall. If I can do this tomorrow morning I will try to get to it. I will need to reboot all devices using vlan 1, which is not many.

Ok so I was not able to get to the Proxmox GUI. Going to reboot and see if that helps.

And away we go!

Got a connection to the GUI. DHCP gave me an IP, so I know that is working.

Right now I use vlan 1 as my mgmt vlan. In this new build I am moving it to vlan 2 and vlan 1 will no longer be used.

Now to see if I can get to the Proxmox GUI on vlan 3.

OMG...really Franco? Its there in 25.7.8? Firing up a test unit!