Messages - Rolfieo

#1
Quote from: dseven on March 11, 2025, 08:57:38 PM
Services > Unbound DNS > Log File ... ?

This is indeed where they are.

Not sure why I missed this yesterday.

Now I hope I can trace why the forwarder stops working, as that is my issue. For some reason it just stops forwarding the DNS requests, without any real error message.

2025-03-12T11:04:57 Informational unbound [58442:1] reply: 172.17.0.20 nu.nl. A IN REFUSED 0.000000 1 23
2025-03-12T11:04:57 Informational unbound [58442:9] reply: 172.17.0.20 mail.google.com. A IN REFUSED 0.000000 1 33p

This is interesting....

Why could they be REFUSED?
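The per-client breakdown a defender would want from Unbound "reply:" lines like the ones above (and the log-file question in the next post), as an added example that is not part of the original posts; the sample lines, client addresses and names are constructed in the same format, and the field order follows Unbound's documented log-replies layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the OPNsense Unbound "reply:" format quoted above. Field order follows
# Unbound's log-replies: client, qname, qtype, qclass, rcode, resolve time, from-cache flag, size.
SAMPLE_LOG = """\
2025-03-12T11:04:57 Informational unbound [58442:1] reply: 172.17.0.20 nu.nl. A IN REFUSED 0.000000 1 23
2025-03-12T11:04:57 Informational unbound [58442:9] reply: 172.17.0.20 mail.google.com. A IN REFUSED 0.000000 1 33
2025-03-12T11:04:58 Informational unbound [58442:2] reply: 192.168.1.10 nu.nl. A IN NOERROR 0.012345 0 56
2025-03-12T11:04:59 Informational unbound [58442:3] reply: 172.17.0.20 example.org. AAAA IN REFUSED 0.000000 1 28
2025-03-12T11:05:00 Informational unbound [58442:4] reply: 192.168.1.10 example.org. AAAA IN SERVFAIL 1.500000 0 28
2025-03-12T11:05:01 Notice unbound [58442:0] some unrelated line that is not a reply
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) \S+ unbound \[\d+:\d+\] reply: (?P<client>\S+) (?P<qname>\S+) "
    r"(?P<qtype>\S+) (?P<qclass>\S+) (?P<rcode>\S+) (?P<secs>[\d.]+) (?P<cached>[01]) (?P<size>\d+)$"
)

def parse_replies(text):
    """Parse only the 'reply:' lines; anything else in the log is skipped."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["secs"] = float(rec["secs"])
            rec["cached"] = rec["cached"] == "1"
            replies.append(rec)
    return replies

def rcodes_by_client(replies):
    """Per-client breakdown of return codes, e.g. {'172.17.0.20': Counter({'REFUSED': 3})}."""
    table = defaultdict(Counter)
    for r in replies:
        table[r["client"]][r["rcode"]] += 1
    return table

def local_refusals(replies):
    """REFUSED answers with a 0s resolve time and the from-cache flag set: Unbound produced the
    answer itself without sending anything upstream, so the forwarder was never asked."""
    return [r for r in replies if r["rcode"] == "REFUSED" and r["secs"] == 0.0 and r["cached"]]

def suspect_clients(replies, min_refused=2):
    """Clients hit by at least min_refused local refusals, most affected first."""
    counts = Counter(r["client"] for r in local_refusals(replies))
    return sorted(((c, n) for c, n in counts.items() if n >= min_refused), key=lambda x: -x[1])
```

Run it over the Unbound log file from Services > Unbound DNS > Log File: a client that only ever receives local REFUSED answers points at access control or the forwarding setup rather than at the upstream server.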

#2
25.1, 25.4 Production Series / Unbound log-queries
March 11, 2025, 08:26:55 PM
I have a question: where can I find the log files?

I have an issue that sometimes unbound stops forwarding DNS requests to a forwarded DNS server based on domain name.
This works, but stops without a clear error message in the unbound log files. After a restart it works directly.

So I need some extra log files to start troubleshooting the issue. But where can I find the log files that I now enable?
#3
Quote from: julsssark on November 09, 2024, 07:52:01 PM
The latest version of Graylog now includes support for OPNsense log parsing. No need to maintain custom code for parsing and best of all it is available in the Open community version: https://go2docs.graylog.org/illuminate-current/what_is_illuminate/graylog_illuminate.html

The only downside I've found is that it is labeled as "pfsense"  :)
Are you sure it's available in the open source version of Graylog? From what I can find, you need the Enterprise version of Graylog for Illuminate.

Requirement(s)
Supported versions include Sense CE edition 2.6 and OPNsense 23.1.
Graylog server with a valid Enterprise license running Graylog 5.0.3+.

#4
It was a restore of about 1 year ago. Not a factory default reset or something like that.

It has the configuration of about 12 months ago.

I could also not find any logs with "factory" in it.

So this was not happening in this case.
#5
I had exactly the same problem. I had not yet upgraded to 22.7.7_1.

I was making some firewall modifications and noticed a change in the rules. I was missing data that definitely was there before.

I also noticed yesterday that my IPTV did not work anymore; why, I did not know yet.

Today I did an upgrade to 22.7.7_1, and my SSL certificates from Let's Encrypt were changed during the upgrade to ones from a year back. After reboot, all my IPSEC configuration was also set back to a long-ago configuration, and my interfaces had a configuration of a year back, as my ISP has changed this year.

So with the upgrade something really went wrong... Luckily I have a daily backup script on my NAS, so I can restore my settings of last week, as I don't trust my configuration anymore.

Something is really wrong, as it looks like multiple users are facing this issue?

#6
Quote from: mimugmail on July 05, 2021, 09:04:23 AM
I'm not sure if I find the time for it. Is there already a feature request in github?

Good one, I have no idea, I have to say.
I just lifted on this topic.

Where can I do / find this? I will raise one if there is none yet.
#7
Quote from: mimugmail on March 22, 2021, 11:07:18 AM
Yes this should be ..

Do you maybe know if this will be part of 21.7 release?
#8
General Discussion / Re: Postfix/rspamd DKIM signing
March 26, 2021, 11:24:42 AM
Quote from: mimugmail on March 22, 2021, 11:07:18 AM
Yes this should be ..
if you want me to test something, just let me know.
#9
General Discussion / Re: Postfix/rspamd DKIM signing
March 21, 2021, 05:59:04 PM
I have done some testing, and got it to work.


rspamadm dkim_keygen -b 2048 -s opndkim -k /tmp/opndkim.key | sudo tee -a  /tmp/opndkim.pub
chown -R rspamd: /tmp/opndkim.*
chmod 440 /tmp/opndkim.*


This generates the DKIM keys in my tmp location.

I changed my configuration file, with a domain selection.


/usr/local/etc/rspamd/local.d/dkim_signing.conf

# Please don't modify this file as your changes might be overwritten with
# the next update.
#

  allow_envfrom_empty = true;
  allow_hdrfrom_mismatch = false;
  allow_hdrfrom_multiple = false;
  allow_username_mismatch = false;
  auth_only = true;
  #path = "/var/lib/rspamd/dkim/$domain.$selector.key";
  selector = "dkim";
  sign_local = true;
  symbol = "DKIM_SIGNED";
  try_fallback = false;
  use_domain = "header";
  use_esld = true;
  use_redis = false;
  # Hash for DKIM keys in Redis
  key_prefix = "DKIM_KEYS";
 
  domain {
    # Domain name is used as key
    mydomain.com {
      # Private key path
      path = "/tmp/opndkim.key";
      # Selector
      selector = "opndkim";
      }
  }


I just needed to add mydomain.com with the selector and the key location.

This worked for me; all the configuration was reset after a restart of the OPNsense rspamd service, the keys are not saved at a correct location, and I did not use the Redis database.

Would this be enough information to configure something from the GUI for this?
If needed I can do some more testing/configuring.
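An added check, not the poster's code or anything from rspamd or OPNsense, that parses the domain block of a dkim_signing.conf shaped like the one above and flags the pitfalls the post runs into: a key left under /tmp (not a persistent location), and a key file whose owner or mode does not match the chown/chmod shown. The config fragment and the domain name are constructed; the mode and owner checks take their inputs as arguments so they can be exercised without real files.

```python
import os
import pwd
import re
import stat

# Constructed fragment in the shape of the posted dkim_signing.conf (hypothetical domain and path).
SAMPLE_CONF = """
  selector = "dkim";
  use_redis = false;
  domain {
    # Domain name is used as key
    mydomain.com {
      path = "/tmp/opndkim.key";
      selector = "opndkim";
    }
  }
"""

ENTRY_RE = re.compile(r"^\s*([A-Za-z0-9.-]+)\s*\{(.*?)\}", re.M | re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^";]+)"?\s*;', re.M)

def parse_dkim_domains(conf):
    """Return {domain: {"path": ..., "selector": ...}} taken from the domain { ... } block."""
    block = re.search(r"domain\s*\{(.*)\}", conf, re.S)
    if not block:
        return {}
    return {d: dict(KV_RE.findall(body)) for d, body in ENTRY_RE.findall(block.group(1))}

def audit_entry(domain, entry, mode, owner):
    """Findings for one domain entry; mode (as from stat.S_IMODE) and owner name are passed in."""
    findings = []
    path = entry.get("path", "")
    if not path or not entry.get("selector"):
        findings.append(f"{domain}: missing path or selector")
    if path.startswith("/tmp/"):
        findings.append(f"{domain}: key under /tmp is not a persistent location")
    if mode & (stat.S_IRWXO | stat.S_IWGRP | stat.S_IXGRP):
        findings.append(f"{domain}: key mode {oct(mode)} too open, expected 0440")
    if owner != "rspamd":
        findings.append(f"{domain}: key owned by {owner}, expected rspamd")
    return findings

def audit_file(domain, entry):
    """Stat the real key file and audit it; a missing file is reported as its own finding."""
    try:
        st = os.stat(entry.get("path", ""))
    except OSError:
        return [f"{domain}: private key file not found"]
    return audit_entry(domain, entry, stat.S_IMODE(st.st_mode), pwd.getpwuid(st.st_uid).pw_name)
```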

#10
General Discussion / Re: Postfix/rspamd DKIM signing
March 02, 2021, 06:01:10 PM
I'm also really interested in this feature. Is there maybe an update on this feature?

My current ISP relay host detects my scanner email as spam, which I can't solve.

I was just looking for a solution and was ready to set up the relay on OPNsense, as this would perfectly fit my solution. Even better than my ISP setup, as I have everything under my own control.

But... no DKIM would be a no go.
#11
You could try to create a routed IPSEC tunnel. I think this solved the issue.

Another solution is to create a static route for the IP range and set the gateway to the LAN interface (or another one).


#12
Virtual private networks / IPSEC Lost DNS
November 09, 2020, 10:49:24 AM
I have 3 OPNsense firewalls with IPSEC tunnels between them.

One of my locations has some DNS issues.

Nov  5 21:32:44 OPNsense.DenHaag.xxxx.local charon[23490]: 45[LIB] resolving 'ipsec.xxxx.info' failed: Name does not resolve
Nov  5 21:32:45 OPNsense.DenHaag.xxxx.local charon[23490]: 46[LIB] resolving 'ziggo.xxxx.nl' failed: Name does not resolve


The IPSEC VPN goes down after this, but I can't trace the issue, why this is happening.
A restart of the IPSEC service solved the issue. The IPSEC VPN tunnels are established within seconds after that restart.
DNS is working for all the clients, so it's not a direct resolve issue.

As it looks like a DNS issue, I have double-checked my DNS configuration:
System/Settings/General:
DNS Servers: 8.8.8.8, 8.8.4.4 Use Gateway: none
DNS server options:
Allow DNS server list to be overridden by DHCP/PPP on WAN: Not Selected.
Do not use the local DNS service as a nameserver for this system: Not Selected

Services/Unbound DNS:
General: 
Network Interfaces: LAN
DNS Query Forwarding: Enable Forwarding Mode
Local Zone Type: Transparent


I just did a search in the system.log of that time.


Nov  5 22:38:30 OPNsense.DenHaag.xxxx.local /update_tables.py[85636]: unable to resolve xxx.filemakerconsulting.com for alias Block_FileMakerPro
Nov  5 22:39:00 OPNsense.DenHaag.xxxx.local /update_tables.py[85636]: unable to resolve filemakerconsulting.com for alias Block_FileMakerPro


So it looks like there are more issues with DNS.
I can see in my smokeping that there was high latency with packet drops on the WAN. So that explains some issues with the DNS resolving.
But when that was over, the system messages were also gone.

But when the DNS worked fine again, it looks like IPSEC did not notice it and needed a restart of the service. But how could I prevent this?