Messages - opnnewbie

#1
Quote from: axsdenied on June 27, 2022, 04:57:48 PM
Just as a point of clarification, define what you mean by "internal DNS queries".  i.e. internal domains that only resolve locally? Or do you mean how to point all devices to unbound instead of external DNS? Or something else? :)

Internet <- (WAN)[opnSense](LAN) <- [internal-router] <- [switch] <- [server-running-BIND-resolving-from-opnSense-unbound] + workstations all resolving from BIND (ie: nothing resolves directly from opnSense unbound)

Works flawlessly; the only use case not working: opnSense internal lookups (e.g. updates), which are not using/detecting the running unbound; they go looking up the DNS servers in the general settings.

#2
Quote from: axsdenied on June 26, 2022, 08:40:20 PM
For now, try manually selecting a different mirror from the Firmware settings page?

OK. I finally found the issue: the updater/installer is querying the System / Settings / General / DNS servers (which in my case are all blank) since I am using unbound with DNS over TLS and so the servers are specified in their own section within the service settings. That's why doing host ibm.com etc. (within the opnSense shell) never showed up on the DNS log.

For starters I set one of those general DNS servers to 1.1.1.1 and managed to update to 22.1.9 as usual, same mirror, no problems at all.

Since I implemented DNS over TLS a couple of months ago I never managed to update opnSense again, but it never occurred to me that that was the issue to begin with, my fault ... sorry guys!

Now, the specific question is, how do I manage to direct internal DNS queries to unbound instead of some of these general servers, which I want to leave set to none since all my show is with unbound DNS over TLS?

#3
Quote from: axsdenied on June 26, 2022, 08:40:20 PM
For now, try manually selecting a different mirror from the Firmware settings page?

Thanks for your reply.

Already did it: same issue with every other one.

I think the problem is within the unbound config for the opnsense box: I enabled log queries for unbound and I can see every query being requested by BIND on my server. But, if within the opnsense box I do: host whatever.com etc., there is nothing logged, so there is a problem with:

a) restricting unbound to answer queries within

System / Settings / General / DNS server options:  Do not use the local DNS service as a nameserver for this system ... is DISABLED; OK, not this one

b) allowed interface

Services / Unbound DNS / General / Network Interfaces: LAN only ... OK

c) some unbound access list

Access List Name    Action    Network
Internal            Allow     127.0.0.1/8
Internal            Allow     ::1/64
Internal            Allow     #.#.#.1/29 ... my (sanitized) LAN address

aclDNS (the only ACL present):
action allow
networks
#.#.#.# CIDR 0 (my (sanitized) LAN address), the already-NATed intranet DNS server; i.e. all BIND queries are NATed to this host only by another router on the LAN ... working as expected because I can surf the web etc.
127.0.0.1 CIDR 8 ... just added this one in case the internal one is being overridden by this ACL ... to no avail; same behavior

Question: if within the opnSense shell I do host ibm.com ... from which address should this query be coming to unbound? I presume 127.0.0.1, am I right?

My /etc/resolv.conf (in opnSense of course) is set to 127.0.0.1

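The post above asks from which address a `host` run on the firewall reaches unbound and whether the access lists let it through. What follows is an added example, not code from the thread or from OPNsense: it replays constructed unbound query-log lines (the one-line-per-query format written by `log-queries: yes`) against an access list shaped like the one quoted above and applies unbound's own rule for access-control entries, namely that the most specific matching netblock decides and a client matching nothing is refused. The netblocks 10.0.0.0/29 and 10.0.0.2 and the log lines are assumptions standing in for the sanitized addresses.

```python
"""Replay unbound query-log lines against an access list.

Added example for the thread above; not code from OPNsense or from the
poster.  Addresses and log lines are constructed for illustration.
"""
import ipaddress
import re

# unbound with `log-queries: yes` logs one line per query as
#   [epoch] unbound[pid:tid] info: <client ip> <qname> <qtype> <qclass>
QUERY_RE = re.compile(
    r"info:\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)\s*$"
)

# Constructed sample log (not captured from a real firewall).
SAMPLE_LOG = """\
[1656345600] unbound[23456:0] info: 10.0.0.2 ibm.com. A IN
[1656345601] unbound[23456:0] info: 10.0.0.2 opnsense.org. AAAA IN
[1656345602] unbound[23456:0] info: 127.0.0.1 mirror.sfo12.us.leaseweb.net. A IN
[1656345603] unbound[23456:0] info: 10.0.0.5 example.com. A IN
[1656345604] unbound[23456:0] info: 192.168.50.7 example.net. A IN
"""

# The automatic "Internal" entries from the post, with 10.0.0.0/29 standing
# in for the sanitized LAN netblock (an assumption).
INTERNAL_ACL = [
    ("127.0.0.1/8", "allow"),
    ("::1/64", "allow"),
    ("10.0.0.0/29", "allow"),
]
# The hand-added aclDNS entry: one host written with prefix length 0.
ACLDNS = [("10.0.0.2/0", "allow")]


def parse_queries(log_text):
    """Return (client, qname, qtype) for every query line in the log."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group("client"), m.group("qname"), m.group("qtype")))
    return out


def acl_decision(client, acl):
    """Emulate unbound's access-control lookup.

    The most specific (longest prefix) matching netblock wins; a client that
    matches nothing is refused.  `acl` is a list of (netblock, action).
    """
    ip = ipaddress.ip_address(client)
    best_net, best_action = None, "refuse"
    for net_str, action in acl:
        # strict=False turns "127.0.0.1/8" into 127.0.0.0/8 and "10.0.0.2/0"
        # into 0.0.0.0/0, which is how a /0 entry ends up matching everyone.
        net = ipaddress.ip_network(net_str, strict=False)
        if ip.version != net.version or ip not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_action = net, action
    return best_action


def summarize(log_text, acl):
    """Per client address: query count and the ACL action that applies."""
    summary = {}
    for client, _qname, _qtype in parse_queries(log_text):
        entry = summary.setdefault(
            client, {"queries": 0, "action": acl_decision(client, acl)}
        )
        entry["queries"] += 1
    return summary


if __name__ == "__main__":
    for label, acl in (("Internal only", INTERNAL_ACL),
                       ("Internal + aclDNS", INTERNAL_ACL + ACLDNS)):
        print(label)
        for client, info in summarize(SAMPLE_LOG, acl).items():
            print(f"  {client:<15} {info['queries']} queries -> {info['action']}")
```

Two things the run makes visible. A lookup issued on the firewall with `nameserver 127.0.0.1` in resolv.conf arrives from 127.0.0.1 and is covered by the automatic 127.0.0.1/8 entry, but only if unbound is also bound to the loopback interface, not LAN alone. And an entry written with prefix length 0, as aclDNS is above, matches every address, so rather than restricting service to one host it becomes the fallback for any client that can reach the listener.
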
#4
I have been using opnSense since last December and I updated/upgraded it a couple of times without any issues; however, since 22.1.3, I am not able to update/upgrade it anymore, and I've been trying for a month or so:

Enter an option: 12

Fetching change log information, please wait... fetch: transfer timed out

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Updating OPNsense repository catalogue...
pkg-static: http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/22.1/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg-static: http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/22.1/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Error updating repositories!
Starting web GUI...done.
Generating RRD graphs...done.


No matter what, I always get "fetch: transfer timed out", either from the GUI or the console, and it takes many minutes for opnSense to report the "failed update". My connection is not the best, I admit, but while opnSense is running the update process I can access from my browser all the resources opnSense cannot; e.g.:

https://www.opnsense.org
http://mirror.sfo12.us.leaseweb.net/opnsense/
https://mirror.sfo12.us.leaseweb.net/opnsense/

... etc. My browser is on a workstation behind opnSense, like my server, which is running BIND resolving from opnSense unbound. Although I often have time-outs due to a not-so-good connection I can work every day with it; moreover, today I just updated arch-linux and manjaro systems behind opnSense using the same BIND-from-unbound setup that I have been running for almost half a year, and I have no problems at all. But I cannot manage to update opnSense from 22.1.3 to 22.1.9 or newer.

And I cannot understand why, if opnSense gets DNS time-outs, it takes so long to complain, or, if it gets a time-out for the change-log information at the beginning, why it still insists on proceeding with the update sequence. It seems to me that if the change-log cannot be retrieved, due to a time-out or whatever else, and if the change-log is a mandatory requirement for the update sequence, why is it not aborted/interrupted after n time-out seconds? 60 seconds should be enough to inform the user the update cannot proceed for whatever reason; 5-10 minutes ... is totally out of the question. It is a simple check.

Question:

Is there a way to update opnSense from the CLI from a downloaded opnSense image ?

Can I manually download the packages from the mirror and place them in the opnSense package cache? (I suppose /var/cache/whatever) ... will opnSense use them or will it insist on downloading them?

#5
First and foremost: I am posting here because I didn't find a more suitable forum section.

OK, the first time I log in via https://forum.opnsense.org/index.php?action=login

But, after a while, when I was automatically logged out after n seconds (60 is the default) and I attempt to log in once again, I get the URL with the previous/current session ID; e.g.: https://forum.opnsense.org/index.php?PHPSESSID=t2hlaskhlfu54aq3dbq40ijso8&action=login

After entering my credentials once again I was redirected to where I was the last time but I am not logged-in. The menu shows the Login option instead of the Logout and obviously, I cannot post/reply etc.

If I select login in the menu once again I get the same URL with the session ID value attached.

If I manually remove the session ID; e.g.: https://forum.opnsense.org/index.php?action=login

... the login is successful.

Not a great deal, but exasperating when you attempt to use the forum for a successive batch of post/replies.

Yes. I know. I can bookmark https://forum.opnsense.org/index.php?action=login in my favorites and done.

But I think it should not be the case.

#6
22.1 Legacy Series / Re: OPNSENSE NTP Server
March 26, 2022, 06:43:43 PM
Quote from: lilsense on March 26, 2022, 04:37:09 PM
have you tried using Chrony plugin? it's a much better NTP, imho.

I didn't know it ever existed.
I just did read the whole FAQ @ https://chrony.tuxfamily.org/faq.html
Pretty interesting overall: in particular the many common scenarios/situations that we often have at present vs the one considered when the original NTP implementation was coded.

Will try it; sure.

Thanks for pointing that out :)

#7
22.1 Legacy Series / Re: OPNSENSE NTP Server
March 26, 2022, 04:28:09 PM
Quote from: chemlud on March 26, 2022, 10:25:28 AM
Do you have a FW rule allowing access to LANaddress (or alike) on port 123 UDP?

Probably not and probably he has a point.
I was about to reply to this post stating that here it works as expected, since last week I configured it and checked it many times over, but when I went to the NTP status page today to copy my status into this post I found:

Services: Network Time: Status
Network Time Protocol Status
Status    Server    Ref ID    Stratum    Type    When    Poll    Reach    Delay    Offset    Jitter
No peers found, is the ntp service running?

A couple of days ago I updated to 22.1.3 from 22.1.1 (or 22.1.2; I don't remember correctly since I updated a couple of times).

Needless to say I do not have any firewall rule added for NTP going outside and, of course, I have network connectivity since I am replying to this post through opnSense.

#8
Palemoon 29.4.4 linux 64 + OpenSSL 1.1.1m against opnSense 22.1.3 + OpenSSL 1.1.1m here.

<ssl-ciphers>AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256</ssl-ciphers>

It connects with AES256-GCM-SHA384.

<ssl-ciphers>TLS_CHACHA20_POLY1305_SHA256</ssl-ciphers>

I cannot manage to connect with TLS_CHACHA20_POLY1305_SHA256 so I can get rid of AES256-GCM-SHA384.
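
The two `<ssl-ciphers>` strings above mix two kinds of names: AES256-GCM-SHA384 is an OpenSSL cipher name for TLS 1.2 and earlier, while TLS_CHACHA20_POLY1305_SHA256 is a TLS 1.3 suite name. OpenSSL 1.1.1, which both sides run here, keeps those in separate settings: the cipher list (SSL_CTX_set_cipher_list, exposed by Python's ssl module as set_ciphers) only ever selects pre-1.3 ciphers, and the TLS 1.3 suites are configured through SSL_CTX_set_ciphersuites, which a cipher-list string never reaches. The following added example, not code from the thread or from OPNsense, shows this with Python's ssl module using the strings from the post; it assumes the GUI value is handed to a cipher-list call.

```python
"""Where a TLS 1.3 suite name goes when it is put in an OpenSSL cipher list.

Added example for the post above; not code from OPNsense, OpenSSL or the
poster.  Requires Python built against OpenSSL 1.1.1 or newer.
"""
import ssl

# Strings as they appear in the post.
WITH_BOTH = "AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256"
TLS13_ONLY = "TLS_CHACHA20_POLY1305_SHA256"


def classify(cipher_string):
    """Split a colon-separated cipher string into the two OpenSSL namespaces.

    TLS 1.3 suites carry their RFC 8446 names (TLS_ prefix); everything else
    is a pre-1.3 cipher name understood by the cipher-list parser.
    """
    tls13, pre13 = [], []
    for name in filter(None, cipher_string.split(":")):
        (tls13 if name.startswith("TLS_") else pre13).append(name)
    return tls13, pre13


def apply_cipher_list(cipher_string):
    """Hand the string to the cipher-list API and report what results.

    Returns (accepted, pre13_names, tls13_names).  `accepted` is False when
    OpenSSL rejects the list because no pre-1.3 cipher matched: TLS 1.3
    names are not looked up by this API at all, so a string made only of
    them fails with "No cipher can be selected".  When the list is accepted,
    the TLS 1.3 suites offered are whatever the separate ciphersuites
    setting holds (the OpenSSL default unless changed elsewhere).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False, [], []
    ciphers = ctx.get_ciphers()
    pre13 = [c["name"] for c in ciphers if c["protocol"] != "TLSv1.3"]
    tls13 = [c["name"] for c in ciphers if c["protocol"] == "TLSv1.3"]
    return True, pre13, tls13


if __name__ == "__main__":
    for s in (WITH_BOTH, TLS13_ONLY):
        tls13_names, pre13_names = classify(s)
        print(f"{s!r}: TLS 1.3 names={tls13_names} pre-1.3 names={pre13_names}")
        ok, pre13, tls13 = apply_cipher_list(s)
        print(f"  cipher list accepted: {ok}")
        print(f"  pre-1.3 ciphers offered: {pre13}")
        print(f"  TLS 1.3 suites offered:  {tls13}")
```

The second string is rejected outright rather than selecting ChaCha20: removing AES256-GCM-SHA384 leaves the cipher list with nothing it recognises. Which TLS 1.3 suite is used on a TLS 1.3 connection is decided by the ciphersuites setting, so a cipher-list field cannot be used to prefer TLS_CHACHA20_POLY1305_SHA256, and whether the browser and server negotiate TLS 1.3 at all is a separate question from the cipher list.
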
#9
Even when I explicitly make them enabled, either by:

- enabling all of them with the top generic checkbox
- enabling them one-by-one with its associated checkboxes

when I apply the configuration all are shown enabled as I specified
when I select any other option on the GUI and then revisit the DNS over TLS page all of them are shown disabled

Is this normal behavior or what?

By the way I already cleared the former (plain-DNS) servers on [System | Settings | General | DNS servers] and unbound is working as expected, so I assume the servers added on DNS over TLS are honored.

#10
Quote from: opnnewbie on March 24, 2022, 06:20:25 PM
Since I do not see any related options in the GUI under unbound ...

It seems I missed it ... my fault again:

https://.../ui/unbound/dot/index

Here I have DNS-over-TLS (aka DoT) support :)

#11
Quote from: cookiemonster on March 24, 2022, 01:35:45 PM
A small point: DNSsec is not encryption.

You're right; my fault:

From https://en.wikipedia.org/wiki/Dnssec: The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

From https://developers.cloudflare.com/1.1.1.1/encryption/: To prevent this and secure your connections, 1.1.1.1 supports DNS over TLS (DoT) and DNS over HTTPS (DoH), two standards developed for encrypting plaintext DNS traffic. This prevents untrustworthy entities from interpreting and manipulating your queries.

Since I do not see any related options in the GUI under unbound I guess I should research something akin to the following: https://www.dnsknowledge.com/unbound/configure-unbound-dns-over-tls-on-linux/

#12
When I configure unbound DNS service I automatically get the following access lists:

- Internal Allow 127.0.0.1/8
- Internal Allow ::1/64
- Internal Allow #.#.#.#/# ... my LAN address; eg: 10.0.0.1

I manually added aclDNS as follows:

- Allow 10.0.0.2/0 ... internal DNS traffic is coming through this IP ONLY; ie: already-NATed by another router within my LAN

Generic traffic (sans DNS queries) will be going through 10.0.0.1.

So in this case I DO NOT WANT the automatically-added ACLs ... how can I get rid of them?

#13
My current configuration has:

- System ‣ Settings ‣ General : DNS Server set to 1.1.1.1 and 1.0.0.1 (CloudFlare)
- DNS Query Forwarding: [Enable Forwarding Mode] disabled
- DNSSEC: [Enable DNSSEC Support] enabled

The GUI help states: The configured system nameservers will be used to forward queries to.
The docs state: DNS Query Forwarding: Forward queries to configured nameservers in System ‣ Settings ‣ General : DNS Server

It seems this is NOT required since my configuration is already resolving from CloudFlare ... unless I don't understand something (most probably).

Can anyone clarify please?

#14
For example alongside the icon of the interface on Lobby | Dashboard | Interfaces.

Meaning an icon, text, whatever stating link quality.

It would really be welcome :)

#15
Last night I got confused too by unbound-related settings.

My setup intends to be: employees -> BIND DNS server on company server -> unbound on opnSense router -> CloudFlare

The BIND DNS server should deal (unencrypted traffic to begin with) with unbound on opnSense and nothing more.
The unbound server/service on opnSense should query CloudFlare (encrypted traffic here; ie: DNSsec) answering BIND.

At this point I have the setup working sans DNSsec to CloudFlare, which I am researching/learning how to do right now.

The point that relates to this post is that I, too, got confused by the settings under System | Settings | General | DNS servers.
I set those to 1.1.1.1 and 1.0.0.1 for CloudFlare (by the way setting their gateways to my WAN gateway).
unbound is configured to listen on LAN and to go out through WAN.
unbound is not configured for DNS Query Forwarding; Enable Forwarding Mode is disabled.

It is working but ... did I get the configuration right ?
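
Posts #13 and #15 both ask whether Enable Forwarding Mode is needed when the System ‣ Settings ‣ General servers already point at Cloudflare. In unbound's own configuration the two modes are distinct things: with forwarding off there is no forward-zone and unbound resolves iteratively from the root servers itself; with forwarding on, a forward-zone for "." sends every query to the listed upstreams, and it is that forward-zone that carries the DNS over TLS settings (upstream address, port 853 and the name the upstream certificate must match). DNSSEC validation is a separate server option that authenticates answers without encrypting them, which is cookiemonster's point in post #11. The following is an added, hand-written unbound.conf for the topology described in post #15 (BIND on the company server, unbound on the firewall, Cloudflare upstream); it is not the file OPNsense generates from the GUI, and the 10.0.0.0/29 LAN, the 10.0.0.1 listener address and the file paths are assumptions.

```conf
# Added example: hand-written unbound.conf for the setup in posts #13/#15.
# NOT the configuration OPNsense generates; LAN netblock, listener address
# and file paths are assumptions for illustration.
server:
    interface: 10.0.0.1          # LAN side only, as in the posts
    interface: 127.0.0.1         # only needed if the firewall itself should ask unbound
    port: 53

    # Who may ask: longest-prefix match, anything unmatched is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/29 allow

    # DNSSEC validation: authenticity and integrity of answers, not confidentiality.
    auto-trust-anchor-file: "/var/unbound/root.key"    # path is an assumption

    # CA bundle used to verify the DoT upstream's certificate against the
    # '#name' given on each forward-addr below; without a bundle the TLS
    # session is encrypted but the upstream is not authenticated.
    tls-cert-bundle: "/etc/ssl/cert.pem"               # path is an assumption

    log-queries: yes             # the per-query lines used for debugging in post #3

# Forwarding mode OFF: leave out the forward-zone entirely.  unbound then
# walks the tree from the root servers on its own; the servers listed under
# System > Settings > General play no part in its lookups.

# Forwarding mode ON with DNS over TLS: every query goes to these upstreams
# over TLS on port 853.  The part after '#' is the name the certificate must
# match; the part after '@' is the port.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Either variant answers BIND on the LAN in the same way; the difference is only where unbound gets its answers from and whether that leg is encrypted. The general DNS servers are what the firewall's own resolver uses, which is what post #2 found the updater doing.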