Messages - JGN1956

#1
22.7 Legacy Series / Re: DNSMasq and DNSSEC
August 24, 2022, 05:48:06 PM
That did the trick :D

Thank you very much.
#2
22.7 Legacy Series / Re: DNSMasq and DNSSEC
August 24, 2022, 04:00:29 PM
From the firewall itself it works but from internal networks encrypted redirections do not work at all. It is the same that happens with DNSMasq.
#3
Just for closing the thread. As I have said in a different post about DNSMasq, Unbound does not work in my case because the internet provider is blocking access to the root DNS servers for home accesses.

Thanks to all the people that tried to help.
#4
22.7 Legacy Series / Re: DNSMasq and DNSSEC
August 24, 2022, 03:11:10 PM
Well, I finally decided to do a fresh install from scratch with just WAN and LAN active and no other changes made in the config. The results were the same and I checked the DNS logs. With Unbound and using the standard config (DNS pointed to itself), the firewall could not update nor find any URL. Apparently, the internet provider (Movistar Spain fiber optics) is blocking access to the root servers (I checked the requests but there was no answer), and therefore, there is no name resolution until you specify alternative DNS servers.

Something similar happens with redirect DNSMasq and DNSSEC which is blocked by the operator (not the requests made directly from the firewall).

I looked for these things in Movistar forums and found that they justify it in order to avoid internal DNSs in home or small company sites, which may have potentially insecure configurations and, therefore, be the target for DNS poisoning. So, to avoid it, they do not allow full DNSs like Unbound or encrypted DNS forwarding. Apparently the configuration is different for other types of network accesses.

So it is like it is in my case and I have to trust that the operator filters DNS traffic correctly. It is their policy and the justification is reasonable.

Anyway, thanks for your help.
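Added example (not from the thread, and not the file OPNsense generates from its GUI): a plain unbound.conf that never recurses to the root servers and instead forwards every query, over DNS-over-TLS, to public resolvers that return DNSSEC data. This is the configuration behind the GUI's "Forwarding" and "DNS over TLS" options, for a situation like the one described above where recursion to the root is not possible. The network range, trust-anchor path and CA-bundle path are assumptions.

```conf
# Added example, not from the thread: forward-only Unbound with DoT upstreams.
# Unbound still validates DNSSEC itself when forwarding, because it sends the
# DO bit upstream and checks the RRSIGs it gets back against the root trust anchor.
server:
    interface: 0.0.0.0
    access-control: 192.168.0.0/16 allow            # assumption: LAN/VLAN ranges
    auto-trust-anchor-file: "/var/unbound/root.key" # assumption: path of the managed root key
    tls-cert-bundle: "/etc/ssl/cert.pem"            # assumption: CA bundle for verifying upstream certs
    # Without a forward-zone, Unbound would try the root hints first; if those
    # packets get no answer, every name ends in SERVFAIL, which is what the
    # "DNS pointed to itself" default produced above.

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

If TCP/853 is also unusable on the line, set forward-tls-upstream to no and forward-addr to the resolver on port 53: validation still happens locally as long as the upstream returns RRSIGs, but the queries are then visible in clear to the operator.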
#5
22.7 Legacy Series / Re: DNSMasq and DNSSEC
August 22, 2022, 06:27:20 PM
No, Unbound is not running; OPNsense does not allow both of them running at the same time. I do not know what else to do except start from scratch, test Unbound and DNSMasq with the fresh new installation and later on restore my present configuration from a backup. The problem is that I will have all my devices (including my wife's PC) disconnected from the Internet for some time, and that is keeping me from doing it, above all because I am not sure that it will solve the problem.

One other thing I was thinking, and I do not think it is the problem, but just to discard it. My firewall is behind the carrier router, and therefore I have double NAT. Do you think that may have something to do with the problem? I have to keep it that way because my line is fiber optics and the carrier uses a special configuration for TV.

Thank you very much for your help.
#6
22.7 Legacy Series / Re: DNSMasq and DNSSEC
August 22, 2022, 03:58:36 PM
Good afternoon. When I ask from the PC, no RRSIG and, of course, no name resolution. However, when I ask from the firewall, the RRSIG packets are there and the response is correct.

Does it make any sense to you?
#7
22.7 Legacy Series / DNSMasq and DNSSEC
August 22, 2022, 01:01:27 PM
Good morning. Some days ago I opened a topic about UNBOUND not responding or responding SERVFAIL to clients in VLANs even though the same request made from the firewall was responded correctly. None of the responses worked in my installation and I decided to try DNSMasq. With DNSMasq everything worked correctly until I activated DNSSEC. With DNSSEC active I could see the following behaviour:

- From the firewall itself DNS requests worked correctly all the time.
- From VLAN clients, if the url was already in cache (from a previous firewall request, for example), everything worked
- From VLAN clients, if the url was not in cache, the request did not work.

In this last case, I made a packet capture for port 53 on both the VLAN and the WAN and I could see that the request went from the local PC to the firewall, and then from the firewall to the configured DNS servers (1.1.1.1 and 8.8.8.8 in my case), which responded with the A record address requested. The strange thing is that, after that, the firewall responded with a SERVFAIL to the client and the response was not cached.

To me this looks in some way similar to the problem I had with Unbound. I have been checking OPNSense firewall log in both interfaces, local VLAN and WAN to see if something was rejected and the problem was some missing rule but nothing was rejected apart from the UDP 1900 that I do not allow.

I do not like to have DNS configured without DNSSEC but, for now, it is what I have since it does not work otherwise, and I would be grateful if somebody could give me a way to make it work.

Thank you in advance.
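Added example, not code from the thread or from OPNsense: a small DNS probe that does, in one script, what the packet captures above were used for. It builds a query with the EDNS0 DO bit (which is what a validating resolver sends upstream to get RRSIGs back), parses the reply, and reports one of four outcomes: SERVFAIL, RRSIG present with the AD flag set, RRSIG present without AD, or no RRSIG at all. Run from a VLAN client against the firewall and then against the upstream the firewall forwards to, it shows on which hop the signatures disappear. The sample replies are constructed (dummy signature bytes, 192.0.2.1 as the address) so the checks run offline; the live probe at the bottom needs the network.

```python
import socket
import struct
import sys

# Added example, not code from the thread: send a DNS query with the EDNS0 DO bit, parse the
# reply and say whether it carries RRSIGs and the AD flag. Run it from a VLAN client against
# the firewall and against the upstream it forwards to, to see where the RRSIGs disappear.
RTYPES = {1: "A", 28: "AAAA", 41: "OPT", 43: "DS", 46: "RRSIG", 48: "DNSKEY"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000  # the DO bit sits in the upper half of the OPT pseudo-RR's "TTL" field

def encode_name(name):
    # dotted name -> length-prefixed labels terminated by a zero byte
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234, do_bit=True):
    # one question with RD set; with do_bit, an OPT RR (type 41, 4096-byte payload) requests RRSIGs
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if do_bit else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0) if do_bit else b""
    return header + question + opt

def decode_name(data, off):
    # read a possibly compressed name at off; return (name, offset just past it)
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def parse_response(data):
    # returns rcode, AD flag, DO flag and (name, type, ttl, rdata) for every RR in the message
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4  # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        records.append((name, RTYPES.get(rtype, str(rtype)), ttl, data[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & FLAG_AD),
            "do": any(t == "OPT" and ttl & EDNS_DO for _, t, ttl, _ in records),
            "records": records}

def classify(resp):
    # the one-line verdict a troubleshooter wants from a parsed reply
    types = {t for _, t, _, _ in resp["records"]}
    if resp["rcode"] == "SERVFAIL":
        return "SERVFAIL: resolver could not validate the answer or could not reach upstream"
    if "RRSIG" in types:
        return "validated: RRSIG present, AD set" if resp["ad"] else "signed, not validated: RRSIG present, AD clear"
    return "no RRSIG in reply: DO bit not honoured or DNSSEC data stripped upstream"

def sample_validated_response(txid=0x1234):
    # constructed reply for example.com: A + RRSIG (dummy signature bytes), AD set, OPT with DO
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 2, 0, 1)
    question = encode_name("example.com.") + struct.pack("!HH", 1, 1)
    ptr = b"\xc0\x0c"  # compression pointer to the owner name at offset 12
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = struct.pack("!HBBIIIH", 1, 13, 2, 300, 0, 0, 12345) + encode_name("example.com.") + b"\x00" * 64
    rrsig_rr = ptr + struct.pack("!HHIH", 46, 1, 300, len(sig)) + sig
    return header + question + a_rr + rrsig_rr + b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)

def sample_servfail_response(txid=0x1234):
    # constructed SERVFAIL with an empty answer section, what a validating resolver returns on failure
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 0)
    return header + encode_name("example.com.") + struct.pack("!HH", 1, 1)

def query_server(server, name, timeout=3.0):
    # live probe over UDP/53 (needs network); not used by the offline checks above
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_response(data))

if __name__ == "__main__":
    # e.g. python dnssec_probe.py www.example.com 192.168.1.1 1.1.1.1
    for server in sys.argv[2:]:
        print(server, "->", query_server(server, sys.argv[1]))
```

Reading the output: the firewall answering SERVFAIL for a name that the upstream answers with "validated" means the forwarder received the data but rejected it (or never got it, which a capture on the WAN side settles); the upstream answering "no RRSIG" means something between the firewall and the upstream is not passing EDNS data, and no forwarder behind it can validate. The same two probes can be done with `dig +dnssec @server name`; the script only makes the DO bit and the RRSIG/AD check explicit.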

#8
22.7 Legacy Series / Re: OpenVPN configuration
August 19, 2022, 08:47:41 PM
I answer myself: just check "Route all traffic through the tunnel" :)

I do not know why I did not see it before. Anyway, I think the help regarding Local net as a series of ipv4 CIDR separated by commas is wrong.
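Added example, not from the thread and not the server file OPNsense writes from its GUI: the plain OpenVPN server directives that correspond to the two options discussed above. The tunnel network and the LAN addresses are assumptions.

```conf
# Added example, not from the thread: OpenVPN server directives behind the GUI options.
server 10.8.0.0 255.255.255.0               # assumption: tunnel network handed to clients

# "Local network(s)": one pushed route per internal segment the client should reach
push "route 192.168.30.0 255.255.255.0"
push "route 192.168.40.0 255.255.255.0"

# "Route all traffic through the tunnel": replaces the client's default route instead,
# so the per-segment routes above become unnecessary (but harmless)
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"             # assumption: a resolver reachable through the tunnel
```

With redirect-gateway the client also needs a DNS server it can reach through the tunnel, otherwise name resolution keeps using (or loses) the resolver from the client's local network.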
#9
22.7 Legacy Series / OpenVPN configuration
August 19, 2022, 08:32:58 PM
When I try to set two different LAN segments in my LAN I get the following error:

'192.168.30.0/24, 192.168.40.0' in 'Red Local IPv4' may only contain valid ipv4 CIDR range(s) separated by commas.


The error in itself is illogical since, as you can see, the ranges are valid ipv4 CIDR. The problem is that, apparently, only ONE range is allowed, and therefore, either there is an error in the coding or in the help and documentation.

Can you set up your client so that all client communications go through the VPN tunnel?
#10
I have done the packet capture and the requests seem to be forwarded but, for some unexplained reason, sometimes they are returned to the origin and some other times not, and a "NOT FOUND" message is returned. As I explained in my initial posts, Unbound works for some requests and not for others, and it does so in a very consistent manner: some FQDNs are ALWAYS resolved correctly and some others NEVER are. The only thing I have seen in these last ones is that they use AKAMAI, but I do not know if all the FQDNs that use AKAMAI have the same problem (for example www.marca.com).

Maybe there is some explanation for this but this kind of inconsistency is strange.
#11
Yes, it is checked to use the system DNS in both cases and I do not have any custom dns domains, everything is per default.

Regarding the use for local domains, I do not see any check for that in any of the DNS configuration screens, either in unbound or system configuration.

Quote from: tuto2 on August 18, 2022, 09:50:50 AM
How are your Forwarding and DNS over TLS entries configured? Are you trying to resolve local domains as well?

#12
I tried what you said:

- My rule gateway was already default
- I added the PCs network in CIDR format to the Unbound Access List explicitly

Now, something has changed according to the Unbound log. The request seems to be forwarded, which is something that did not happen before, but the request is not fulfilled, at least not always, because some requests seem to be responded to, or at least I can access the site in Chrome, but most of them are not.

So, there seems to be some improvement but it is still not working properly.

I am really confused about this.

#13
Since I am still in the hardening process, I have a rule to open everything going out:

Source: PCs network
Port: any
Destination: any
Ports: any
Gateway: Default

Should this work?

(Later on I will set the rules for specific protocols and ports but I have this rule for the moment so that I can access Internet)

#14
I have recently installed OPNsense and I have configured different VLANs and interfaces. I have also configured a DMZ for a server that has to be accessible from the Internet. The WAN interface has a static IP and DNS configured in the general settings, since I have to keep the broadband router in the middle so that my fiber optics connection and TV keep working. Everything is working fine except that I have had to explicitly assign DNS servers to every internal network in the DHCPv4 config instead of keeping the default, that is, the firewall. I am using Unbound, with DNSSEC enabled, and I have also enabled Forwarding and DNS over TLS without overrides. However, forwarding is not working because, if I take out the explicit DNS servers from the DHCPv4 assignments in order to use the firewall as DNS, I cannot access the Internet from my PCs. I have even checked a packet capture and I do not see anything coming out of the WAN interface.

I have checked and rechecked documentation and Internet postings without success. I think that, if this was an OPNSense error, it would be all over because Unbound with the firewall as DNS for internal networks is the standard configuration, and therefore, I must be missing something in my settings.

Can anybody help me sort this out?

Thanks in advance.