Messages - tabsats

#1
Quote from: securid on December 26, 2023, 11:33:08 AM
Quote from: tabsats on December 25, 2023, 11:58:52 AM
Quote from: securid on December 23, 2023, 08:37:45 AM
I decided to use Unbound exclusively and set up DNS over TLS towards NextDNS. No hostnames, but it works flawlessly with all the benefits that won't work with the other setups.

Could you please check with dnscheck.tools if you experience any DNS leaks? Maybe also try it several times; sometimes I see only the NextDNS server, but most of the time I can also see Cloudflare as well as OpenDNS servers... I am not sure if I have something misconfigured. I have created a post here in the forum, but so far no one has responded. Since you are using NextDNS exactly as I do, I would be interested to see if you see this behaviour like me. Thanks!!

Impossible, because I "catch & redirect" DNS through a NAT rule back to OPNsense. Unless some client (like mobile devices) connects through "secure DNS", basically DNS over TLS or HTTPS. I'm not sure if I could catch those, but my own devices don't do that, so it's only guest devices and I don't care enough.

Yes, it's the same on my setup, catch and redirect DNS through a NAT rule. I didn't understand what's impossible? To check if you have any leaks, or that leaks should be impossible?
#2
Thanks for that tip, I will have a closer look at it. Since I want to have Unbound managing my internal DNS and forwarders, the only viable option is your "the other way around" suggestion. Will follow up as soon as I know more. Thanks!
#3
Quote from: DEC670airp414user on December 25, 2023, 11:55:44 AM
hostname should contain:

your ID.dns.nextdns.io, not what you have listed

The hostname was created according to the instructions on NextDNS. I have just added the name of my firewall at the beginning to see that it is really my device... I have just concealed my ID for this forum.

Quote from: DEC670airp414user on December 25, 2023, 11:55:44 AM
local zone is changed to static?

yes


Quote from: DEC670airp414user on December 25, 2023, 11:55:44 AM
When you log in to the NextDNS page, does it show your IP synced and say you are using their service?


Yes I can see on mynextdns.io that it works.

Quote from: DEC670airp414user on December 25, 2023, 11:55:44 AM
general dns servers should still have a backup DNS server there according to the manual

Can I put the Unbound internal DNS there, or does it have to be a public one?
Edit: I have just used the standard IPs from the mynextdns dashboard and it seems to have fixed the issue. Still don't understand why... I don't want to use them??
Edit 2: Other DNS servers just popped up again. This didn't solve it; I didn't understand why it would anyway...
#4
Quote from: securid on December 23, 2023, 08:37:45 AM
I decided to use Unbound exclusively and set up DNS over TLS towards NextDNS. No hostnames, but it works flawlessly with all the benefits that won't work with the other setups.

Could you please check with dnscheck.tools if you experience any DNS leaks? Maybe also try it several times; sometimes I see only the NextDNS server, but most of the time I can also see Cloudflare as well as OpenDNS servers... I am not sure if I have something misconfigured. I have created a post here in the forum, but so far no one has responded. Since you are using NextDNS exactly as I do, I would be interested to see if you see this behaviour like me. Thanks!!
#5
Not sure if you are able to look at the uploaded screenshots; I had to convert them into a smaller format so that I could post them, due to the very small file size limits here... or maybe my post is not clear enough?
#6
General Discussion / DNS over TLS via Unbound - Leaking?!
December 21, 2023, 07:11:05 PM
Hi all, I am struggling with an issue I haven't been able to solve myself for months, and I am not sure if it even is an issue.

I am trying to use the DNS over TLS feature within the Unbound settings. There I have entered the details for NextDNS, and that works so far. All external DNS is going through NextDNS and is logged there properly.

The problem I face is that I am not sure if DNS is also leaking to other DNS servers. I use dnscheck.tools to see which DNS servers are used, and there I see the NextDNS servers but also many different other ones. I am wondering if those are a result of Unbound recursions or real leaks?!

Would be glad if one of our experts here can provide some tips for me.

Attached are screenshots of my setup (couldn't figure out how to include them in the text).
#7
Have a look at this; I set up my Unbound together with a VPN this way. It's a bigger project, but you learn a lot from it: https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/#overview

Kind regards
#8
Hi, I would like to stick just with the native blocklists in OPNsense. Do you know which kind of lists should be preferred? Which ones are best for performance? Wildcard or hosts/domains?
#9
Hi, I also encounter problems with native Unbound lists ending with .conf... Why does the Unbound implementation within OPNsense seem to be different from the standalone CLI version? Is it really broken?
#10
Could you explain what exactly you have figured out? I was searching for this topic and found your question here. It would be great if you could elaborate on it a bit. Thanks
#11
This is where all threads on this topic end. :-\
Did you give up or solve it?

If anyone has solved it, it would be great if all the FW rules could be shown here. It makes no sense to try the setups/rules from this thread if they don't lead to success. Would be VERY grateful for that!

Kind regards


EDIT 1:
I have now solved it simply by building 2 aliases:
- all Sonos speakers (hosts, --> fixed IPs) in the IoT network
- all controllers (smartphones, computers with the controller app) in the LAN network

Rule on the IoT network:
Pass TCP on IoT net from "alle sonos speaker" to "alle Controller"

I came across it through the following post: https://forum.opnsense.org/index.php?topic=16769.msg76469#msg76469

It's not entirely clean, because Sonos is now allowed too much, but I can't do better at the moment. As soon as I find a tighter "recipe" that is just as efficient, I'll look at it again...
#12
Hi @D0bby, have you been able to solve it? Having a similar issue here.

UDP Broadcast Relay is installed and the values are set correctly, as also shown above.
Quote from: D0bby on September 03, 2022, 05:42:52 PM
Hey

UDP Broadcast Relay--> IoT,LAN,UntrustedLAN   239.255.255.250       1900   2   Sonos

The situation is that from my main LAN net I cannot reach the system via the Sonos app. Interestingly, I can still control it via an app called MBC on my Mac. Listening to playlists and grouping are possible. But the full spectrum, e.g. accessing accounts for different apps like in the official Sonos controller, is not possible with the MBC app. Obviously I would like to use the original app.

I have some firewall rules set to isolate that IoT network from other networks, and now I need to create new "pass" rule(s) for this.
Not sure if it's useful, but my current rules for this IoT net are below.


The problem is, I have only very limited experience and needed to read up on everything, but nothing has worked yet. So if you or anyone else here can push me a little in the right direction or already has an answer, that would be awesome!

Thanks!

EDIT:

I solved it by following this: https://forum.opnsense.org/index.php?topic=16769.msg76469#msg76469

TL;DR: simply build 2 aliases:
- all Sonos speakers (hosts, --> fixed IPs) in the IoT network
- all controllers (smartphones, computers with the controller app) in the LAN network

Rule on the IoT network: Pass TCP on IoT net from "all sonos speaker" to "all Controller"
Not super clean, but efficient, and it works!
#13
THANKS @pmhausen!!! :D
#14
Quote from: JeGr on November 29, 2022, 12:16:12 PM
It's not important, so it can go ;)

Thanks for your assessment! That makes sense, and I came to the same opinion in conversations with colleagues and experienced technicians!

What I haven't figured out yet is how I can disable the logging of bogons and private IPs on my WAN. In the firewall these are default rules that are not "modifiable".

Kind regards, tabsats
#15
Quote from: iamhermes on November 27, 2022, 10:30:27 PM
Why not just do a dump of these packets?

Thanks for the hint. Skill-wise I'm not yet at the point where I can just do that and, above all, make sense of the results, but I'll read up on it and give it a try.

Quote from: iamhermes on November 27, 2022, 10:30:27 PM
I have a VMG1312 in bridge mode. But I can't detect the traffic you mentioned.

I suspect the traffic isn't normal either. My ISP said they can't help me as long as I have the modem "bridged"; they can't see anything. Rather, I had the feeling that I was annoying them with my question :D

Quote from: iamhermes on November 27, 2022, 10:30:27 PM
Fibre connection?
No, cable. The line into the house is of course fibre, but it is then routed to my apartment via the antenna socket...