Messages - calboy386

#1
Sorry for the delay, I was rolling around in the dirt with my kids (camping) the last several days.


Quote from: CJRoss on July 09, 2023, 08:23:56 PM
You're only getting a response from 1.1.1.1?  Nothing from 127.0.0.1?  Is 1.1.1.1 the only DNS you have configured?

What happens if you put 127.0.0.1 in the Server box and repeat the lookups?

Yes, 1.1.1.1 is the only DNS server configured.  If I use 127.0.0.1 and resolve google.com in the GUI, I get nothing.  No response.  No error.

What do you have under these sections?

Quote from: CJRoss on July 09, 2023, 08:23:56 PM
System -> Settings -> General -> Networking section

Just the 1.1.1.1 - everything else is blank or unchecked.

Services -> Unbound -> Query Forwarding

Nothing

Services -> Unbound -> DNS over TLS

Nothing


Obviously the Query Forward needed to be configured.  So I checked the "use system DNS servers" and google.com (and penthouse.com) is now resolving.  I had this checked before, but stated "I'm a bit all over the place".

So I enabled DNSBL for porn, and penthouse.com now returns 0.0.0.0 as expected. 
Then I added penthouse.com to the whitelist and it is resolving again, while other sites still return 0.0.0.0 - as expected.

So I must have had some wonky setting somewhere that I 'fixed' by factory resetting.  And once we realized I needed to add the forward back in - voila.  All is well in my kingdom. 

Thank you for the patience and support. 
#2
Yes, I am the admin of the prod instance as well. 

Using the built in GUI tools, I get valid responses for both google and penthouse.  It defaults to the DNS I have configured on the device, 1.1.1.1

#3
Ok, I (re)installed OPNsense from ISO on a new VM and it is having trouble resolving before any blocklists are enabled/disabled.  Keep in mind this is a lab, which is behind another 'production' OPNsense.

It is plain vanilla, with the exception of bogon and private networks being allowed in the WAN config.

But if I login to the shell and run ....

1) drill @1.1.1.1 penthouse.com ; it returns correctly.  This leads me to believe I am getting thru the prod OPNsense w/o issue.
2) drill @127.0.0.1 penthouse.com ; returns SERVFAIL.  As does any domain name.

I am nearly positive this is somehow my lack of understanding.  So thank you for your patience. 
#4
I get the same from FreeBSD (see attached).  It *appears* to be Unbound on OPNsense. 
#5
I had modified Unbound to return the 10.10.10.10. 

So I've been working on this for days.

1) reset OPNsense to defaults, set DNS to 1.1.1.1, enable resolver, DNSSEC, and harden DNSSEC, time server = Chicago
2) verify DNS works from OPNsense and Mint test server - everything works as expected.
3) add one domain under Blocklist/Blocklist Domains (penthouse.com)
4) client host dig returns 0.0.0.0 - as expected
5) remove penthouse.com (Clear All) from Blocklist Domains, Apply, restart Unbound
6) now every query returns SERVERFAIL from the client (tried clearing DNS cache, tried different tools - nslookup, host, etc)
7) But OPNsense drill returns correctly

Nothing I have tried fixes this.  Unbound is just broken and every lookup from the client returns SERVERFAIL.

I am downloading a FreeBSD ISO to build a new client in the lab to test with. 
 
#6
I installed Wireshark and this might be a clue.  "Cannot handle DNSSEC security RRs".  I will research about DNSSEC and OPNsense/Unbound and see what I can find.

-M

Frame 41: 85 bytes on wire (680 bits), 85 bytes captured (680 bits) on interface 0
    Interface id: 0 (wlp2s0)
        Interface name: wlp2s0
    Encapsulation type: Ethernet (1)
    Arrival Time: Jul  4, 2023 15:55:27.994215369 CDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1688504127.994215369 seconds
    [Time delta from previous captured frame: 0.031023893 seconds]
    [Time delta from previous displayed frame: 0.031023893 seconds]
    [Time since reference or first frame: 3.385878928 seconds]
    Frame Number: 41
    Frame Length: 85 bytes (680 bits)
    Capture Length: 85 bytes (680 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: b0:6a:41:ec:cc:80 (b0:6a:41:ec:cc:80), Dst: IntelCor_25:cb:32 (80:00:0b:-:-:-)
    Destination: IntelCor_25:cb:32 (80:00:0b:-:-:-)
        Address: IntelCor_25:cb:32 (80:00:0b:-:-:-)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: b0:6a:41:-:-:- (b0:6a:41:-:-:-)
        Address: b0:6a:41:-:-:- (b0:6a:41:-:-:-)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.x.x, Dst: 192.168.x.x
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 71
    Identification: 0xaa0a (43530)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x627f [validation disabled]
    [Header checksum status: Unverified]
    Source: 192.168.x.1
    Destination: 192.168.x.202
User Datagram Protocol, Src Port: 53, Dst Port: 58392
    Source Port: 53
    Destination Port: 58392
    Length: 51
    Checksum: 0x33f3 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 2]
Domain Name System (response)
    Transaction ID: 0xb909
    Flags: 0x8580 Standard query response, No error
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        login.live.com: type A, class IN
            Name: login.live.com
            [Name Length: 14]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 1232
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x0000
                0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0
    [Request In: 40]
    [Time: 0.031023893 seconds]
#7
Thank you for the response.  Just FYI, I have 2 OPNsense setups.  One I am using - live - for my household.  And one in a lab.  I am seeing the behavior in both.

I am waiting just a minute or so after Applying and then restarting Unbound. (update: I waited over an hour - just to see if it mattered - it did not).
If I click on the 'add to whitelist' in the reporting, yes the domain shows up in the whitelist - list.
I am using Linux Mint for testing - both 'dig' and 'nslookup'.  I am also using a browser to open sites.
I added a specific destination address in the Blocklist config, so I can definitely tell when Unbound DNS is giving me a blocked response.
If I disable DNSBL, or even untick one of the lists, it works as designed.

Using nslookup, I noticed the whitelisted domain gets no response, versus the 10.10.10.10 I would expect to see.

(broken whitelist)
$ nslookup login.live.com
Server:      127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
*** Can't find login.live.com: No answer

(non-blocked domain)
$ nslookup live.com
Server:      127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
Name:   live.com
Address: 204.79.197.212

(normal blocked domain)
$ nslookup penthouse.com
Server:      127.0.0.53
Address:   127.0.0.53#53

Non-authoritative answer:
Name:   penthouse.com
Address: 10.10.10.10
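The response shapes seen in the nslookup and Wireshark output above, as an added example that is not part of the thread: a stdlib-only Python parser that classifies a DNS reply as SERVFAIL, NOERROR with no answer (the symptom on the whitelisted login.live.com), sinkholed (the 0.0.0.0 / 10.10.10.10 DNSBL addresses) or resolved. The sample packets are constructed; FRAME41 rebuilds the DNS payload of the posted Wireshark frame 41 from its dissected fields, while the other transaction ids and flag values are assumed.

```python
import struct

SINKHOLES = ("0.0.0.0", "10.10.10.10")   # DNSBL destination addresses seen in the posts

def _name(qname):
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"

def build_response(txid, flags, qname, answers=(), opt=True):
    """Constructed minimal DNS response: one A question, optional A answers, optional OPT RR."""
    pkt = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, int(opt))
    pkt += _name(qname) + struct.pack("!HH", 1, 1)                 # question: type A, class IN
    for ip in answers:                                              # 0xc00c = pointer to the qname
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    if opt:   # EDNS0: root name, type OPT(41), UDP size 1232, ext-rcode/version/Z (DO bit) = 0, rdlen 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0)
    return pkt

def _read_name(pkt, off):
    """Decode a possibly compressed name; returns (name, next offset)."""
    labels = []
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                                        # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(pkt, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode()); off += n

def classify(pkt):
    """'servfail', 'noerror-empty' (broken-whitelist symptom), 'sinkholed', 'resolved' or 'rcodeN'."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    rcode, off, ips = flags & 0xF, 12, []
    for _ in range(qd):                                             # skip the question section
        _, off = _read_name(pkt, off); off += 4
    for _ in range(an):                                             # collect A answers
        _, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10]); off += 10
        if rtype == 1:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    if rcode:
        return "servfail" if rcode == 2 else f"rcode{rcode}"
    if not ips:
        return "noerror-empty"
    return "sinkholed" if any(ip in SINKHOLES for ip in ips) else "resolved"

# Frame 41 from the post: id 0xb909, flags 0x8580, no answers, one OPT RR -> 43 bytes (UDP length 51)
FRAME41 = build_response(0xB909, 0x8580, "login.live.com")
```

Pointing the same parser at a live capture (Unbound's reply to the client) shows whether a whitelisted name is coming back as an empty NOERROR rather than an A record.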
#8
Version 23.1.11

I have read several other posts that seem to be related, but have not really seen a resolution.  Since the previous post is > 120d, I am starting a new one.

I have a fresh install and have enabled DNSBL and everything is working as expected.  Except we are blocking xbox due to login.live.com being included in one of the lists.  I see it blocked on the reports.  To whitelist it, I have tried entering (multiple versions of) the name and have also clicked the 'Whitelist Domain' button next to the 'Top Blocked Domains' in the Unbound DNS reporting page - which just adds it to the whitelist I already tried - but :shrug:. 

Regardless, the domain continues to be blocked even after the whitelisting.

Any help is appreciated.  I am fairly new to the OPNsense community so if my question(s) sound newbie-ish, my apologies up front.