1
23.7 Legacy Series / Re: [CALL FOR TESTING] Unbound DNS over TLS without explicit CA bundle
« on: December 03, 2023, 06:56:48 am »
Patch applied and working. Many thanks.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: December 02, 2023, 10:24:16 am »
@lar.hed Thank you for pointing this out.
Glad it solves your issue 👍. I will probably wait for the new OPNsense release which hopefully will include this. Had no chance to apply the patch.
Quote
After I applied the patch that franco requested to be tested: https://forum.opnsense.org/index.php?topic=37243
Glad it solves your issue 👍. I will probably wait for the new OPNsense release which hopefully will include this. Had no chance to apply the patch.
3
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 28, 2023, 07:38:13 pm »
And another "fun" fact is when DNS stops working when DoT is enabled.
I do not get any more packages over WAN when sniffing via
But i still get packages via
And Unbound Service still seems to be running as a process or is clearly visible in the GUI as a still running service...
And also my overrides list to my internal apps is still working, which means unbound generally works except for name resolution to the world wide web
In graphics this means
I do not get any more packages over WAN when sniffing via
Code: [Select]
tcpdump -i igb1 'port 853' # WAN DoT
But i still get packages via
Code: [Select]
tcpdump -i igb0 'port 53' # LAN DNS
And Unbound Service still seems to be running as a process or is clearly visible in the GUI as a still running service...
And also my overrides list to my internal apps is still working, which means unbound generally works except for name resolution to the world wide web
In graphics this means
Code: [Select]
WWW <--DoT:853--> Unbound (DoT) <-x-BROKEN?-> Unbound (DNS) <--DNS:53-WORKS--> Lokal Clients
| |
-------------------- DNS:53-WORKS ----------------------
4
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 28, 2023, 07:26:35 pm »
And I am back on Unbound DNS without DoT.
Disabling DNSSEC did not work, it stopped working again after a very short period of time with DoT enabled and using Quad9. I probably will try cloudflare to eliminate the fact that quad9 itself can be the issue, but I doubt it.
However it is not absolutely clear how to disable DNSSEC at all for me except from the flag under Services -> Unbound -> General -> Enable DNSSEC Support (uncheck and apply) and Services -> Unbound -> Advanced -> Harden DNSSEC Data (uncheck and apply), but I think thats it.
I have OPNsense 23.7.9 installed (latest as for now) with unbound 1.19.0. No change in issue.
My unbound config (as is configured over UI), but probably not very helpful and DoT disabled!
/var/unbound/unbound.conf
Disabling DNSSEC did not work, it stopped working again after a very short period of time with DoT enabled and using Quad9. I probably will try cloudflare to eliminate the fact that quad9 itself can be the issue, but I doubt it.
However it is not absolutely clear how to disable DNSSEC at all for me except from the flag under Services -> Unbound -> General -> Enable DNSSEC Support (uncheck and apply) and Services -> Unbound -> Advanced -> Harden DNSSEC Data (uncheck and apply), but I think thats it.
I have OPNsense 23.7.9 installed (latest as for now) with unbound 1.19.0. No change in issue.
My unbound config (as is configured over UI), but probably not very helpful and DoT disabled!
/var/unbound/unbound.conf
Code: [Select]
##########################
# Unbound Configuration
##########################
##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
include: /var/unbound/advanced.conf
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "python iterator"
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes
# Private networks for DNS Rebinding prevention (when enabled)
private-address: 0.0.0.0/8
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.2.0/24
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 233.252.0.0/24
private-address: ::1/128
private-address: 2001:db8::/32
private-address: fc00::/8
private-address: fd00::/8
private-address: fe80::/10
# Private domains (DNS Rebinding)
include: /var/unbound/private_domains.conf
# Static host entries
include: /var/unbound/host_entries.conf
# DHCP leases (if configured)
# Custom includes
include: /var/unbound/etc/*.conf
python:
python-script: dnsbl_module.py
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: /var/unbound/unbound_server.key
server-cert-file: /var/unbound/unbound_server.pem
control-key-file: /var/unbound/unbound_control.key
control-cert-file: /var/unbound/unbound_control.pem
5
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 26, 2023, 12:09:57 pm »
Hi, valid point and thanks for the advice, I can give it a try and based on the setup guide on quad9 its anyway not mentioned https://www.quad9.net/support/set-up-guides/setup-opnsense-and-dns-over-tls.
6
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 25, 2023, 01:30:18 pm »
Its also worth noting, that a new OPNsense Release 23.7.9 is out now with a new Unbound Version 1.18.0 -> 1.19.0, with some bugfixes https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0 however not finding anything related to DoT or DNSSEC in the bugs section, but I also do not know the library itself and its code, so I will give it a try and check if it will work again with DoT and DNSSEC enabled.
7
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 25, 2023, 01:17:56 pm »
Yes without having these set, which leads me to believe that the problem lies there. But that's just my personal amateur opinion. If I find time, which is rare these days, I will investigate further.
8
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 24, 2023, 12:19:44 pm »
Running now 7/24 without interruption.
9
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 18, 2023, 07:34:13 pm »
I want to give some update about my issue as I am facing the same issue with unbound dns stopping to work randomly.
I freshly installed OPNsense 23.7 from scratch and did a configuration restore via backup restore process, after that I upgraded again to the latest Version 23.7.8. After that I switched back from Dnsmasq to Unbound DNS with DoT and DNSSEC enabled.
After aprox. 5min DNS stopped working again and after various restarts and switching from Dnsmasq and Unbound back and forth, always after some short random time DNS stopped working on Unbound DNS again.
After this (I was pretty sure a fresh install would help, because migration could have screwed things up maybe), I decided to disable DNSSEC and DoT, but leave Unbound DNS as default DNS.
This setup is now stable for at least 24 hours!
As a side note, before fresh install, when I was troubleshooting the issue, I can remember that I got SERVFAILS when checking with tcpdump eg.
P.S: I have a PC-Engines APU4 Board.
P.P.S: I did a health check of the system, I did even try a check unbound config based on https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#testing-the-setup. All checks good and logs do not seem to indicate an issue, which makes this thing hard to troubleshoot.
I freshly installed OPNsense 23.7 from scratch and did a configuration restore via backup restore process, after that I upgraded again to the latest Version 23.7.8. After that I switched back from Dnsmasq to Unbound DNS with DoT and DNSSEC enabled.
After aprox. 5min DNS stopped working again and after various restarts and switching from Dnsmasq and Unbound back and forth, always after some short random time DNS stopped working on Unbound DNS again.
After this (I was pretty sure a fresh install would help, because migration could have screwed things up maybe), I decided to disable DNSSEC and DoT, but leave Unbound DNS as default DNS.
This setup is now stable for at least 24 hours!
As a side note, before fresh install, when I was troubleshooting the issue, I can remember that I got SERVFAILS when checking with tcpdump eg.
Code: [Select]
tcpdump -v -i igb0 dst port 53 # LAN showing SERVFAILS, when DNS stopped working
tcpdump -v -i igb1 dst port 853 # WAN when DoT enabled
P.S: I have a PC-Engines APU4 Board.
P.P.S: I did a health check of the system, I did even try a check unbound config based on https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#testing-the-setup. All checks good and logs do not seem to indicate an issue, which makes this thing hard to troubleshoot.
10
23.7 Legacy Series / Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
« on: November 02, 2023, 07:15:21 am »
Same happening to me when (I think i upgraded from 23.7.3 or 4 to 23.7.7_1, then 23.7.7_3) on OPNsense 23.7.7_3. After that random stopping/crashing of dns (unbound) and had to switch to Dnsmasq and add DNS Servers under Settings -> General -> DNS Servers to make my router work again.
When I remember correctly a ping works, which means it definitely looks like a DNS issue...eventually only with DoT users with DNSSec enabled or also people without it? I use DoT to quad9 (9.9.9.9 and 149.112.112.112) but not sure if this is relevant. Can someone confirm that also stops and crashes without DoT and DNSSec enabled?
No clue where to look for as It does not look like Unbound DNS throws any errors.
I also did not find a matching issue report on
Another thread maybe following the same issue might be the one here: https://forum.opnsense.org/index.php?topic=35527.75
Would be realy nice to have at least a clue about the progress or what the cause could be...
When I remember correctly a ping works, which means it definitely looks like a DNS issue...eventually only with DoT users with DNSSec enabled or also people without it? I use DoT to quad9 (9.9.9.9 and 149.112.112.112) but not sure if this is relevant. Can someone confirm that also stops and crashes without DoT and DNSSec enabled?
No clue where to look for as It does not look like Unbound DNS throws any errors.
I also did not find a matching issue report on
Another thread maybe following the same issue might be the one here: https://forum.opnsense.org/index.php?topic=35527.75
Would be realy nice to have at least a clue about the progress or what the cause could be...
Pages: [1]