Messages - Tschabadu

#1
Patch applied and working. Many thanks.
#2
@lar.hed Thank you for pointing this out.

Quote
After I applied the patch that franco requested to be tested: https://forum.opnsense.org/index.php?topic=37243

Glad it solves your issue 👍. I will probably wait for the new OPNsense release which hopefully will include this. Had no chance to apply the patch.
#3
And another "fun" fact: DNS stops working when DoT is enabled.

I no longer get any packets over WAN when sniffing via

tcpdump -i igb1 'port 853' # WAN DoT

But I still get packets via

tcpdump -i igb0 'port 53' # LAN DNS

And the Unbound service still seems to be running as a process and is clearly visible in the GUI as a running service...

And also my overrides list for my internal apps is still working, which means Unbound generally works except for name resolution to the world wide web :o

In graphics this means


WWW <--DoT:853--> Unbound (DoT) <-x-BROKEN?-> Unbound (DNS) <--DNS:53-WORKS--> Local Clients
  |                                                      |
  -------------------- DNS:53-WORKS ----------------------
#4
And I am back on Unbound DNS without DoT.

Disabling DNSSEC did not help; it stopped working again after a very short period of time with DoT enabled and using Quad9. I will probably try Cloudflare to rule out Quad9 itself being the issue, but I doubt it.

However, it is not absolutely clear to me how to disable DNSSEC completely, apart from the flag under Services -> Unbound -> General -> Enable DNSSEC Support (uncheck and apply) and Services -> Unbound -> Advanced -> Harden DNSSEC Data (uncheck and apply), but I think that's it.

I have OPNsense 23.7.9 installed (latest as of now) with Unbound 1.19.0. No change in the issue.

My Unbound config (as configured via the UI), probably not very helpful, and with DoT disabled!

/var/unbound/unbound.conf

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
include: /var/unbound/advanced.conf
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "python iterator"
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8




# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# Private networks for DNS Rebinding prevention (when enabled)
private-address: 0.0.0.0/8
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.2.0/24
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 233.252.0.0/24
private-address: ::1/128
private-address: 2001:db8::/32
private-address: fc00::/8
private-address: fd00::/8
private-address: fe80::/10


# Private domains (DNS Rebinding)
include: /var/unbound/private_domains.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)


# Custom includes
include: /var/unbound/etc/*.conf



python:
python-script: dnsbl_module.py

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem

#5
Hi, valid point and thanks for the advice. I can give it a try; based on the Quad9 setup guide it is not mentioned anyway: https://www.quad9.net/support/set-up-guides/setup-opnsense-and-dns-over-tls.
#6
It's also worth noting that a new OPNsense release 23.7.9 is out now with a new Unbound version, 1.18.0 -> 1.19.0, with some bug fixes https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0. However, I am not finding anything related to DoT or DNSSEC in the bugs section, but I also do not know the library itself and its code, so I will give it a try and check whether it works again with DoT and DNSSEC enabled.
#7
Yes, without having these set, which leads me to believe that the problem lies there. But that's just my personal amateur opinion. If I find time, which is rare these days, I will investigate further.
#8
Running 24/7 now without interruption.
#9
I want to give an update on my issue, as I am facing the same issue with Unbound DNS randomly stopping working.

I freshly installed OPNsense 23.7 from scratch and did a configuration restore via the backup restore process; after that I upgraded again to the latest version, 23.7.8. After that I switched back from Dnsmasq to Unbound DNS with DoT and DNSSEC enabled.

After approx. 5 min DNS stopped working again, and after various restarts and switching back and forth between Dnsmasq and Unbound, DNS on Unbound always stopped working again after some short random time.

After this (I was pretty sure a fresh install would help, because the migration could maybe have screwed things up), I decided to disable DNSSEC and DoT but leave Unbound DNS as the default DNS.

This setup is now stable for at least 24 hours!

As a side note, before the fresh install, when I was troubleshooting the issue, I remember that I got SERVFAILs when checking with tcpdump, e.g.

tcpdump -v -i igb0 dst port 53  # LAN showing SERVFAILS, when DNS stopped working
tcpdump -v -i igb1 dst port 853  # WAN when DoT enabled

P.S.: I have a PC Engines APU4 board.

P.P.S.: I did a health check of the system; I even tried checking the Unbound config based on https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#testing-the-setup. All checks are good and the logs do not seem to indicate an issue, which makes this hard to troubleshoot.
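The tcpdump checks in posts #3 and #9 (packets still arriving on LAN:53, nothing leaving on WAN:853, SERVFAIL answers to clients) localize the break to the link between Unbound's local answers and its DoT forwarding. The script below, an added example and not code from the thread or from OPNsense, asks the same three questions from a client without needing shell access to the firewall: does the resolver still answer a host-override name, does it answer an external name or SERVFAIL, and does the Quad9 upstream answer that external name directly over TLS on 853. It builds and parses raw DNS wire format with only the standard library. The resolver address `192.168.1.1` and the override name `app.lan` are assumptions to replace with your own; `9.9.9.9`/`dns.quad9.net` are the upstream named in the thread. (Incidentally, the posted unbound.conf has `module-config: "python iterator"` with no `validator`, so that particular config really has DNSSEC validation switched off.)

```python
"""Localize where DNS breaks on an Unbound resolver that forwards over DoT.

Added example, not part of the forum thread. All addresses and names below
are assumptions for illustration.
"""
import socket
import ssl
import struct

RESOLVER = "192.168.1.1"          # assumed OPNsense LAN address (hypothetical)
DOT_UPSTREAM = ("9.9.9.9", 853)   # Quad9, the upstream named in the thread
DOT_SNI = "dns.quad9.net"         # TLS name Quad9 presents on 853
INTERNAL_NAME = "app.lan"         # assumed host-override name (hypothetical)
EXTERNAL_NAME = "opnsense.org"    # any public name the resolver must forward
TXID = 0x1234

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=TXID, dnssec_ok=True):
    """Wire-format A/IN query with RD set. With dnssec_ok an EDNS0 OPT RR
    carrying the DO bit is appended, so the answer includes RRSIGs the way
    a DNSSEC-aware stub's query would."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)          # QTYPE=A, QCLASS=IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload 1232,
        # TTL field = ext-rcode 0 | version 0 | flags 0x8000 (DO), RDLENGTH 0
        opt = b"\x00" + struct.pack(">HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_rcode(data, expected_txid=TXID):
    """Return the RCODE name from a response header after checking id and QR."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags = struct.unpack(">HH", data[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("message is not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)


def query_udp(server, name, timeout=3.0):
    """Plain UDP/53 query to the resolver; 'TIMEOUT' if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return parse_rcode(data)


def query_dot(upstream, sni, name, timeout=5.0):
    """Same query straight to the upstream over TLS on 853 (RFC 7858), using
    the 2-byte length prefix of DNS over TCP; cert verified against system CAs."""
    q = build_query(name)
    ctx = ssl.create_default_context()
    with socket.create_connection(upstream, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(struct.pack(">H", len(q)) + q)
            (length,) = struct.unpack(">H", tls.recv(2))
            data = b""
            while len(data) < length:
                chunk = tls.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
    return parse_rcode(data)


def diagnose(internal, external, upstream):
    """Map the three outcomes onto the links of the diagram in the thread."""
    if internal != "NOERROR":
        return "resolver does not answer its own override (%s): check the Unbound service/listener" % internal
    if external == "NOERROR":
        return "resolver healthy: internal and external names resolve"
    if upstream == "NOERROR":
        return "local resolution works but forwarding to the DoT upstream fails inside Unbound"
    return "upstream itself fails on 853 (%s): check the WAN path before blaming Unbound" % upstream


if __name__ == "__main__":
    i = query_udp(RESOLVER, INTERNAL_NAME)
    e = query_udp(RESOLVER, EXTERNAL_NAME)
    try:
        u = query_dot(DOT_UPSTREAM, DOT_SNI, EXTERNAL_NAME)
    except (OSError, ssl.SSLError, ValueError) as exc:
        u = "ERROR(%s)" % exc.__class__.__name__
    print("internal=%s external=%s upstream=%s" % (i, e, u))
    print(diagnose(i, e, u))
```

The pattern that matches the thread is internal NOERROR, external SERVFAIL, upstream NOERROR: the firewall can still reach Quad9 on 853 from the same network, yet Unbound returns SERVFAIL and sends nothing out, which points at Unbound's own forwarding or infra-cache state rather than the WAN. If the third probe also fails, look at the WAN path first.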
#10
Same happening to me on OPNsense 23.7.7_3 (I think I upgraded from 23.7.3 or 4 to 23.7.7_1, then 23.7.7_3). After that, DNS (Unbound) randomly stopped/crashed and I had to switch to Dnsmasq and add DNS servers under Settings -> General -> DNS Servers to make my router work again.

If I remember correctly a ping works, which means it definitely looks like a DNS issue... possibly only for DoT users with DNSSEC enabled, or also people without it? I use DoT to Quad9 (9.9.9.9 and 149.112.112.112) but am not sure if this is relevant. Can someone confirm that it also stops and crashes without DoT and DNSSEC enabled?

No clue where to look, as it does not look like Unbound DNS throws any errors.

I also did not find a matching issue report on

Another thread possibly following the same issue might be the one here: https://forum.opnsense.org/index.php?topic=35527.75

Would be really nice to have at least a clue about the progress or what the cause could be...