Messages - andyd

#1
So additional testing...

1. If I set the DNS ip address 1.1.1.1 on any device, I no longer have this issue
2. I updated the upstream dns server on adguard to "tls://one.one.one.one" and that seems to resolve the issue as well

So it looks like it's Unbound, and it's unclear why it's doing any level of blocking if I don't have anything enabled?

#2
I have Adguard pointing to Unbound as an upstream server on...

192.168.10.1:65353

And AdGuard running on port 53 on the same device as OPNsense.

With that said, I just noticed the Unbound reporting page. Why would it have a top blocked list using some blocklist if I don't have it enabled with any blocklists?

#3
So I have opnsense updated to latest firmware...

1. Use adguard as DNS
2. Have it pointing to Unbound as a private reverse DNS server
3. I have no blocklists in Unbound. I just have DNS over TLS servers

If I disable AdGuard protection, it's still blocked. Same goes with a lot of redirect links. Browser doesn't matter. If I go off my network, I have 0 issues accessing the same things.

And since updating to the latest firmware / updates on opnsense...

1. Adguard keeps complaining it can't update
2. All my Docker containers on Unraid can no longer do version checks, and some updates time out / fail

I'm not sure about those two, but at the very least I'd like to know what could be blocking access to some websites and redirects.

#4
Ah, got it. I was using nginx as a reverse proxy but was having similar issues with timeouts. I thought going this route for now seemed easier, but something with my setup is causing the names not to resolve correctly.

#5
Ah I thought it might make sense to tie it to my domain as well since I will eventually be doing the same for local ssl in my dockers.

So I installed the cert and I'm still getting the same issue. Attachment is showing the cert in trusted root.

Is there something else to it? Do I have to access it using "opnsense.localdomain"? That doesn't work either, though.

#6
Hmm. Not the response I was expecting.

I think the point of it is to not see a page saying that accessing the GUI is not secure, but you're saying this is the preferred behavior?

#7
If I disable DNS rebind checks, it doesn't time out. Should this be disabled?

It still isn't able to do name resolution, though.

On AdGuard, I see it get processed...

Status: Processed
DNS server: 192.168.1.1:65353
Served from cache
Elapsed: 0.04 ms
Response code: NOERROR

but getting...
"This site can't be reached router.mydomain.com's server IP address could not be found."
in Chrome

So failing at Unbound?

#8
So...

1. I've set up the ACME client to get and auto-renew the Let's Encrypt cert
2. I changed in Admin settings to use the cert

I am unable to access the website by the name

1. I have AdGuard set up with Unbound DNS as the upstream server - meaning AdGuard on port 53 and Unbound on port 65353. This is working without issue

2. I can add DNS rewrites in Adguard to opnsense web gui - that works

3. I can access the router via IP - all devices are on LAN interface as I haven't gotten around to playing with VLANs.

Not sure what could be the issue?

I followed this guide...

https://homenetworkguy.com/how-to/replace-opnsense-web-ui-self-signed-certificate-with-lets-encrypt/

Which makes the process seem easy, so not sure what could be going on. Guessing it has something to do with the AdGuard / Unbound setup but not 100% sure. I do know I have failed to do similarly via Traefik and nginx - I always hit a timeout when trying to access by name.

#9
The service is running...

admin@router:~ # upsc -l
cyberpower

And I have a port forward as shown below which was following this...

https://forum.opnsense.org/index.php?topic=19992.0

But still nothing is able to connect. Does anyone know what might be going on? When I check the logs, I don't see any errors.

#10
@cookiemonster

I actually got it working last night!

A few things...

I deleted Adguard and added it back in case I had messed with anything. After doing that...

1. I had forgotten about the option to set AdGuard as `Primary DNS server`. I enabled that. Not sure if that helps. Also not sure when that option was introduced, but it was never mentioned in this thread, so I didn't think to go back to the AdGuard page to enable it.
2. I noticed that the bind address in the AdGuard YAML was set to 0.0.0.0. I previously had it as the router IP. Not sure why I changed it, but I left it as default. Port was always 53, though.
3. I followed this guide instead which seemed more comprehensive in general...

https://windgate.net/setup-adguard-home-opnsense-adblocker/

I am not sure which of the four was the reason, but yeah, finally working. I recommend the guide above to others who are looking to set AdGuard to 53 and Unbound to another port.

#11
lol, it seemed like it would be necessary to do so for some other change.

Anyway, I cannot get this to work :/ Not sure what I'm missing, but the logs aren't helpful (or if any).

I usually work on things remotely since I'm not always home - hard to tell right now if there is something off with the VPN or home as well.

For the WireGuard VPN, it's just adding the DNS IP of 10.10.10.1? I have that but still no luck. The only thing that works for me is having Unbound set to port 53 (and following the guide I linked to previously).

#12
Quote from: 9axqe on February 12, 2024, 12:59:21 PM
Hey @andyd, did you check that you can send DNS request to <opnsense_IP>:5353 ?

Something like "host example.com <opnsense_IP>:5353" from a linux box.

Does this work?

btw, I disagree a bit with @yeraycito's recommendation of using port 5353. It's the default port for mDNS, I see an unnecessary risk for conflict, I use 53530 for example.

I'm going to try again later in the week. I suspect that I need to restart the router for the changes to really apply, as that's the lesson I learnt this morning when I was trying to revert to what I had.

In regards to 5353, yep! I read elsewhere that the port shouldn't be used.
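
The check quoted above (sending a query straight to the OPNsense IP on Unbound's non-standard port) is the right way to find out where resolution stops in an AdGuard → Unbound chain. Below is an added example, not code from this thread or from the OPNsense, AdGuard or Unbound projects, that does the same thing in Python so the response code (NOERROR vs. NXDOMAIN/SERVFAIL/REFUSED) and the returned addresses can be inspected. It also flags answers that fall in private address space, because Unbound's rebind protection (the "DNS rebind checks" mentioned earlier in this thread) drops such answers coming from upstream unless the domain is allowed as a private domain. The resolver address 192.0.2.1 and port 65353 in the usage lines are placeholders; the name router.mydomain.com is the one from the Chrome error above, and the reply used in the offline demo is constructed, not captured.

```python
"""Minimal DNS check against a resolver on a specific IP and port.

Added example, not from the forum thread. It does by hand what the
suggested "host example.com <opnsense_IP>:<port>" check does: build an A
query, send it over UDP to the given address/port, and report the
response code and answers. Answers inside private address space are
flagged, because Unbound's rebind protection drops such answers from
upstream unless the domain is allowed as a private domain. The resolver
address and port in main() are hypothetical placeholders.
"""
import ipaddress
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, txid=None):
    """Return a wire-format A/IN query for `name` with recursion desired."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg, expected_txid=None):
    """Return rcode name, A-record answers, and which answers are private."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = RCODES.get(flags & 0x0F, str(flags & 0x0F))
    off = 12
    for _ in range(qd):                    # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:      # A record
            answers.append(str(ipaddress.IPv4Address(rdata)))
    private = [a for a in answers if ipaddress.ip_address(a).is_private]
    return {"rcode": rcode, "answers": answers, "private": private}


def query(name, server, port=53, timeout=2.0):
    """Send one UDP query to server:port and parse the reply."""
    q = build_query(name)
    txid = struct.unpack("!H", q[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(q, (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def build_response(query_msg, addresses, rcode=0, ttl=60):
    """Construct a reply to query_msg (used to exercise the parser offline)."""
    txid = struct.unpack("!H", query_msg[:2])[0]
    question = query_msg[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + ipaddress.IPv4Address(a).packed for a in addresses)
    return header + question + rrs


if __name__ == "__main__":
    # Offline run on a constructed reply: an internal name answering with a
    # LAN address, which rebind protection would strip if it came from upstream.
    q = build_query("router.mydomain.com", txid=0x1234)
    print(parse_response(build_response(q, ["192.168.10.1"]), 0x1234))
    # Live check against a resolver on a non-standard port (placeholder values):
    # print(query("example.com", "192.0.2.1", port=65353))
```

Run it once against the AdGuard port (53) and once against Unbound's port directly: if Unbound answers NOERROR with the expected address but the client still fails, the problem is between AdGuard and its upstream, and if Unbound returns no answer for an internal name that should resolve to a 192.168.x address, rebind protection or the private-domain list is the first thing to look at.
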
#13
Anyone know how I can check what is the issue with my setup?

I have followed yeraycito's post and DNS ceases to work. The only configuration that seems to work for me is...

https://0x2142.com/how-to-set-up-adguard-on-opnsense/

But I want AdGuard to be on 53 and Unbound on some other port.

If I test upstream server in Adguard, that works so I figure there is some communication happening between Adguard and Unbound.

But I don't understand why there is no DNS resolution. I can access internal services by IP no problem, so it's just the DNS resolution that isn't working.

#14
Virtual private networks / adguard + vpn...
February 12, 2024, 07:10:24 AM
Should I be seeing my laptop and mobile clients under listed clients?

It seems like DNS queries are going up as I am on VPN but it could just be dockers I have running on my server.

When I check the client list, I don't see any VPN IPs like 10.0.0.14 - just all 192.168.10.x, which is my LAN range. What should I expect?

I saw this...
https://forum.opnsense.org/index.php?topic=22409.0
And after following the steps I see no difference