Messages - vrtigo1

#1
Quote from: CJ on March 23, 2024, 04:55:20 PM
Quote from: vrtigo1 on March 22, 2024, 03:53:49 PM
Is there any reason I want to use forwarders vs root servers?  I can understand forwarders would be necessary if I wanted to use a filtering service like OpenDNS, but failing that aren't all DNS servers designed to use root hints?

Designed to use root is different from whether or not you should use root.  If everyone used the root servers it would overwhelm them.  That's why caching forwarders exist.

In your case, Unbound is attempting to contact IPv6 root servers and that's why you're having resolution failures.

This behavior seems like a bug if the system and Unbound are both configured to not use IPv6.  Do you know where this should be reported?
#2
Quote from: CJ on March 15, 2024, 03:25:26 PM
Quote from: vrtigo1 on March 13, 2024, 05:57:14 PM
Quote from: CJ on March 13, 2024, 01:09:19 PM
Quote from: vrtigo1 on March 12, 2024, 02:27:10 AM
Quote from: CJ on March 08, 2024, 03:51:45 PM
What do you have under DNS server options on the General page?

Under system > settings > general > DNS servers I have 1.1.1.1 and 8.8.8.8.

Not DNS servers.  DNS server options.  The section below where the DNS servers are entered.

Nothing checked there.

That's what I figured.  Right now you have Unbound operating in resolve mode which hits the root servers.  I assume you want it to be working in forwarding mode and using 1.1.1.1 and 8.8.8.8.

On Services: Unbound DNS: Query Forwarding check the Use System Nameservers checkbox.  If you prefer to use DoT, you can set that instead but then I'd recommend removing the entries from the General tab.

Is there any reason I want to use forwarders vs root servers?  I can understand forwarders would be necessary if I wanted to use a filtering service like OpenDNS, but failing that aren't all DNS servers designed to use root hints?
#3
Quote from: CJ on March 13, 2024, 01:09:19 PM
Quote from: vrtigo1 on March 12, 2024, 02:27:10 AM
Quote from: CJ on March 08, 2024, 03:51:45 PM
What do you have under DNS server options on the General page?

Under system > settings > general > DNS servers I have 1.1.1.1 and 8.8.8.8.

Not DNS servers.  DNS server options.  The section below where the DNS servers are entered.

Nothing checked there.
#4
Quote from: CJ on March 08, 2024, 03:51:45 PM
What do you have under DNS server options on the General page?

Under system > settings > general > DNS servers I have 1.1.1.1 and 8.8.8.8.
#5
Quote from: CJ on March 07, 2024, 01:11:11 PM
Is IPv6 disabled on your WAN?
What do you have for your DNS settings on System: Settings: General?
Do you have any entries under Services: Unbound DNS: Query Forwarding or Services: Unbound DNS: DNS over TLS?
As a side note, enabling IPv6 just for unbound can be handy as resolvers return both v4 and v6 records.  It's the only v6 traffic I currently have on my network.

Yes, IPv6 is completely disabled on all interfaces.

Under system > settings > general > DNS servers I have 1.1.1.1 and 8.8.8.8.

Nothing under Unbound DNS > Query Forwarding or DNS over TLS.
#6
Quote from: cookiemonster on March 05, 2024, 10:36:58 PM
I don't know if it plays a part, but check: System > Settings > General > Networking | "Prefer to use IPv4 even if IPv6 is available"
maybe?

Unfortunately I'm still seeing the same behavior with this setting enabled.  Any other thoughts?
#7
I enabled it and will see if it helps.
#8
I started using OPNsense about a month ago and, like the title says, I've noticed on a handful of occasions the Unbound resolver will periodically fail to resolve some hostnames.

These are almost universally sites that I visit infrequently. When I try using nslookup to manually query the Unbound resolver running on OPNsense for the hostname I'll get a 'server failed' error, but the OPNsense resolver will continue to resolve other hostnames with no problem. After a few minutes the problem seems to go away and the previously unresolvable hostname works as expected.

This has happened with several different large websites, so I don't think this is an issue on the website's end.

Running 24.1.1 in a pretty vanilla configuration on an N100 micro PC.

After enabling Unbound logging, I initially saw logs like this:

2024-03-04T21:23:04-05:00 Error unbound [66128:3] error: SERVFAIL <link.ablink.hardrockgames.com. AAAA IN>: exceeded the maximum number of sends
2024-03-04T21:23:04-05:00 Error unbound [66128:0] error: SERVFAIL <link.ablink.hardrockgames.com. A IN>: exceeded the maximum number of sends
2024-03-04T21:23:04-05:00 Error unbound [66128:1] error: SERVFAIL <link.ablink.hardrockgames.com. AAAA IN>: exceeded the maximum number of sends
2024-03-04T21:23:04-05:00 Error unbound [66128:2] error: SERVFAIL <link.ablink.hardrockgames.com. A IN>: exceeded the maximum number of sends
2024-03-04T21:22:54-05:00 Error unbound [66128:1] error: SERVFAIL <catalog.gamepass.com. A IN>: exceeded the maximum number of sends
2024-03-04T21:22:47-05:00 Error unbound [66128:3] error: SERVFAIL <push.prod.netflix.com. A IN>: exceeded the maximum number of sends
2024-03-04T21:22:44-05:00 Error unbound [66128:3] error: SERVFAIL <mn04-lobby-gate.mattel163.com. HTTPS IN>: exceeded the maximum number of sends
2024-03-04T21:22:44-05:00 Error unbound [66128:0] error: SERVFAIL <mn04-lobby-gate.mattel163.com. A IN>: exceeded the maximum number of sends
2024-03-04T21:22:43-05:00 Error unbound [66128:3] error: SERVFAIL <tc-log.mattel163.com. A IN>: exceeded the maximum number of sends

After cranking the verbosity up, I was seeing things like this:

2024-03-05T12:45:51-05:00 Error unbound [6767:1] error: udp connect failed: No route to host for 2001:502:7094::30 port 53 (len 28)

It looks like Unbound is trying to use IPv6 for some reason, even though IPv6 is disabled on all my OPNsense interfaces.

Any suggestions on how I can troubleshoot this issue?
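The SERVFAIL lines and the "udp connect failed: No route to host" line quoted in the post above are the two signals that, read together, point at the cause the thread arrives at: the resolver is sending upstream queries to IPv6 addresses on a host that has no IPv6 route. The script below is an added example, not code from the thread or from OPNsense or Unbound; it parses log text in the format quoted above, counts SERVFAILs per name and query type, and separates unreachable upstream addresses by IP version so the IPv6 case is reported explicitly. The sample log is constructed from the lines in the post, with one additional IPv4 line (using the documentation address 192.0.2.53) added to show the non-IPv6 branch; the regexes assume the exact message wording shown in the post.

```python
"""Summarise Unbound SERVFAIL and upstream-connect failures from log text."""
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the Unbound log lines quoted in the post.
# The 192.0.2.53 line is invented (documentation range) to exercise the IPv4 branch.
SAMPLE_LOG = """\
2024-03-04T21:23:04-05:00 Error unbound [66128:3] error: SERVFAIL <link.ablink.hardrockgames.com. AAAA IN>: exceeded the maximum number of sends
2024-03-04T21:23:04-05:00 Error unbound [66128:0] error: SERVFAIL <link.ablink.hardrockgames.com. A IN>: exceeded the maximum number of sends
2024-03-04T21:22:54-05:00 Error unbound [66128:1] error: SERVFAIL <catalog.gamepass.com. A IN>: exceeded the maximum number of sends
2024-03-04T21:22:47-05:00 Error unbound [66128:3] error: SERVFAIL <push.prod.netflix.com. A IN>: exceeded the maximum number of sends
2024-03-05T12:45:51-05:00 Error unbound [6767:1] error: udp connect failed: No route to host for 2001:502:7094::30 port 53 (len 28)
2024-03-05T12:45:52-05:00 Error unbound [6767:1] error: udp connect failed: No route to host for 192.0.2.53 port 53 (len 16)
"""

# "SERVFAIL <name qtype IN>: reason" as it appears in the quoted lines.
SERVFAIL_RE = re.compile(
    r"error: SERVFAIL <(?P<name>\S+) (?P<qtype>[A-Z0-9]+) IN>: (?P<reason>.+)$"
)
# "udp connect failed: <reason> for <addr> port <port>" as in the verbose line.
CONNECT_RE = re.compile(
    r"error: udp connect failed: (?P<reason>.+?) for (?P<addr>[0-9A-Fa-f:.]+) port (?P<port>\d+)"
)


def parse_line(line: str):
    """Return a dict describing one log event, or None if the line is not one we know."""
    m = SERVFAIL_RE.search(line)
    if m:
        return {"kind": "servfail", **m.groupdict()}
    m = CONNECT_RE.search(line)
    if m:
        return {"kind": "connect", **m.groupdict()}
    return None


def analyze(log_text: str) -> dict:
    """Aggregate SERVFAILs by name/qtype and unreachable upstreams by IP version."""
    report = {
        "servfail_by_name": Counter(),
        "servfail_by_qtype": Counter(),
        "unreachable_v6": [],
        "unreachable_v4": [],
        "unparsed": 0,
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        if ev is None:
            report["unparsed"] += 1
            continue
        if ev["kind"] == "servfail":
            report["servfail_by_name"][ev["name"]] += 1
            report["servfail_by_qtype"][ev["qtype"]] += 1
        else:
            # ipaddress decides the family; an IPv6 upstream on a v4-only host is the thread's case.
            addr = ipaddress.ip_address(ev["addr"])
            key = "unreachable_v6" if addr.version == 6 else "unreachable_v4"
            if ev["addr"] not in report[key]:
                report[key].append(ev["addr"])
    return report


def diagnose(report: dict) -> list:
    """Turn the aggregated report into short findings for the operator."""
    findings = []
    if report["unreachable_v6"]:
        findings.append(
            f"{len(report['unreachable_v6'])} IPv6 upstream address(es) with no route: "
            "Unbound is sending queries over IPv6 on a host without IPv6 connectivity."
        )
    if report["unreachable_v4"]:
        findings.append(
            f"{len(report['unreachable_v4'])} IPv4 upstream address(es) with no route: "
            "check the default route and firewall state for the resolver."
        )
    total = sum(report["servfail_by_name"].values())
    if total:
        worst = ", ".join(f"{n} x{c}" for n, c in report["servfail_by_name"].most_common(3))
        findings.append(f"{total} SERVFAIL(s); most affected: {worst}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(analyze(SAMPLE_LOG)):
        print(finding)
```

Run it as-is to see the three findings for the constructed sample; to use it on a real export, read the Unbound log file into `analyze()` instead of `SAMPLE_LOG`. The split by address family is the point: a SERVFAIL with "exceeded the maximum number of sends" on its own says only that every retry failed, while the unreachable-address list says why, and seeing only IPv6 entries there on a host with IPv6 disabled is exactly the symptom discussed in the thread.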