Messages

It does - and I do not see any latency issues with DNSbench.

BTW: your other post is misleading: The ISP actually can see what site you are accessing - and they do not even need you to use unencrypted DNS: Almost any website today uses TLS, but there still is SNI, so unless the website has ESNI or ECH, the name of the site still goes unencrypted, even if the target IP is not a dead giveaway in itself.

That is the reason why modern browsers do ECH and DoT/DoH by default. You do not need to configure that on your firewall.

You can check for all of that here: https://www.cloudflare.com/de-de/ssl/encrypted-sni/

You absolutely right! It is a shame that ECH isnt better implemented though.
From my understanding ech is somewhat implemented into DNSCrypt. Ofc very few have implemented it server side as well. Making it mostly useless for now?

But i still stand by what i said with ubound being slow.

OP you should test these sites as well:
https://cmdns.dev.dns-oarc.net/
https://dnscheck.tools/ 

You can still use Unbound for local resolution if you use DoT for outside access - there is no need for an additional resolver.

Yes ofc, but i do not recommend that. I tried it on many environments. And all is suffering bad performance, high latency. Not even sure it actually does what it supposed to?

I realized i didnt answer all you questions.

my ISP not to spy on me and see what im doing

Well unless you use tor or a vpn that is impossible.
But DoH seems safer in my eyes, but DoT should be just as secure.
Either way all you isp would see is ip, ports, time and packagetype. Not even what if you went to facebook.com. But they might know that Facebook use 1.2.3.4 ip so that is a giveaway. But they cant really see much more. Time as in when you went there. Ofc how long.

Not to go into debate, but only you trust you vpn provider. Who says they dont do the same?

Download the plugin called os-dnscrypt-proxy and setup that, i recommend go to unbound and Query Forwarding to dnscrypt, that way you can still use unbound for local dns and to use its filter or blocklists.

I noticed that dnscrypt is so fast using doh.

You probably want a transparent filtering bridge:

https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

Would that still allow me to have an Lan1, Lan2 and wan with failover to that wan that is bridge?

[Hi there!]

Hi there!

I wondering if it's possible to have statically assigned wan on one nic (as usual) (This would hypothetically be my second wan) But to not complicate stuff. One wan in and the second nic would simply pass that wan over. The second nic would be connected to a router that has that static ip set already. It is a fairly big network but old and we don't want to touch it for now.

Basically opnsense would become a firewall for another router.

Any other suggestions would be helpful too 🙌🏼

Yea that was what i was thinking!


Anyways, this seems to go kind of deep. I feel like there been problems with unbound from as early as 2022. Reading forum right now and this can be interesting to read. https://forum.opnsense.org/index.php?topic=35527.msg181074#msg181074

Really would want to sort this out

I think that jus how it is, however for me, the /lib dir was full before i restarted it. Not a couple of hours after it seems fine. Idk..

Code Select Expand

root@opnsense:~ # df -h
Filesystem                  Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs              23G     11G     10G    52%    /
devfs                       1.0K    1.0K      0B   100%    /dev
/dev/gpt/efifs              256M    1.7M    254M     1%    /boot/efi
devfs                       1.0K    1.0K      0B   100%    /var/dhcpd/dev
devfs                       1.0K    1.0K      0B   100%    /var/unbound/dev
/usr/local/lib/python3.9     23G     11G     10G    52%    /var/unbound/usr/local/lib/python3.9
/lib                         23G     11G     10G    52%    /var/unbound/lib

EDIT: I noticed it from the gui on the dashboard first. Lib was full and Unbound was not on.

Also seeing this, my filesystem was also full, had to restart unbound dns. This is not the first day i had problems. Ever since OPNsense 24.1.5_1 i gotten issues. Also this is very fresh build!!!

Running in a proxmox vm if that makes any difference?

OPNsense 24.1.5_3-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13

Code Select Expand

2024-04-14T17:16:52 Error opnsense /usr/local/sbin/pluginctl: The command '/sbin/umount '/var/unbound/lib'' returned exit code '1', the output was 'umount: /var/unbound/lib: not a file system root directory'
2024-04-14T17:16:52 Error opnsense /usr/local/sbin/pluginctl: The command '/bin/kill -'TERM' '29609''(pid:/var/run/unbound.pid) returned exit code '1', the output was 'kill: 29609: No such process'
2024-04-14T17:16:52 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure unbound_start (execute task : unbound_configure_do(1))
2024-04-14T17:16:52 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure unbound_start (1)
2024-04-14T17:16:51 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure unbound_stop (execute task : unbound_service_stop(1))
2024-04-14T17:16:51 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure unbound_stop (1)