Messages - Seattle2k

#1
Quote from: frozen on July 08, 2025, 04:14:36 PM
Dunno what Unbound's problem is, I have a fairly straightforward setup

In Services > Unbound > Query Forwarding, I have 192.168.1.24 port 5353 enabled which is my DNS resolver.

Randomly today I could not get onto aliexpress.com, my browser said it couldn't resolve the address.  I opened my terminal, and 'nslookup' also failed with SERVFAIL.  However I then typed dig address.com @192.168.1.24 -p5353 and it worked INSTANTLY. 

Tried dig @192.168.1.1 and it failed.

Where is the massive desynchronization going on here?  Why is OPNsense and Unbound reporting SERVFAIL when it very clearly is working just fine via dig?

Which OPNsense or Unbound version are you running?

I think I've run into the same problem on OPNsense 25.1.7
https://forum.opnsense.org/index.php?topic=47965.0
#2
Versions
OPNsense 25.1.7_4-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16


I updated to 25.1.7 last week without any problems. However, this morning I began getting a lot of NXDOMAIN errors in browsers.
nslookup from clients to my OPNsense's LAN IP confirmed OPNsense was not responding to queries. nslookup for the same domains, to other DNS servers, worked fine.
I rebooted the OPNsense system and the problem went away for a few hours.

When the problem returned, I restarted the Unbound service. This resolved the problem for less than an hour.  I restarted Unbound several more times, only for the SERVFAILs to soon return within minutes.


Here are some examples of Unbound logs I grabbed:
2025-07-15T11:13:22-07:00    Error    unbound    [10659:0] error: SERVFAIL <s.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T11:09:30-07:00    Error    unbound    [10659:0] error: SERVFAIL <s.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T11:02:12-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T11:02:12-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T11:01:34-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T11:01:34-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T10:38:27-07:00    Error    unbound    [75546:0] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T10:38:27-07:00    Error    unbound    [75546:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends


2025-07-15T22:08:39-07:00    Error    unbound    [24263:1] error: SERVFAIL <datarouter.ol.epicgames.com. A IN>: exceeded the maximum nameserver nxdomains   
2025-07-15T22:05:44-07:00    Error    unbound    [58101:1] error: SERVFAIL <sentry.goquiq.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T22:05:44-07:00    Error    unbound    [58101:1] error: SERVFAIL <sentry.goquiq.com. A IN>: exceeded the maximum number of sends   
2025-07-15T22:05:43-07:00    Error    unbound    [58101:1] error: SERVFAIL <o293668.ingest.sentry.io. HTTPS IN>: exceeded the maximum nameserver nxdomains   
2025-07-15T22:05:43-07:00    Error    unbound    [58101:1] error: SERVFAIL <ping.chartbeat.net. A IN>: exceeded the maximum number of sends


===========================================================================
LAN interface capture conducted on OPNSense:
No.    Time    Source    Destination    Protocol    Length    Info
135    20:43:52.447220    192.168.1.104    192.168.1.2    DNS    75    Standard query 0xf167 A www.youtube.com
136    20:43:52.602864    192.168.1.2    192.168.1.104    DNS    75    Standard query response 0xf167 Server failure A www.youtube.com
137    20:43:52.613299    192.168.1.104    192.168.1.2    DNS    75    Standard query 0xf167 A www.youtube.com
138    20:43:52.614067    192.168.1.2    192.168.1.104    DNS    75    Standard query response 0xf167 Server failure A www.youtube.com
139    20:43:52.624176    192.168.1.104    192.168.1.2    DNS    75    Standard query 0x6ddf A www.youtube.com
140    20:43:52.625145    192.168.1.2    192.168.1.104    DNS    75    Standard query response 0x6ddf Server failure A www.youtube.com

No.    Time    Source    Destination    Protocol    Length    Info
976    20:44:08.158536    192.168.1.104    192.168.1.2    DNS    72    Standard query 0x3faf A www.dell.com
977    20:44:08.162718    192.168.1.2    192.168.1.104    DNS    72    Standard query response 0x3faf Server failure A www.dell.com
978    20:44:08.165670    192.168.1.104    192.168.1.2    DNS    72    Standard query 0x3faf A www.dell.com
979    20:44:08.168277    192.168.1.2    192.168.1.104    DNS    72    Standard query response 0x3faf Server failure A www.dell.com
982    20:44:08.182625    192.168.1.104    192.168.1.2    DNS    72    Standard query 0x23a1 A www.dell.com
983    20:44:08.182984    192.168.1.104    192.168.1.2    DNS    72    Standard query 0xa140 HTTPS www.dell.com
985    20:44:08.183844    192.168.1.2    192.168.1.104    DNS    72    Standard query response 0x23a1 Server failure A www.dell.com
989    20:44:08.186721    192.168.1.104    192.168.1.2    DNS    72    Standard query 0x8fc0 A www.dell.com
991    20:44:08.187376    192.168.1.2    192.168.1.104    DNS    72    Standard query response 0x8fc0 Server failure A www.dell.com
994    20:44:08.189024    192.168.1.2    192.168.1.104    DNS    72    Standard query response 0xa140 Server failure HTTPS www.dell.com

^^ (client: 192.168.1.104, OPNsense LAN interface: 192.168.1.2)



WAN interface capture conducted on OPNSense:
No.    Time    Source    Destination    Protocol    Length    Info
126    20:43:52.448786    my_public_ip    216.239.38.10    DNS    86    Standard query 0xc14f A www.youtube.com OPT
127    20:43:52.448869    my_public_ip    216.239.38.10    DNS    86    Standard query 0xc14f A www.youtube.com OPT
128    20:43:52.514597    216.239.38.10    my_public_ip    DNS    248    Standard query response 0xc14f A www.youtube.com CNAME youtube-ui.l.google.com A 142.250.69.174 A 142.251.33.78 A 142.250.217.78 A 142.250.217.110 A 142.251.215.238 A 142.250.73.78 A 142.250.73.110 A 142.250.73.142 OPT

(nothing appeared on WAN side, when client was querying for www.dell.com)

(note: I realize the timestamps in the packet captures and logs don't match up, that was my mistake. I'm tired.)

I rolled back to the following snapshot 1 hour ago, and the problem has not returned.
OPNsense 25.1.5_5-amd64
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16
(Unbound 1.22.0_1)
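As an added example (not code from this post, OPNsense or Unbound): a small Python triage script for the two kinds of evidence shown above. It parses Unbound SERVFAIL log lines in the quoted format and tallies the failure reason per query name and per Unbound PID (a new PID after each restart shows whether the restart cleared anything), and it parses Wireshark-style capture rows like the LAN capture, pairing each query with its response by DNS transaction ID so you can see how quickly each Server failure came back. The log lines and capture rows embedded in the block are constructed copies of the post's data, with one non-error line added as noise; the 10 ms "fast SERVFAIL" threshold is an assumption.

```python
"""Triage helper for the Unbound SERVFAIL symptoms above (added example, not
code from the post, OPNsense or Unbound)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Unbound log line as quoted in the post, e.g.
# 2025-07-15T11:13:22-07:00  Error  unbound  [10659:0] error: SERVFAIL <s.youtube.com. A IN>: exceeded the maximum number of sends
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+Error\s+unbound\s+\[(?P<pid>\d+):(?P<thread>\d+)\]\s+error:\s+SERVFAIL\s+"
    r"<(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)>:\s+(?P<reason>.+?)\s*$"
)
# Wireshark "Info" column text for a DNS query or response.
INFO_RE = re.compile(
    r"Standard query(?P<resp> response)? 0x(?P<txid>[0-9a-f]{4}) "
    r"(?P<status>Server failure |No such name )?(?P<qtype>\S+) (?P<qname>\S+)"
)

# Constructed sample input in the post's log format; the last line is non-error noise.
LOG_LINES = [
    "2025-07-15T11:13:22-07:00    Error    unbound    [10659:0] error: SERVFAIL <s.youtube.com. A IN>: exceeded the maximum number of sends",
    "2025-07-15T11:02:12-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends",
    "2025-07-15T11:02:12-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends",
    "2025-07-15T10:38:27-07:00    Error    unbound    [75546:0] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends",
    "2025-07-15T22:08:39-07:00    Error    unbound    [24263:1] error: SERVFAIL <datarouter.ol.epicgames.com. A IN>: exceeded the maximum nameserver nxdomains",
    "2025-07-15T22:08:40-07:00    Notice   unbound    [24263:0] info: start of service (unbound 1.22.0).",
]
# Constructed rows (frame, time, src, dst, info) in the column order of the first LAN capture.
CAPTURE_ROWS = [
    (135, "20:43:52.447220", "192.168.1.104", "192.168.1.2", "Standard query 0xf167 A www.youtube.com"),
    (136, "20:43:52.602864", "192.168.1.2", "192.168.1.104", "Standard query response 0xf167 Server failure A www.youtube.com"),
    (137, "20:43:52.613299", "192.168.1.104", "192.168.1.2", "Standard query 0xf167 A www.youtube.com"),
    (138, "20:43:52.614067", "192.168.1.2", "192.168.1.104", "Standard query response 0xf167 Server failure A www.youtube.com"),
    (976, "20:44:08.158536", "192.168.1.104", "192.168.1.2", "Standard query 0x3faf A www.dell.com"),
    (977, "20:44:08.162718", "192.168.1.2", "192.168.1.104", "Standard query response 0x3faf Server failure A www.dell.com"),
    (983, "20:44:08.182984", "192.168.1.104", "192.168.1.2", "Standard query 0xa140 HTTPS www.dell.com"),
    (994, "20:44:08.189024", "192.168.1.2", "192.168.1.104", "Standard query response 0xa140 Server failure HTTPS www.dell.com"),
]


def parse_unbound_errors(lines):
    """One dict per SERVFAIL log line; lines that are not SERVFAIL errors are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l.strip()) for l in lines) if m]


def servfail_summary(records):
    """Counter keyed by (reason, qname) so the dominant failure mode stands out."""
    return Counter((r["reason"], r["qname"]) for r in records)


def reasons_by_pid(records):
    """Reason counts per Unbound PID: each restart starts a new PID, so this shows
    whether the errors stopped after a restart or simply resumed under the new one."""
    per_pid = defaultdict(Counter)
    for r in records:
        per_pid[r["pid"]][r["reason"]] += 1
    return per_pid


def pair_capture(rows):
    """Pair queries with responses by transaction ID.

    Returns {txid: {...}} with the client, response status and query-to-response
    latency in milliseconds. A retransmitted query (same txid) keeps the first
    query time, and the first response fixes the latency.
    """
    result = {}
    for _frame, t, src, _dst, info in rows:
        m = INFO_RE.search(info)
        if not m:
            continue
        ts = datetime.strptime(t, "%H:%M:%S.%f")
        e = result.setdefault(m.group("txid"), {
            "qname": m.group("qname"), "qtype": m.group("qtype"), "client": None,
            "query_time": None, "status": None, "latency_ms": None})
        if not m.group("resp"):
            if e["query_time"] is None:
                e["query_time"], e["client"] = ts, src
        else:
            e["status"] = (m.group("status") or "answered").strip()
            if e["query_time"] is not None and e["latency_ms"] is None:
                e["latency_ms"] = (ts - e["query_time"]).total_seconds() * 1000.0
    return result


def fast_servfails(pairs, threshold_ms=10.0):
    """Transaction IDs answered with Server failure faster than threshold_ms (assumed 10 ms)."""
    return [txid for txid, p in sorted(pairs.items())
            if p["status"] == "Server failure"
            and p["latency_ms"] is not None and p["latency_ms"] < threshold_ms]


if __name__ == "__main__":
    recs = parse_unbound_errors(LOG_LINES)
    for (reason, qname), n in servfail_summary(recs).most_common():
        print(f"{n:3d}  {reason:45s} {qname}")
    for pid, counts in reasons_by_pid(recs).items():
        print(f"pid {pid}: {dict(counts)}")
    pairs = pair_capture(CAPTURE_ROWS)
    for txid in fast_servfails(pairs):
        p = pairs[txid]
        print(f"0x{txid} {p['qtype']} {p['qname']} SERVFAIL after {p['latency_ms']:.3f} ms (client {p['client']})")
```

Read against the post's own data, the pairing separates two cases: the www.dell.com Server failures come back about 4 to 6 ms after the query with nothing seen on WAN, so Unbound is answering from state it already holds (a failed lookup stays briefly in its cache and upstreams it has marked as failing are not retried immediately) rather than from a fresh upstream attempt, while the www.youtube.com SERVFAIL takes roughly 155 ms and overlaps a WAN exchange that did return a full answer. The "exceeded the maximum number of sends" reason is Unbound's iterator giving up on a query after hitting its cap on outgoing sends to upstreams for that single query; a per-PID count that keeps climbing after each new PID is the signature of the "restart fixes it for minutes" pattern described above.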
#3
General Discussion / Re: Issues with NICs
September 17, 2024, 09:44:52 PM
My Realtek NICs have been working great for the past 2 months. Make sure the os-realtek-re plugin/package is installed.
#4
If you want to prevent the NVR from reaching the internet, create a block rule...
#5
I don't understand why people choose to have such complicated setups. Why the pihole? Are the blacklists in Unbound inadequate?

That aside...use tcpdump to inspect the DNS traffic. Can you see the query request leaving OPNSense?
#6
Checked Unbound logs?
Also, when problem occurs, run tcpdump (interface > Diagnostics > Packet Capture). Do you see DNS queries arriving from your clients?
If not, did your clients lose their DNS server address?

I'm running 24.1.10_3-amd64, no problems here.

#7
If you have SSH open from outside, you're doing something wrong.
And, as PerpetualNewbie mentioned, this vulnerability is not exactly simple to exploit.
#8
24.1, 24.4 Legacy Series / Re: Frequent crashes
June 25, 2024, 10:34:11 PM
If it's restarting unexpectedly, I don't understand how that would be you second-guessing yourself.
What errors do you find in the logs, just prior to the system restarting itself? (look back through the system log)
#9
If you have a Windows PC at home, here are some more useful troubleshooting tools:
https://www.clouddirect.net/knowledge-base/KB0011455/using-traceroute-ping-mtr-and-pathping

Similar tools are also available on Linux/Mac.