Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - Seattle2k

Pages1
#1
General Discussion / Re: Need Help blocking a Kid from P2P
December 04, 2025, 07:37:21 PM
I haven't used the IPS features. If it's filtering based on header or body content, it will not be able to see that, if the stream is encrypted. You would need a solution that's able to block based on DNS or TLS certificate's Common Name.

Have you tried Zenarmor? It's "App Controls > File Transfer" section might work. I Zenarmor and Unbound's blocklists to do my filtering at home.
#2
25.1, 25.4 Series / Re: Unbound DNS randomly stops resolving for clients even though manual dig works
July 18, 2025, 12:09:12 AM
Quote from: frozen on July 08, 2025, 04:14:36 PMDunno what Unbound's problem is, I have a fairly straightforward setup

In Services > Unbound > Query Forwarding, I have 192.168.1.24 port 5353 enabled which is my DNS resolver.

Randomly today I could not get onto aliexpress.com, my browser said it couldn't resolve the address.  I opened my terminal, and 'nslookup' also failed with SERVFAIL.  However I then typed dig address.com @192.168.1.24 -p5353 and it worked INSTANTLY. 

Tried dig @192.168.1.1 and it failed.

Where is the massive desynchronization going on here?  Why is OPNsense and Unbound reporting SERVFAIL when it very clearly is working just fine via dig?

Which OPNsense  or Unbound version are you running?

I think I've run into the same problem on OPNsense 25.1.7
https://forum.opnsense.org/index.php?topic=47965.0
#3
25.1, 25.4 Series / 25.1.7_4-amd64 - Unbound DNS started responding SERVFAIL to clients.
July 16, 2025, 08:19:28 AM
Versions
OPNsense 25.1.7_4-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16


I updated to 25.1.7 last week without any problems. However, this morning, began getting a lot of NXDOMAIN errors in browsers.
nslookup from clients to my OPNSense's LAN IP confirmed OPNsense not responding to queries. nslookup for the same domains, to other DNS servers worked fine.
I rebooted the OPNSense system and the problem went away for a few hours.

When the problem returned, I restarted the Unbound service. This resolved the problem for less than an hour.  I restarted Unbound several more times, only for the SERVFAILs to soon return within minutes.


Here are some examples of Unbound logs I grabbed:
2025-07-15T11:13:22-07:00    Error    unbound    [10659:0] error: SERVFAIL <s.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T11:09:30-07:00    Error    unbound    [10659:0] error: SERVFAIL <s.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T11:02:12-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T11:02:12-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T11:01:34-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T11:01:34-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T10:38:27-07:00    Error    unbound    [75546:0] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T10:38:27-07:00    Error    unbound    [75546:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends


2025-07-15T22:08:39-07:00    Error    unbound    [24263:1] error: SERVFAIL <datarouter.ol.epicgames.com. A IN>: exceeded the maximum nameserver nxdomains   
2025-07-15T22:05:44-07:00    Error    unbound    [58101:1] error: SERVFAIL <sentry.goquiq.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T22:05:44-07:00    Error    unbound    [58101:1] error: SERVFAIL <sentry.goquiq.com. A IN>: exceeded the maximum number of sends   
2025-07-15T22:05:43-07:00    Error    unbound    [58101:1] error: SERVFAIL <o293668.ingest.sentry.io. HTTPS IN>: exceeded the maximum nameserver nxdomains   
2025-07-15T22:05:43-07:00    Error    unbound    [58101:1] error: SERVFAIL <ping.chartbeat.net. A IN>: exceeded the maximum number of sends


===========================================================================
LAN interface capture conducted on OPNSense:
No.    Time    Source    Destination    Protocol    Length    Info
135    20:43:52.447220    192.168.1.104    192.168.1.2    DNS    75    Standard query 0xf167 A www.youtube.com
136    20:43:52.602864    192.168.1.2    192.168.1.104    DNS    75    Standard query response 0xf167 Server failure A www.youtube.com
137    20:43:52.613299    192.168.1.104    192.168.1.2    DNS    75    Standard query 0xf167 A www.youtube.com
138    20:43:52.614067    192.168.1.2    192.168.1.104    DNS    75    Standard query response 0xf167 Server failure A www.youtube.com
139    20:43:52.624176    192.168.1.104    192.168.1.2    DNS    75    Standard query 0x6ddf A www.youtube.com
140    20:43:52.625145    192.168.1.2    192.168.1.104    DNS    75    Standard query response 0x6ddf Server failure A www.youtube.com
utube.com
Destination    No.    Time    Source    Protocol    Length    Info
192.168.1.2    976    20:44:08.158536    192.168.1.104    DNS    72    Standard query 0x3faf A www.dell.com
192.168.1.104    977    20:44:08.162718    192.168.1.2    DNS    72    Standard query response 0x3faf Server failure A www.dell.com
192.168.1.2    978    20:44:08.165670    192.168.1.104    DNS    72    Standard query 0x3faf A www.dell.com
192.168.1.104    979    20:44:08.168277    192.168.1.2    DNS    72    Standard query response 0x3faf Server failure A www.dell.com
192.168.1.2    982    20:44:08.182625    192.168.1.104    DNS    72    Standard query 0x23a1 A www.dell.com
192.168.1.2    983    20:44:08.182984    192.168.1.104    DNS    72    Standard query 0xa140 HTTPS www.dell.com
192.168.1.104    985    20:44:08.183844    192.168.1.2    DNS    72    Standard query response 0x23a1 Server failure A www.dell.com
192.168.1.2    989    20:44:08.186721    192.168.1.104    DNS    72    Standard query 0x8fc0 A www.dell.com
192.168.1.104    991    20:44:08.187376    192.168.1.2    DNS    72    Standard query response 0x8fc0 Server failure A www.dell.com
192.168.1.104    994    20:44:08.189024    192.168.1.2    DNS    72    Standard query response 0xa140 Server failure HTTPS www.dell.com

^^ (client: 192.168.1.104, OPNSense LAN interface: 192.168.1.2)



WAN interface capture conducted on OPNSense:
No.    Time    Source    Destination    Protocol    Length    Info
126    20:43:52.448786 my_public_ip    216.239.38.10    DNS    86    Standard query 0xc14f A www.youtube.com OPT
127    20:43:52.448869    my_public_ip    216.239.38.10    DNS    86    Standard query 0xc14f A www.youtube.com OPT
128    20:43:52.514597    216.239.38.10    my_public_ip    DNS    248    Standard query response 0xc14f A www.youtube.com CNAME youtube-ui.l.google.com A 142.250.69.174 A 142.251.33.78 A 142.250.217.78 A 142.250.217.110 A 142.251.215.238 A 142.250.73.78 A 142.250.73.110 A 142.250.73.142 OPT

(nothing appeared on WAN side, when client was querying for www.dell.com)

(note: I realize the timestamps in the packet captures and logs don't match up, that was my mistake..I'm tired.)

I rolled back to the following snapshot 1 hour ago, and problem has not returned.
OPNsense 25.1.5_5-amd64
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16
(Unbound 1.22.0_1)
#4
General Discussion / Re: Issues with NICs
September 17, 2024, 09:44:52 PM
My Realtek NICs have been working great for the past 2 months. Make sure the os-realtek-re plugin/package is installed.
#5
General Discussion / Re: How can I keep my security camera setup off line and still acces it locally
September 17, 2024, 09:40:14 PM
If you want to prevent the NVR from reaching the internet, create a block rule...
#6
General Discussion / Re: Unbound timeout when resolving marlinfw.org
August 09, 2024, 05:37:26 PM
I don't understand why people choose to have such complicated setups. Why the pihole? Are the blacklists in Unbound inadequate?

That aside...use tcpdump to inspect the DNS traffic. Can you see the query request leaving OPNSense?
#7
24.1, 24.4 Legacy Series / Re: unbound dns not resolve
July 23, 2024, 11:12:40 PM
Checked Unbound logs?
Also, when problem occurs, run tcpdump (interface > Diagnostics > Packet Capture). Do you see DNS queries arriving from your clients?
If not, did your clients lose their DNS server address?

I'm running 24.1.10_3-amd64, no problems here.

#8
24.7, 24.10 Legacy Series / Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
July 02, 2024, 05:35:21 PM
If you have SSH open from outside, you're doing something wrong.
And, as PerpetualNewbie mentioned, this vulnerability is not exactly simple to exploit.
#9
24.1, 24.4 Legacy Series / Re: Frequent crashes
June 25, 2024, 10:34:11 PM
If it's restarting unexpectedly, I don't understand how that would be you second-guessing yourself.
What errors do you find in the logs, just prior to the system restarting itself? (look back through the system log)
#10
24.1, 24.4 Legacy Series / Re: Packet Loss and Stability help
June 25, 2024, 10:31:13 PM
If you have a Windows PC at home, here are some more useful troubleshooting tools:
https://www.clouddirect.net/knowledge-base/KB0011455/using-traceroute-ping-mtr-and-pathping

Similar tools also available on Linux/Mac
Pages1