Messages

Thanks for posting, fixed my issue as well!

I haven't enabled the per-network DNSBL on my end as of yet, but for those who are seeing this- are you using dynamic IPv6 prefixes?  I'm looking at the Source Nets field and I don't know how you would even configure it for e.g. IA_PD.

AFAIK, we don't (yet) have any mechanism to track those for use in form fields like this.  Am I misinformed, or is this feature presently limited to IPv4 and IPv6 networks where the prefixes are not changing?

In any case: https://github.com/opnsense/core/issues/9474

I have applied the patch for issue 9474 and can confirm the fix is working properly.

Thanks to the developers for making this change!!

Thanks for filing the issue.

In my case, all my clients are assigned only an ipv4 address for the DNS server; so no IPv6 issues here.

My thoughts are that we need to query the blocklist prior to querying the cache and blocklist results should not update the cache.  Not sure what a change like this would do to performance.

After upgrading to 25.7.8, I configured unbound's blocklist's source nets to include my LAN and IoT networks, excluding my GUEST network.  The problem is as soon as someone on the guest network does a lookup of a blocked domain, that domain's IP lookup is cached. After this, that blocked domain's IPs are served to my LAN.

Is there a solution for this?  I know I can use a different DNS server for my GUEST network. That is what I was doing before the source nets feature was added to 25.7.8.

Thanks in advance!

I believe what you are looking for is under advance mode - URL of Blocklists

I have seen the same issue with TP-Link switches and smart plugs.  They are issued a new IPV6 address about every 10 minutes.  Never saw this with ISC DHCPv6.  Also used the dnsmasq ignore option on these TP-Link devices.

Are you using the APC or NUT plugin?  I found my router shut down a couple times and tracked it down to my UPS running a self test which triggered a shutdown of the router.  Not sure why a UPS self test should ever trigger any device shutdown.

confirmed the patch resolved the issue for me as well.

Navigate to interfaces -> overview and click the WAN's search glass icon.  One of the items listed is 'Dynamic IPv6 prefix received'.  Is that what you are looking for?

Code Select Expand

opnsense-patch https://github.com/opnsense/core/commit/e7441283055dcb33a389f02d4e0f502767c8ecd1

Patch works - thanks!!

Dnsmasq uses the DNS servers defined in "System - Settings - General" as upstream.

Otherwise, you need this patch:

Code Select Expand

opnsense-patch https://github.com/opnsense/core/commit/220dbc7931e11c71587734ed9c1731abdf9eaff8

With it you can set "Do not forward to system defined DNS servers" in dnsmasq and provide your own ones in the "Domain" tab. Just use an asterisk (*) to specify any domain, and then define an IP address (e.g. 1.1.1.1) or Unbound if it runs on a different port (127.0.0.1, Port 53053).

Since updating to 25.1.8_1, I can no longer use an asterisk (*) to specify any domain.  Are there any workarounds?

[update]

Since updating to 25.1.6_2, unbound's 'serve expired' feature is not working for me.

I am using unbound only for DNS.

Anyone else seeing this?

update: My 'client expired response timeout' was blank - after entering a value (0 in my case), it started working.

I was experiencing the same issue. Problem cleared with a router reboot. YMMV

In case anyone is interested....

I found the keyboard setting on the ipad called 'smart punctuation'.  When enabled, the quotes are left or right leaning vs being straight quotes.  Disabling 'smart punctuation' fixes this problem.

I found this issue only occurs when editing the service test using my ipad (safari, firefox, or chrome) - works fine when editing the service test using my macbook (safari).

Hopefully this information will be useful to the developers.

And many thanks to all the developers for all your hard work!!