Messages - trigg3r

#1
It's fine for me to switch to Unbound. What commands should I run to check unbound service status and start it?

What seems strange to me is that, for example, if I change the IP address of a hostname in the unbound configuration, I expect that a ping to this hostname will return the new IP, but this does not happen...
#2
Quote from: Patrick M. Hausen on May 15, 2025, 12:37:13 PM
How do you check from the terminal?

root@gw:~ # service dnsmasq status
dnsmasq is not running.

root@gw:~ # service unbound status
unbound is not running.

#3
I exported and re-imported the modified config.xml file.

After rebooting, the OPNsense WebUI shows Unbound running and DnsMasq stopped, but ...

- checking from the terminal: both are stopped!

- I ping a hostname from a PC and it responds, so name resolution seems to work somehow ...

- but any changes made from the WebUI have no effect: I can change the override settings for the hosts or start/stop Unbound/DnsMasq ... nothing happens

It seems that the WebUI for these two services is totally disconnected from the operating system settings.

What do you suggest I try?
#4
Quote from: Monviech (Cedrik) on May 14, 2025, 12:29:09 PM
Yeah if you do that change and reboot dnsmasq should not start anymore, but unbound will.

I'll try tonight. It's still strange that:
- I can't even edit the port on which to run DNSMASQ
- the WebUI doesn't detect the status of the services after I stopped/started them and disabled/enabled them from the terminal

Is it possible to uninstall or at least reset DNSMASQ?
#5
Quote from: Monviech (Cedrik) on May 14, 2025, 09:41:44 AM
There is no simple way to reset a model from the GUI yet, so you would have to download the config.xml file from "System - Configuration - Backups", search for the dnsmasq section and e.g. change the enabled from 1 to 0 and then restore that.

Replacing DNSMASQ with UNBOUND should be enough with these changes, right?

    <unboundplus version="1.0.12">
      <general>
        <enabled>1</enabled>

and:

        <enable>0</enable>
  </dnsmasq>
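The config.xml edit described in the post above, as an added example (not code from the thread or from the OPNsense project): it flips the two flags, but only after checking that each flag exists exactly once, and it refuses to hand back a config in which both resolvers are enabled on the same port. The sample config.xml, the element paths (.//dnsmasq/enable and .//unboundplus/general/enabled) and the port elements are assumptions shaped after the fragments quoted in the post, not copied from a real installation.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed config.xml shaped like the fragments quoted in
# the post above. The element paths are an assumption, not a real OPNsense dump.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <OPNsense>
    <unboundplus version="1.0.12">
      <general>
        <enabled>0</enabled>
        <port>53</port>
      </general>
    </unboundplus>
  </OPNsense>
  <dnsmasq>
    <enable>1</enable>
    <port>53</port>
  </dnsmasq>
</opnsense>
"""

RESOLVERS = {
    # name: (path of the enable flag, path of the listen port) -- assumed layout
    "dnsmasq": (".//dnsmasq/enable", ".//dnsmasq/port"),
    "unbound": (".//unboundplus/general/enabled", ".//unboundplus/general/port"),
}


def _single(root, path):
    """Return the one element at path; refuse to guess if 0 or more than 1 match."""
    nodes = root.findall(path)
    if len(nodes) != 1:
        raise ValueError(f"expected exactly one {path}, found {len(nodes)}")
    return nodes[0]


def resolver_state(xml_text):
    """Map resolver name -> (enabled: bool, port: int) as stored in the config."""
    root = ET.fromstring(xml_text)
    state = {}
    for name, (flag_path, port_path) in RESOLVERS.items():
        enabled = (_single(root, flag_path).text or "").strip() == "1"
        port_node = root.find(port_path)
        port = int(port_node.text) if port_node is not None and port_node.text else 53
        state[name] = (enabled, port)
    return state


def port_conflicts(xml_text):
    """Names of enabled resolvers that share a listen port (they would fight over :53)."""
    by_port = {}
    for name, (enabled, port) in resolver_state(xml_text).items():
        if enabled:
            by_port.setdefault(port, []).append(name)
    return sorted(n for names in by_port.values() if len(names) > 1 for n in names)


def swap_dnsmasq_for_unbound(xml_text):
    """Return a new config.xml text with dnsmasq disabled and Unbound enabled."""
    root = ET.fromstring(xml_text)
    _single(root, RESOLVERS["dnsmasq"][0]).text = "0"
    _single(root, RESOLVERS["unbound"][0]).text = "1"
    out = ET.tostring(root, encoding="unicode")
    # Never emit a config that still leaves two resolvers enabled on one port.
    if port_conflicts(out):
        raise RuntimeError("both resolvers would be enabled on the same port")
    return out


if __name__ == "__main__":
    print("before:", resolver_state(SAMPLE_CONFIG))
    fixed = swap_dnsmasq_for_unbound(SAMPLE_CONFIG)
    print("after: ", resolver_state(fixed))
```

After restoring the edited file through System - Configuration - Backups and rebooting, check the result from the shell with the same commands quoted later in this thread (service unbound status, service dnsmasq status) rather than trusting the WebUI alone, since the posts above show the two disagreeing.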
#6
Quote from: Monviech (Cedrik) on May 14, 2025, 09:41:44 AM
Can you tell me if there are any errors in "System: Log Files: Backend".
Search for "template", set to "Error", set timeframe to "Last week".

no errors
#7
Quote from: meyergru on May 14, 2025, 10:37:14 AM
Please upload your pictures to the forum. This is only possible via "Reply", not with "Quick Reply". Your pictures do not load, and many people do not trust external hosting sites, either.

Thank you very much :)
#8
I tried to stop DNSMASQ and start UNBOUND from the terminal:
[attachment: opnsense_dns_1.PNG]

WebUI says DNSMASQ is active but stopped:
[attachment: opnsense_dns_2.PNG]
[attachment: opnsense_dns_3.PNG]
[attachment: opnsense_dns_4.PNG]

Apparently from WebUI it is not possible to edit services settings. Could it be some r/w permission problem for configuration files?
#9
I'm going to check ... In the meantime, I'll report some checks I've done now. (see my post below ...)


#10
Since I can't disable or modify DnsMasq from the WebUI, can you tell me which terminal commands disable and reset DnsMasq and which enable/run Unbound?

Thanks again for your help.
#11
Thanks @Cedrik

Here are the log files: today and yesterday, after the upgrade. These are the ones from yesterday that seem more relevant to me:

<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="1"] started, version 2.90 cachesize 10000
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="2"] compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect no-inotify dumpfile
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="3"] LOUD WARNING: listening on <my pub IP>.198 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="4"] LOUD WARNING: listening on <my pub IP>.197 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="5"] LOUD WARNING: listening on <my pub IP>.196 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="6"] LOUD WARNING: listening on <my pub IP>.195 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="7"] LOUD WARNING: listening on <my pub IP>.194 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="8"] LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="9"] reading /etc/resolv.conf
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="10"] ignoring nameserver 127.0.0.1 - local interface
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="11"] using nameserver 1.1.1.1#53
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="12"] using nameserver 8.8.8.8#53
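The start-up banner above is worth reading for more than the service state: the "LOUD WARNING ... may accept requests via interfaces other than igb2" lines say dnsmasq is bound to public addresses in a way that can answer queries arriving on other interfaces, and the --bind-interfaces line is dnsmasq's own warning that this makes it usable as a DNS amplification reflector. Below is an added example (mine, not from the thread or from dnsmasq/OPNsense) that parses RFC 5424 lines like the ones posted and pulls out exactly those facts: the exposed addresses, whether the bind-dynamic advice fired, and the upstream resolvers in use. The sample lines are constructed from the post with documentation-range addresses (203.0.113.0/24) standing in for the redacted public IP.

```python
import re

# Constructed sample modelled on the dnsmasq lines quoted in this post; the
# addresses are documentation-range placeholders, not the poster's real IPs.
SAMPLE_LOG = """\
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="1"] started, version 2.90 cachesize 10000
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="3"] LOUD WARNING: listening on 203.0.113.198 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="4"] LOUD WARNING: listening on 203.0.113.197 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="8"] LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="10"] ignoring nameserver 127.0.0.1 - local interface
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="11"] using nameserver 1.1.1.1#53
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="12"] using nameserver 8.8.8.8#53
"""

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID [SD] MSG
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) \S+ "
    r"(?:\[[^\]]*\] )?(?P<msg>.*)$"
)
LISTEN = re.compile(
    r"listening on (?P<addr>\S+) may accept requests via interfaces other than (?P<iface>\S+)"
)
UPSTREAM = re.compile(r"^using nameserver (?P<server>\S+)$")
BIND_ADVICE = "use --bind-dynamic rather than --bind-interfaces"

SEVERITY = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
            4: "warning", 5: "notice", 6: "info", 7: "debug"}


def parse_line(line):
    """Split one RFC 5424 line into fields; PRI = facility * 8 + severity."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"] = pri >> 3          # 3 == daemon
    rec["severity"] = SEVERITY[pri & 7]
    return rec


def audit_dnsmasq(log_text):
    """Summarise what the dnsmasq start-up banner says about its exposure."""
    report = {"exposed": [], "upstreams": [], "bind_dynamic_advised": False, "warnings": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["app"] != "dnsmasq":
            continue
        if rec["severity"] == "warning":
            report["warnings"] += 1
        msg = rec["msg"]
        listen = LISTEN.search(msg)
        upstream = UPSTREAM.match(msg)
        if listen:
            report["exposed"].append((listen.group("addr"), listen.group("iface")))
        elif upstream:
            report["upstreams"].append(upstream.group("server"))
        elif BIND_ADVICE in msg:
            report["bind_dynamic_advised"] = True
    # Public-facing sockets plus the amplification warning: treat as an open-resolver risk.
    report["open_resolver_risk"] = bool(report["exposed"]) and report["bind_dynamic_advised"]
    return report


if __name__ == "__main__":
    for key, value in audit_dnsmasq(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

With a real export from System: Log Files, feed the file contents to audit_dnsmasq and look at open_resolver_risk first: if it is true, the WAN firewall rules, not the WebUI service toggle, are what keep outsiders from querying those addresses while the resolver question is sorted out.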
#12
I upgraded OPNSense from 24.x to 25.1.6.

After rebooting, the DnsMasq service is stopped and the only way to start it is from command line. This is the situation:

From terminal, via ssh:
- the command "service dnsmasq onestart" correctly starts the service and DNS works (but after a reboot the service goes back to being stopped)

From WebUI:
- it is not possible to start the service (but logs do not show any message ...)
- it is not possible to deactivate the service (or rather: it automatically reactivates when I try to start the Unbound service)
- it is not possible to change the service port (53)


I would like to thank anyone who can help me solve this problem.

Versions:
OPNsense 25.1.6_4-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16
#13
I assigned an interface (vpnSmartwork) to the OpenVPN server and created a firewall rule for it that allows access to the LAN, setting the alias of the corresponding subnet (vpnSmartwork NET) as the source, but configured this way it does not work and the traffic is blocked.
To fix it I had to set the source to "Single host or network" and specify the subnet in CIDR notation (10.10.9.0/24).

I would like to understand why this happens.

I am attaching screenshots of the rules I set and of the logs from a ping run from the client. Thanks.