Topics - Netlearn

#1
Hi all:

I'm seeing some weird behavior in Unbound on one of the five firewalls I manage.

There is a WireGuard VPN between two of them that works perfectly. I have configured several "Query Forwardings" to resolve the remote .internal domains, for example:

On SiteA:

SiteB.internal > 192.168.30.254

On SiteB:

SiteA.internal > 172.26.0.254

Also, in "Services > Unbound > Advanced > Private Domains", all the internal domains are configured.

Everything works as expected on all firewalls (Unbounds), except one. When Unbound is restarted, it works. After a while (some minutes) it stops forwarding and sends the query to the root servers, where it obviously fails.

All the Unbounds are configured as recursive. There are no DNS servers in "System > Settings > General > DNS servers".

I made some traffic captures (domain redacted). I don't know where to go from here to find more clues.


After rebooting Unbound:

drill host.mydomain.internal @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 37658
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; host.mydomain.internal.  IN      A

;; ANSWER SECTION:
host.mydomain.internal.     3189    IN      A       192.168.31.124

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Feb 23 21:23:44 2026
;; MSG SIZE  rcvd: 52


tcpdump -ni wg1 host 172.26.0.254 and port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg1, link-type NULL (BSD loopback), snapshot length 262144 bytes
21:16:53.076588 IP 10.30.172.2.16968 > 172.26.0.254.53: 19515+ [1au] A? host.mydomain.internal. (47)
21:16:53.094071 IP 172.26.0.254.53 > 10.30.172.2.16968: 19515* 1/0/1 A 192.168.31.124 (63)


When it's failing:

drill host.mydomain.internal @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 15877
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; host.mydomain.internal.  IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       3115    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2026022301 1800 900 604800 86400

;; ADDITIONAL SECTION:

;; Query time: 1 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Feb 23 21:15:57 2026
;; MSG SIZE  rcvd: 111


tcpdump -ni wg1 host 172.26.0.254 and port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg1, link-type NULL (BSD loopback), snapshot length 262144 bytes
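The raw unbound.conf equivalent of the "Query Forwarding" and "Private Domains" entries described in the post, as an added example for reference rather than the poster's own configuration or the file OPNsense generates (whether the OPNsense template emits exactly these directives is an assumption; the private-address list and the diagnostic toggle are also assumptions, chosen to show the settings that most often interfere with a forwarded private zone):

```conf
# Added example (not the poster's config): SiteA forwarding SiteB.internal
# to the remote Unbound over WireGuard, plus the server-section settings that
# interact with such a forward.
server:
    # Unsigned private zone under a TLD the signed root does not delegate.
    # domain-insecure tells the validator not to attach this name to the
    # root chain of trust; it is the documented setting for validated
    # forward zones and is harmless when the zone would have validated
    # as insecure anyway. (Assumption: DNSSEC validation is enabled.)
    domain-insecure: "internal."

    # Answers for these zones legitimately carry RFC 1918 addresses.
    # private-address strips such answers from every other zone as DNS
    # rebinding protection; private-domain exempts the listed zones.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "SiteA.internal."
    private-domain: "SiteB.internal."

    # Diagnostic toggle, an assumption about what is worth testing here:
    # with RFC 8198 aggressive NSEC enabled, a cached root NSEC record can
    # be used to synthesise NXDOMAIN for any name under a TLD the root says
    # does not exist, without sending a single packet. That is the shape of
    # the failing answer in the post (root SOA in AUTHORITY, nothing on wg1).
    # Disabling it during the test shows whether cache synthesis is involved.
    aggressive-nsec: no

forward-zone:
    name: "SiteB.internal."
    forward-addr: 192.168.30.254
    # Ask the forwarder only. forward-first would fall back to recursion
    # on failure, which hides a broken forward instead of surfacing it.
    forward-first: no
```

Three unbound-control commands turn the symptom into data: `unbound-control list_forwards` prints the forward zones the running daemon actually loaded, `unbound-control lookup host.SiteB.internal` prints the servers Unbound would contact for that name, and `unbound-control flush_zone internal.` drops everything cached under internal. so the next query can be watched on wg1. If `lookup` still names 192.168.30.254 while drill returns the root SOA and tcpdump shows nothing on wg1, the answer is being served from cache rather than from a forwarding decision, which narrows the search considerably.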
#2
Hello,

I would like to propose a feature request regarding the Kea DHCP implementation in OPNsense.

Currently, while Kea itself supports configurations where only clients with defined reservations are allowed to receive leases, there is no exposed option in the OPNsense GUI to enforce this behavior (i.e., effectively "deny unknown clients" as in the deprecated ISC DHCP).

This request is not based on a security perspective, but on the idea of an additional control layer, ensuring that only explicitly defined hosts receive IP addresses.

For example, if I bring a new device to my network and its MAC is not yet listed, I can connect it and find it before the device can access the internet or even the local network. This allows me to put the relevant rules on it beforehand, allowing or denying what the new device can do. This is my main use case, but I'm sure there are a lot more.

Having an explicit GUI option such as "Allow only clients with reservations" or "Deny unknown DHCP clients" would improve clarity, usability, and feature parity with both legacy ISC DHCP behavior and Kea's native capabilities.

Maybe, this could be implemented as an advanced option, disabled by default, to preserve current behavior and avoid impacting existing deployments.

I'm not sure how an issue has to be opened on GitHub, or whether this request deserves one; I'm not very familiar with the way it should be done, sorry.
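The Kea-native way to get the behaviour requested above, as an added example and not part of the post or of OPNsense's Kea template: Kea assigns the built-in client classes KNOWN and UNKNOWN according to whether a host reservation matches the client, so restricting a pool to KNOWN is the "deny unknown clients" switch. The interface name, subnet, MAC addresses and hostnames are constructed for the example; the `//` comments are accepted by Kea's configuration parser but not by strict JSON tools.

```json
{
  "Dhcp4": {
    // Constructed example: one LAN interface and a memfile lease store.
    "interfaces-config": { "interfaces": [ "igc1" ] },
    "lease-database": { "type": "memfile", "persist": true },

    "subnet4": [
      {
        "id": 1,
        "subnet": "192.168.31.0/24",

        // Default (permissive) behaviour would be this pool with no
        // "client-class": any client on the wire gets an OFFER. Gating it on
        // the built-in KNOWN class means only clients matching a reservation
        // below can draw an address from it; everyone else gets nothing.
        "pools": [
          {
            "pool": "192.168.31.100 - 192.168.31.199",
            "client-class": "KNOWN"
          }
        ],

        // Reservations are what make a client KNOWN. A fixed ip-address
        // outside the pool pins the host; a reservation without one still
        // marks the host as KNOWN and lets it take a dynamic lease from the
        // gated pool.
        "reservations": [
          {
            "hw-address": "02:00:00:00:00:01",
            "ip-address": "192.168.31.10",
            "hostname": "printer"
          },
          {
            "hw-address": "02:00:00:00:00:02",
            "hostname": "laptop"
          }
        ]
      }
    ]
  }
}
```

Two consequences worth knowing before adopting this: an unknown device never receives an address at all, so the "find the new device" step in the post happens by watching Kea's log for the unserved DISCOVER rather than by seeing the device appear with a lease, and a device whose MAC is spoofed to match a reservation is still treated as KNOWN, so this is an inventory control, not an authentication mechanism.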
#3
General Discussion / Unbound with no upstream DNS
August 07, 2025, 11:50:04 PM
Hi all!

I recently moved 4 otherSense installs to OPNsense and added one more. Then I discovered this awesome forum and found a lot of interesting info and details about OPNsense and even networking in general.

I read this and then this one.

@Patrick M. Hausen says:
Quote: "Unbound is a perfectly capable recursive DNS server that does not need any upstream."
so I removed the upstream servers in System > Settings > General and made sure "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked. My clients either have a manual IP or a reserved DHCP lease, with only OPNsense as DNS; I have rules that block outbound traffic to port 53 and allow 53 to "This Firewall" only. It just works, as I expected from Patrick's explanations.

Is this the way of having Unbound to do all the job described in the second link?