Messages

[In any event, how do I force applications with hard-coded DNS addresses to go through specific DNS servers (in my case: pi-hole no. 1 & pi-hole no. 2, if the first one is down) without firewall rules?]

In any event, how do I force applications with hard-coded DNS addresses to go through specific DNS servers (in my case: pi-hole no. 1 & pi-hole no. 2, if the first one is down) without firewall rules? And if I need firewall rules for that, how do I set FW rules to redirect DNS queries to one of the two DNS servers (whichever is up)?

Thank you again!

You can try this: https://labzilla.io/blog/force-dns-pihole (it is actually mostly NAT)

Also if you run more than 1 pihole consider gravity sync or other syncing utilities.

Try turning on the Prefer IPv4 over IPv6 under Settings -> System -> General

From your log where it was trying to update.. it seems to resolve ipv4 DNs but failed at ipv6 ips.

Try changing your ntp servers.

Pick one from here: https://www.ntppool.org/en/

Change that... restart the service and try ntptime via commandline and see if it returns something sensible.

ssh into your opnsense router and run shutdown -p now?

Turn Velop to Bridge mode. It will essentially turn it into just an AP.

There are a lot of variables.. what blocking lists have you installed? Unbound? Suricata / Snort? Unfortunately it is one of those open ended, no right answer type questions.

Best way is probably to disable all the blacklists and enable them one by one.

A systematic way is to run Wireshark for the app in question and see what goes through / not by seeing if the sites in question is sending back ACK.

Opnsense is just a hardenedbsd variant.. if you really want.. install xorg, then install xfce (or any windows manager that you want).. to start just startx

Just remember to check which video card you have, as the list of supported cards is limited unless you can live with 1024x768 or lower.

Os build from source takes a long time (also depending on your computer hardware).. make sure you do make clean between your runs especially if you had kill the process manually.

You would likely to have better luck trying with pfsense (which is FreeBSD based) and parent fork of Opensense vs Opnsense.

Or just do debugging on a linux firewall instead of a FreeBSD one.

First your opnsense is not resolving DNS correctly. (hence no address record error)

so make sure /etc/resolv.conf has something like name server entry like Quad9 or Cloudflare in there.

Second it is vim-console for vim, also make sure to use sudo if you are not root.

Any chance of manually installing it?

You can always install ipsec-tools via commandline to setup the server, just like any BSD system.

It is safe to delete "if it is no longer needed".

If you want to keep using DNSBL then you have to use unencrypted DNS, unbound can't read encrypted requests.

You can setup your outbound to be full recursive to there is no need to use other forwarders?

Whitelisting on the Blacklist Section.

OK. Now we are talking about two different things. I was not talking about the DNSBL function of the unbund plugin. My issue is related to to another server using DNBS and as DNS server my opnsense box with unbound plugin and DoT to a big anycast resolver.

My question is if I can define expeditions for unbound not to use the DoT connection for certain addresses and resolve these addressed by its own.

Port 500 is usually for IPSEC.. if you are using OpenVPN you shouldn't need it.

Not sure what the the one rule to port 500 does, but yes looks correct (I have set it other way around; specific IPs go to WAN, others to VPN). I would maybe specific LAN to go to WAN_DHCP, not to * - but I just like to keep things tidy.

It depends on your router's CPU and how much RAM it has. But since DNS requests are usually small, it shouldn't have too big of an impact in speed.