Messages - JohnnyBeee

#16
Two disabled servers appeared mysteriously in the DNSCRYPT-PROXY configuration (Disabled Servers List):
"replaceAll" and "resolve"
They appeared in that field without me adding them.
"replaceAll" seemed to have appeared after I configured servers in the Relay List.

Does anybody know what these servers are and why they appear?
#17
Here is the latest status:
I did some debugging.
First I deactivated DNSCRYPT-PROXY and activated UNBOUND instead. That did not help. So I switched back to DNSCRYPT-PROXY.
Then I noticed in the Firewall log an error saying that a FQDN in an alias could not be resolved (or something similar). So I removed that alias and emptied the Firewall log - That seemed to have solved the issue with "Auto refresh" unchecking.
Then I removed the reference to a particularly large alias I had recently added (1400 IPs) from another Alias (type "Network group") and BINGO: the reverse DNS worked again for the Firewall log.
Strangely enough, after I checked the large alias in the Network group alias again, the reverse DNS still works ???

So I guess this is solved  8)
#18
It is even getting weirder:
When I check "Lookup hostnames" now, "Auto refresh" unchecks!!!
I observe this with Firefox, latest version...
#19
Hi folks.
I use reverse DNS, aka "Lookup hostnames" extensively to find out quickly if a potential attacker connected to my email server. - No FQDN=likely an attacker.

But yesterday I looked at the list and found that only the IPs at the top of the list were resolved. It looked like the backwards resolution only worked from the moment I checked "Lookup hostnames".
I tried a few times to uncheck/check that. At some point only a few IPs were resolved, it seemed random. And now NO IPs AT ALL are resolved!  :o

I use DNSCrypt-Proxy and only DNSCrypt-Proxy, for all the name resolutions and so far, for months/years, everything worked as expected:
Click "Lookup hostnames" and all the IPs in the Live View list were immediately resolved to hostnames.

I rebooted the firewall - no luck.
The DNSCrypt-Proxy or firewall logs don't seem to show anything unusual, normal domain name resolution works fine.

Any ideas?


-----------------------------------
OPNsense 22.7.6-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022
#20
Quote from: ingvarr on August 14, 2021, 03:12:03 PM
Quote from: JohnnyBeee on August 14, 2021, 10:05:17 AM
Now that the "custom options" are gone for Unbound DNS since OPNsense 21.7, how do I configure Unbound DNS with DNSCRYPT-PROXY?
It appears that the only straight way is Enable Forwarding Mode with DNSCrypt-Proxy being listed in system DNS.
Ugly and will also create madness with multiple WANs.

The only problem with that is the port. You cannot specify a port in the system settings and you cannot have 2 services listening on the same port (53).

So am I right to assume that the custom options have only disappeared from the configuration GUI but are still taken into account when entered in unbound.conf?
#21
Now that the "custom options" are gone for Unbound DNS since OPNsense 21.7, how do I configure Unbound DNS with DNSCRYPT-PROXY?
#22
It is a pity nobody answered this. I experienced the same.
It happened a few times every day. I could unblock the situation by restarting unbound.
Now I do not use unbound any more and DNS lookups work all the time.
#23
It would seem that a VPN interface was the culprit.
One that I never got to work.
Once I deactivated it, everything was back to normal (at least it looks like it so far).
So I guess something changed in the way OPNsense processes VPN interfaces after 21.1.3.
#24
Thanks Thomas, but the updates available at the location you indicate seem to be the latest builds again.
#25
Actually DNS works.
Pings do not.
URLs are properly resolved but connections fail.
It all worked fine in 16.1.3 but after the upgrade, now 16.1.7_1, LAN to WAN connections all fail.
I checked the LAN rules and there is a rule that allows all connections from LAN.net to all.
Same as for the DMZ interface that does work.
I have two network cards on my PC. When I deactivate the LAN card and thus force the PC to go through the DMZ I can access the internet.
Any ideas as to where to look for the problem source?
#26
Yes, very odd.
To restore internet access to the family now, I reverted back to OPNsense 21.1.3_3 and immediately everything was back to normal.
Now the next step is to install a new, more powerful firewall.
On my first attempt I installed 21.1.6 and then restored the backup that I made on the current firewall with 21.1.3.
That was almost good but I had to reinstall one or two plugins (like DNSCrypt-Proxy).
But that is when I hit the internet from Lan issue first.

It was confirmed when I thought it was a good idea to upgrade my current firewall to 21.1.6.
What causes the problem is the upgrade.

Providing screenshots of my config with loads of rules might be a tad demanding.
Would a backup do it?

For now I will rest as I spent a night with no sleep trying to get to work first my new and then my current firewall.

More testing next night when the family does not need the internet...
#27
Thanks.
But what if I wish to install with an older version from scratch?
Like for the new firewall hardware I bought?
#28
As I got unexplained problems after an upgrade to the latest 21.1.6 I wish to reinstall with an older image from a USB stick.

Where can I download older versions?

Thanks.
#29
Hi.
I upgraded from 21.1.3 or so to the latest 21.1.6 and suddenly I can no longer access the Internet from the LAN.
Everything worked fine before  >:(
Has anybody experienced the same?
All the rules etc seem ok, and like I said, there were no problems before the upgrade.
So now I no longer have Internet access from my home network.  :'(

Any ideas as to how to solve this quickly would be most appreciated!
#30
I have the same errors:
python37-3.7.10: checksum mismatch for /usr/local/lib/python3.7/__pycache__/inspect.cpython-37.pyc
python37-3.7.10: checksum mismatch for /usr/local/lib/python3.7/__pycache__/mimetypes.cpython-37.pyc
python37-3.7.10: checksum mismatch for /usr/local/lib/python3.7/__pycache__/subprocess.cpython-37.pyc
python37-3.7.10: checksum mismatch for /usr/local/lib/python3.7/__pycache__/typing.cpython-37.pyc
python37-3.7.10: checksum mismatch for /usr/local/lib/python3.7/__pycache__/zipfile.cpython-37.pyc


I am not an expert, so my questions are simple:
Is this anything I should worry about? If yes, how can/should I fix this?