Topics - Senten

1
24.1 Legacy Series / Firewall IP Aliases sporadically not being resolved
« on: January 29, 2024, 01:40:54 pm »
Hi there,

I already posted about this issue in the German subforum but didn't get any response there, so I am reposting in the international section.

Translated from original post:
Quote
Hello dear community,

I recently set up a logging server and through this I stumbled upon the following problem:

The pf firewall randomly does not resolve FQDN firewall aliases. Milliseconds later the same name is resolved correctly:

Code:
2024-01-18 08:25:06.560 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:19:08.284 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:32.324 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:05.878 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: ##### [for #####]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:01:06.983 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:01:06.973 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:55:09.124 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:50:04.179 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 07:44:08.971 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:44:08.300 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 07:44:08.284 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:38:06.104 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:38:06.002 resolving 1 hostnames (0 addresses) for ##### took 2.04 seconds
2024-01-18 07:38:05.982 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:32:06.035 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:26:06.578 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds

The above logs are filtered for the same alias (even though others are affected too). The FQDN can be resolved using dig or nslookup just fine without any errors or timeouts whatsoever.

My system is running OPNsense 23.7.12 24.1_1, the error existed already with 23.7.10 and likely even before that.

The DNS server used is the local Unbound service.

At System>Settings>General the following settings are *not* checked:
Code:
DNS server options
[ ] Allow DNS server list to be overridden by DHCP/PPP on WAN
[ ] Do not use the local DNS service as a nameserver for this system

Does anybody here have an idea what the cause could possibly be or what I could take a more detailed look at?

Thank you in advance!

Regards,
Senten

2
German - Deutsch / Firewall aliases with DNS names are sporadically not resolved
« on: January 18, 2024, 09:10:35 am »
Hello dear community,

I recently set up a logging server and through this stumbled upon the following phenomenon:

The pf firewall sporadically fails to resolve firewall aliases based on FQDNs. A fraction of a second later, however, the resolution works:

Code:
2024-01-18 08:25:06.560 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:19:08.284 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:32.324 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:05.878 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: ##### [for #####]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:01:06.983 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:01:06.973 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:55:09.124 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:50:04.179 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 07:44:08.971 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:44:08.300 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 07:44:08.284 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:38:06.104 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:38:06.002 resolving 1 hostnames (0 addresses) for ##### took 2.04 seconds
2024-01-18 07:38:05.982 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:32:06.035 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:26:06.578 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds

The log lines above all refer to the same firewall alias, and the requested FQDN is correct.
When I resolve affected names manually with dig, there is never a timeout or any other error.

My system is running OPNsense 23.7.12, but the error definitely already existed with 23.7.10 and probably even before that.

The local Unbound service is used for DNS resolution.

Under System>Settings>General the following options are *not* active:
Code:
DNS server options
[ ] Allow DNS server list to be overridden by DHCP/PPP on WAN
[ ] Do not use the local DNS service as a nameserver for this system

Does anyone have an idea what could cause this or what I could look at more closely?

Thank you very much!

Regards,
Senten

Edit: spelling correction
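An added example serving both this post and the English repost above (my code, not Senten's and not OPNsense's own tooling): a Python parser for the alias-resolution log format quoted in the posts that counts refreshes returning 0 addresses and pairs each NXDOMAIN with how quickly the same alias resolved again, so short-lived resolver flaps can be alerted on separately from a name that is really gone. The sample lines are constructed and the alias/FQDN names are placeholders, since the posts mask them with #####.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the alias-resolution log format quoted in the posts (newest
# first, as the forum shows it); the posts mask names with #####, these are placeholders.
SAMPLE_LOG = """\
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for srv_alias took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for srv_alias took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: srv.example.internal [for srv_alias]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for srv_alias took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for other_alias took 0.02 seconds
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
RESOLVE_RE = re.compile(r"^(\S+ \S+) resolving (\d+) hostnames \((\d+) addresses\) "
                        r"for (\S+) took ([\d.]+) seconds$")
NXDOMAIN_RE = re.compile(r"^(\S+ \S+) The DNS query name does not exist: (\S+) \[for (\S+)\]$")

def parse_line(line):
    """One log line -> event dict, or None for lines of any other shape."""
    m = RESOLVE_RE.match(line)
    if m:
        return {"kind": "resolve", "ts": datetime.strptime(m.group(1), TS_FMT),
                "alias": m.group(4), "addresses": int(m.group(3)), "took": float(m.group(5))}
    m = NXDOMAIN_RE.match(line)
    if m:
        return {"kind": "nxdomain", "ts": datetime.strptime(m.group(1), TS_FMT),
                "alias": m.group(3), "fqdn": m.group(2)}
    return None

def events_by_time(text):
    """Parse every line and order oldest-first (the forum listing is newest-first)."""
    return sorted(filter(None, map(parse_line, text.splitlines())), key=lambda e: e["ts"])

def empty_refreshes(text):
    """Count refreshes that yielded 0 addresses, i.e. the alias was refreshed with no address."""
    return sum(1 for e in events_by_time(text) if e["kind"] == "resolve" and e["addresses"] == 0)

def find_flaps(text, window=timedelta(seconds=5)):
    """Pair each NXDOMAIN with the next successful refresh of the same alias within `window`;
    returns (alias, fqdn, nxdomain_ts, recovered_ts) for the transient pattern the posts describe."""
    pending, flaps = {}, []
    for e in events_by_time(text):
        if e["kind"] == "nxdomain":
            pending[e["alias"]] = e                      # remember until the alias resolves again
        elif e["kind"] == "resolve" and e["addresses"] > 0:
            nx = pending.pop(e["alias"], None)
            if nx is not None and e["ts"] - nx["ts"] <= window:
                flaps.append((e["alias"], nx["fqdn"], nx["ts"], e["ts"]))
    return flaps
```

Feed it the filtered log export and an alias that keeps appearing in `find_flaps` while `dig` against Unbound never fails points at the firewall-side resolver path rather than the zone itself.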

3
23.1 Legacy Series / DNS server advertisement via DHCP not using interface IP address anymore
« on: April 24, 2023, 11:27:31 am »
Hi there,

I have updated my OPNsense from 23.1.5 to 23.1.6(-amd64) yesterday and after that the DHCP service advertised the globally configured system DNS servers (public ones) instead of the interface IP addresses, as it used to be.

I am running AdGuardHome as the main DNS service and Unbound as forwarder with a few local overrides. That means after the update clients can resolve public names but not the ones I only use locally.

As a result I now have to manually set the interface IP addresses as the DNS servers in the DHCP configuration, which I used to leave blank. In order to be able to do that for IPv6 I now have to additionally configure virtual fd00 IP aliases, which I do not need for anything else and actually would like to deconfigure again as soon as possible.

I tried rolling back a snapshot of 23.1.5 and this version does not have the problem.

Is this a bug or expected behavior? I read about some changes regarding bind hooks in the changelog but as I am not running bind I suppose that does not affect me?

Regards and thanks in advance,
Senten
