Fresh install - DNS Not working.

Started by TomT, April 18, 2021, 02:10:20 PM

Hi.
I've moved from pfSense and everything seems to be working fine except DNS.

The firewall is on 192.168.1.1

I've got Unbound DNS enabled and configured as:
Network Interfaces: LAN, OPT1, OPT2, WAN_PIAWG
DNSSEC: enabled
IPv6 Link-Local: enabled
Local Zone Type: transparent
Outgoing Network Interfaces: WAN

In Unbound's access list there is an entry for 192.168.1.1/24

My PC has its DNS set as: 192.168.1.1 & 1.1.1.1

On the PC if I do: nslookup bbc.co.uk 1.1.1.1 or nslookup bbc.co.uk 8.8.8.8
I get the expected responses.

If I do nslookup bbc.co.uk 192.168.1.1 I get:
;; connection timed out; no servers could be reached

At the command prompt on the firewall I can ping bbc.co.uk

Can anyone point me in the right direction to get this working correctly?

Thanks
Just found I can't ping 192.168.1.1 from other devices in the 192.168.1.x range, which is probably not helping.
However, I can access the OPNsense Web GUI and SSH on .1.1 from .1.5.

I have the default LAN Net rule configured, so I can't see why this is being blocked.

Any ideas?
Thanks

Hi.

My default allow LAN to any rule is:

Protocol: IPv4
Source: LAN Net
Port: *
Destination: *
Port: *
Gateway: WAN_PPPOE

Should that allow DNS?

Thanks

A couple of things here. First, the PC should be set to just use OPNsense for DNS. If the PC is configured for OPNsense and 1.1.1.1, this will cause some lookups to end up routed to Cloudflare and bypassing OPNsense, which will make troubleshooting even more difficult. This also makes local lookups on the network impossible, as Cloudflare won't know about those and won't resolve them.

The rest of the config looks like it has been modified. I would try resetting back to a more default state. The "Allow LAN to any IPv4" rule should have the Gateway set to *.

Unbound Network Interfaces and Unbound Outgoing Network Interfaces should be set to "all".

Start there and see if you can get DNS lookups working. If so, start making settings changes until it breaks again and that will pinpoint the main issue. If you have other Unbound custom options defined, those could also be causing some complications.

Thanks. I'll try this and see how I get on.

Quote from: TomT on April 18, 2021, 06:18:03 PM
My default allow LAN to any rule is:

Protocol: IPv4
Source: LAN Net
Port: *
Destination: *
Port: *
Gateway: WAN_PPPOE

Should that allow DNS?

No, that sends everything to the WAN gateway, including DNS requests and pings which should go to OPNsense itself. The reason you can still reach the Web GUI and SSH is the default anti-lockout rule (which has higher priority).
The gateway should be left as 'default' unless you have a specific use case which requires policy-based routing.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
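To make the explanation above concrete, here is an added example (not code from the thread or from OPNsense) that models first-match rule evaluation with policy routing. The addresses, rule names and port sets are constructed to mirror the thread: a LAN at 192.168.1.0/24, the firewall at 192.168.1.1, an anti-lockout rule that only covers the management ports, and the "LAN net to any" rule once with Gateway forced to WAN_PPPOE and once left at default. It also includes a small config check that flags catch-all rules with a non-default gateway, since those are exactly the rules that steer firewall-bound DNS and ICMP off-box.

```python
# Added example, not from the forum thread or the OPNsense code base.
# A minimal first-match model of LAN rule evaluation showing why a
# catch-all "LAN net -> any" rule with a non-default gateway breaks DNS
# and ping to the firewall itself, while the anti-lockout rule (evaluated
# first) keeps the Web GUI and SSH reachable. Values are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set

FIREWALL_IP = ip_address("192.168.1.1")          # LAN address from the thread
LAN_NET = ip_network("192.168.1.0/24")


@dataclass
class Rule:
    name: str
    src: Optional[IPv4Network]      # None means "any"
    dst: Optional[IPv4Network]      # None means "any"; host rules use /32
    dports: Optional[Set[int]]      # None means "any"
    gateway: str = "default"        # "default" = normal routing, else policy-routed


@dataclass
class Packet:
    src: str
    dst: str
    dport: int                      # 0 for protocols without ports (ICMP)
    proto: str = "udp"


def _matches(rule: Rule, pkt: Packet) -> bool:
    """True if every non-wildcard field of the rule matches the packet."""
    if rule.src is not None and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation. Returns where the packet ends up:
    'local'        delivered to the firewall itself (Unbound, ICMP echo, ...)
    'routed'       forwarded by the normal routing table
    'policy:<gw>'  forced out via a policy-routing gateway
    'blocked'      no rule matched (default deny)."""
    for rule in rules:
        if _matches(rule, pkt):
            if rule.gateway != "default":
                # Policy routing wins even when the destination is the
                # firewall's own LAN address: the reply never comes.
                return f"policy:{rule.gateway}"
            return "local" if ip_address(pkt.dst) == FIREWALL_IP else "routed"
    return "blocked"


def lint_policy_routed_catchall(rules: List[Rule]) -> List[str]:
    """Config check: names of rules that match any destination but force a
    gateway. Such rules send firewall-bound traffic (DNS, ping) off-box."""
    return [r.name for r in rules if r.dst is None and r.gateway != "default"]


# Anti-lockout covers only the management ports on the firewall address
# (port set assumed for the example).
ANTI_LOCKOUT = Rule("anti-lockout", None, ip_network("192.168.1.1/32"), {22, 80, 443})

# The thread's misconfigured rule: Gateway set to WAN_PPPOE.
BROKEN_RULES = [ANTI_LOCKOUT, Rule("LAN to any", LAN_NET, None, None, gateway="WAN_PPPOE")]
# The corrected rule: Gateway left at default.
FIXED_RULES = [ANTI_LOCKOUT, Rule("LAN to any", LAN_NET, None, None)]

# Constructed sample traffic from the PC at .1.5
DNS_TO_FIREWALL = Packet("192.168.1.5", "192.168.1.1", 53)
PING_TO_FIREWALL = Packet("192.168.1.5", "192.168.1.1", 0, "icmp")
SSH_TO_FIREWALL = Packet("192.168.1.5", "192.168.1.1", 22, "tcp")
DNS_TO_CLOUDFLARE = Packet("192.168.1.5", "1.1.1.1", 53)

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(f"[{label}] lint: {lint_policy_routed_catchall(rules)}")
        for pkt in (DNS_TO_FIREWALL, PING_TO_FIREWALL, SSH_TO_FIREWALL, DNS_TO_CLOUDFLARE):
            print(f"[{label}] {pkt.proto}/{pkt.dport} -> {pkt.dst}: {evaluate(rules, pkt)}")
```

With the broken rule set, DNS and ping to 192.168.1.1 report `policy:WAN_PPPOE` (they leave the box and time out), while SSH reports `local` because the anti-lockout rule matched first. With the gateway at default, DNS to the firewall is `local` and DNS to 1.1.1.1 is `routed`, and the lint returns nothing.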

Thanks.
I'm hoping to get time to test this tonight.

I've got 2 issues I need to resolve before I can go live; this is one of them.

I'll post back how I get on.