No Unbound replies on new interface

Started by chemlud, October 03, 2023, 07:23:02 PM

October 03, 2023, 07:23:02 PM Last Edit: October 03, 2023, 07:32:34 PM by chemlud
Hi!

Installed a fresh 23.7, all up-to-date and imported my working config for DNS-over-TLS with unbound. All fine.

I configured a new interface, DHCP works, set up firewall rules (including a block to HTTPS of OPNsense and allowing IPv4 UDP to port 53 of OPNsense) and added the new interface to Unbound in the GUI and applied. Rebooted. According to resolv.conf on the only host attached to the new interface, the DNS is set to the interface address of the OPNsense.

With a packet capture on port 53 of the new OPNsense interface I see the requests of the host, but there is no reply at all from Unbound.

With "Inspect" on the FW rules page of the new interface I see no evaluation of the FW rule allowing UDP to port 53 of the OPNsense?!?! The only rule hit is the first one on the page, no matter which rule this is...


Any ideas?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
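What the first post describes, requests visible in the capture on the firewall but no reply ever leaving it, looks like a plain timeout from the client's side. A quick way to narrow the fault before touching rules is to send one raw DNS query to the interface address and classify what comes back: a timeout means the packets or the replies are not making it through the path (pf, ARP, routing); REFUSED means they do reach Unbound but its access control rejects the source subnet (Unbound's default action for clients outside the allowed list is "refuse", which answers rather than staying silent); an answer means both the path and the resolver are fine. The probe below is an added example written for this thread, not OPNsense or Unbound code. The server address and name on the command line are whatever you supply; the small loopback stand-in resolver in `serve_once` is constructed so the tool can be exercised offline and only synthesizes the DNS header, not real answer records.

```python
"""Raw UDP DNS probe that separates 'no reply' from 'refused' from 'answered'.

Added example for this thread; not code from OPNsense or Unbound.
Assumed usage: python dnsprobe.py <resolver-ip> <name>  (both are your input).
"""
import argparse
import random
import socket
import struct
import threading

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname: str, qid: int) -> bytes:
    """Wire-format query: 12-byte header, QNAME labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_response(data: bytes, expected_id: int) -> dict:
    """Pull the header fields needed for triage; reject junk or a foreign id."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return {
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
        "recursion_available": bool(flags & 0x0080),
        "answers": an,
    }


def classify(info: dict) -> str:
    """Map a parsed header onto the three cases that matter for this thread."""
    if info["rcode"] == "REFUSED":
        return "refused"          # packets reach the resolver; check its ACL
    if info["rcode"] == "NOERROR" and info["answers"] > 0:
        return "answer"           # path and resolver both work
    return "other"                # e.g. SERVFAIL/NXDOMAIN: resolver reachable


def probe(server: str, qname: str, timeout: float = 2.0, port: int = 53) -> dict:
    """Send one A query over UDP; 'timeout' is the symptom from the first post."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"verdict": "timeout"}
    info = parse_response(data, qid)
    return {"verdict": classify(info), **info}


def serve_once(rcode: int, answers: int = 0, silent: bool = False) -> int:
    """Constructed loopback stand-in for a resolver (not Unbound): answers one
    query with the given RCODE, or swallows it when silent=True to mimic a
    dropped reply. Returns the port it listens on. Header only, no RR data."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def respond():
        try:
            data, peer = srv.recvfrom(512)
            if not silent:
                flags = 0x8180 | (rcode & 0xF)  # QR, RD, RA + rcode
                reply = data[:2] + struct.pack("!HHHHH", flags, 1, answers, 0, 0) + data[12:]
                srv.sendto(reply, peer)
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=respond, daemon=True).start()
    return port


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Probe a resolver over UDP/53.")
    ap.add_argument("server", help="resolver address, e.g. the OPNsense interface IP")
    ap.add_argument("qname", help="name to query")
    ap.add_argument("--timeout", type=float, default=2.0)
    args = ap.parse_args()
    print(probe(args.server, args.qname, args.timeout))
```

Run it from the host on the new interface against the interface address. A "timeout" verdict while the capture on the firewall still shows the query arriving tells you to look below DNS (pf state creation, ARP entry for the client, as in this thread), not at Unbound's configuration; "refused" says the opposite.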

Check in Unbound settings if it's listening on the new interface

Quote: "...and added the new interface to Unbound in the GUI and applied. Rebooted. ..."

So: Yes...

But there is no reply.
kind regards
chemlud

October 04, 2023, 09:27:52 AM #3 Last Edit: October 04, 2023, 09:40:33 AM by chemlud
As I wrote above: Apparently only the first FW rule gets evaluated, so I moved the "allow IPv4 UDP to SERVER address (interface of OPNsense for the new network) port 53" rule to the first position. And started "apt update" on the client attached to this interface. No resolution of repo names on the client. But according to "Inspect" on the FW tab the first rule (allow DNS to sense) gets evaluated several hundred times, but 0 (zero) States, Packets, Bytes going back and forth.

What is going on here? This should be absolutely basic stuff, I have never seen something like that in over 10 years of *sense....

PS: Although NTP is also allowed on this new interface (to a specific server), it apparently doesn't work either. So: not a problem with Unbound, but pf?

Disabled "Static ARP" (why?) and rebooted. Traffic started flowing...
kind regards
chemlud

Are you asking why disabling Static ARP makes things work or why it was checked in the first place?

Neither. I use static ARP on nearly all interfaces and usually it works. No idea why disabling and enabling it afterwards made it work this time for the new interface...

Solved anyway.
kind regards
chemlud