Help with DNS (Currently trying to use Unbound DNS)

Started by Verxion, October 08, 2023, 08:09:02 PM

I'm having a LOT of trouble doing what feels like it should be incredibly simple...

I've got all my home lab devices pointed to my OPNsense server for DHCP, as their gateway, and their DNS.

...they all get IPs (I have them each set up with static assignment in DHCPv4), they all end up with the OPNsense server IP for DNS... but NONE of them can resolve hosts.

If I ssh into the OPNsense server itself, then I can resolve hosts just fine, including any manually defined local aliases (I specify them in Overrides), but none of the DHCP clients can resolve IPs from hostnames.

I'm really struggling with how to get this resolved. Here are the pertinent bits of configuration:

Systems->Settings->General->DNS Servers is set with 8.8.8.8 (WAN1_GW) and 8.8.4.4 (WAN2_GW)

Services->DHCPv4->LAN->DNS has OPNsense IP address

DHCP enabled for LAN interface, all potential clients have static assignment based on MAC address

Unbound DNS enabled items:
  Register DHCP Leases
  Register DHCP Static Mappings
  Flush DNS Cache during reload

Again - IP resolution is working from OPNsense server but not from ANY DHCP client.

Thanks so much for any help anyone can provide!!  :)

-Verxion

Did you change the default "allow all" firewall rule on LAN in any way?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Please post what your rule(s) on LAN look like. I am not going to watch that video.

IPv4 TCP/UDP * * {FW IP} 53(DNS) * *
LAN * * * LB_GW *

-Verxion

P.S. THANK YOU for your help - I truly appreciate it!!!

And that IP address you struck out is the LAN IP address of your OPNsense?

Why are you doing this? Your internal IP addresses are in no way security relevant information.

Yes, it is (as I had written in the post above) the FW IP.

I was doing it because of that video that I linked. From what I'd read, it is there to allow any DHCP client to make (over TCP/UDP) their DNS (over port 53) requests from the OPNsense box.

-Verxion

You are using Unbound as your resolver on OPNsense? Did you change the listen interfaces? Don't. "All (recommended)" is the recommended setting for a reason.

If that does not help I would start using dig or nslookup on some client while running a packet trace on the firewall ...
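Along the lines of the dig-plus-packet-trace suggestion above, here is an added example (my own script, not from this thread or from OPNsense) that a client can run against the firewall's LAN IP: it sends one A query over UDP and over TCP and reports whether port 53 times out (a LAN rule or listen-interface problem), refuses the connection, or answers with an RCODE such as SERVFAIL (which points at the resolver itself, for example a missing upstream). The 192.0.2.1 address is a placeholder to replace with your own firewall IP.

```python
# Added example (not from the thread or OPNsense): one A query to a resolver over UDP and
# TCP, classified so a client can tell "port 53 unreachable" from "answered but SERVFAIL".
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build a recursion-desired A/IN query for name (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data):
    """Return (txid, rcode name, answer count) from a raw DNS message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a DNS response")
    return txid, RCODES.get(flags & 0xF, str(flags & 0xF)), an

def probe(resolver, name, proto="udp", timeout=3.0):
    """Query resolver:53 and return TIMEOUT, CONN_REFUSED or the RCODE seen."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (resolver, 53))
                data, _ = s.recvfrom(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((resolver, 53), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(query)) + query)
                length = struct.unpack(">H", s.recv(2))[0]
                data = b""
                while len(data) < length:
                    data += s.recv(length - len(data))
    except socket.timeout:
        return "TIMEOUT"  # filtered by a rule or nothing listening on 53
    except ConnectionRefusedError:
        return "CONN_REFUSED"  # host up, port 53 closed (TCP RST / ICMP unreachable)
    _, rcode, answers = parse_response(data)
    return f"{rcode} ({answers} answers)"

if __name__ == "__main__":
    fw = "192.0.2.1"  # placeholder: replace with the OPNsense LAN IP
    for proto in ("udp", "tcp"):
        print(proto.upper(), probe(fw, "example.com", proto))
```

A TIMEOUT on both protocols while the same query works from the firewall's own shell means the packets never reach Unbound, which is what the LAN rule and the listen-interface setting control.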

October 08, 2023, 10:49:22 PM #8 Last Edit: October 08, 2023, 10:52:16 PM by newsense
In the video the guy only works with IPs, so if you followed his steps and did nothing else then there's no upstream resolver defined on Unbound.

Either set up something in the DNS over TLS section or make sure Services: Unbound DNS: Query Forwarding has Use System Nameservers checked.

If none of the above are true - meaning you've set up some upstreams in one of those sections already - then you still need to answer Patrick's questions.

Quote from: newsense on October 08, 2023, 10:49:22 PM
In the video the guy only works with IPs, so if you followed his steps and did nothing else then there's no upstream resolver defined on Unbound.

Either set up something in the DNS over TLS section or make sure Services: Unbound DNS: Query Forwarding has Use System Nameservers checked.

If none of the above are true - meaning you've set up some upstreams in one of those sections already - then you still need to answer Patrick's questions.

IIRC, you shouldn't need to do either of those, in which case Unbound will default to recursive resolution using the DNS root servers.

Disclaimer, I also did not watch the video and I agree that configuring DoT is a good practice.