[closed] Unbound fails to contact root servers? 26.1.7_1

Started by passeri, May 01, 2026, 07:04:40 AM

May 01, 2026, 07:04:40 AM Last Edit: May 01, 2026, 12:54:31 PM by passeri Reason: Update
Update: Further testing has not reproduced the following, so I have marked the topic closed. The cause of the original issue is unknown.

After upgrading to 26.1.7_1 from 26.1.6_2 I found I could no longer resolve DNS names although connectivity was otherwise fine for cached names or for direct IP addresses. Incoming mail to our server also arrived normally during this time.

I added quad9 in System->Settings->General then ticked Override in Services->Unbound->Query forwarding, after which names resolved normally. Switching back to no override stopped it again.

Currently I am functional with the override in place, and am wondering whether this is a product glitch or something more I need to follow up here.
Deciso DEC697

May 01, 2026, 01:25:10 PM #1 Last Edit: May 01, 2026, 01:30:05 PM by lmoore
Quote from: passeri on May 01, 2026, 07:04:40 AM
I added quad9 in System->Settings->General then ticked Override in Services->Unbound->Query forwarding, after which names resolved normally. Switching back to no override stopped it again.

Interesting. In my environment I've restricted access to DNS servers, and currently only allow select systems access to the Quad9 DNS servers which perform threat-blocking with DNSSEC.

On my test system, setting the DNS server in System -> Settings -> General -> DNS Servers to 127.0.0.1, Unbound is attempting to connect to the root servers - this is what you are expecting.

What is your setting for System -> Settings -> General -> DNS server options -> Allow DNS server list to be overridden by DHCP/PPP on WAN?

I've attempted to configure Unbound to forward all other zones, i.e., not local, to an upstream DNS server but this doesn't seem possible in OPNsense - I'll need to do further reading.

In short, I can't set a forward zone of "." to an upstream DNS server such as Quad9.

I'll reconfigure my production firewall to allow the test system unrestricted external access for DNS and verify whether it can resolve queries using the root servers.

[Edit] Missed the update from the original poster - I'll move on.

Quote from: lmoore on May 01, 2026, 01:25:10 PM
What is your setting for System -> Settings -> General -> DNS server options -> Allow DNS server list to be overridden by DHCP/PPP on WAN?
No override.

Yes, my intention was to make the connections to root servers, as Unbound defaults.

Quote from: lmoore on May 01, 2026, 01:25:10 PM
configure Unbound to forward all other zones, i.e., not local, to an upstream DNS server but this doesn't seem possible in OPNsense
I am not sure what you mean by this. In my network there are effectively a couple of layers, such that the 'green' zone is firewalled from the rest independently of the fact that the OPNsense edge router distinguishes three zones in its rules. The internal router caches (as do the computers) and addresses all new DNS enquiries directly to the edge OPNsense, where Unbound listens on all interfaces and sends its queries to the root servers. Is this the general idea you were discussing?
Deciso DEC697

I tested enabling the options Use System Nameserver under Query Forwarding and DNS over TLS and reviewed the Unbound configuration files. These options will create the forward-zone for "." and point to the name servers listed in System -> Settings -> General.

Quad9 have a setup guide for various OSes to forward queries to them using DoT. The "full help" for the above options in OPNsense clearly states that DoT will never be used for queries to system nameservers.
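For reference, the two resolver modes discussed in this thread look like this in Unbound's own configuration syntax. This is an added illustration, not configuration taken from the posts above or generated by OPNsense (which writes its own files from the GUI settings); the file paths are placeholders, and the Quad9 addresses and TLS authentication name are the values Quad9 publishes, which the thread itself does not list. Only one of the two fragments applies at a time.

```conf
# --- Mode A: full recursion from the root -------------------------------
# Unbound's default, and the original poster's intended setup. With no
# forward-zone for "." present, Unbound itself walks the tree starting at
# the root servers named in the hints file. Validation is done locally.
server:
    interface: 0.0.0.0
    interface: ::0
    # Placeholder paths; OPNsense ships and maintains its own copies.
    root-hints: "/path/to/root.hints"
    auto-trust-anchor-file: "/path/to/root.key"
    # Needed for Mode B so the upstream's certificate can be verified.
    tls-cert-bundle: "/path/to/ca-bundle.pem"

# --- Mode B: forward everything non-local to an upstream -----------------
# This is the effect of "Use System Nameservers" under Query Forwarding:
# a forward-zone for "." sends every query Unbound cannot answer from its
# local zones or cache to the listed servers instead of to the roots.
# Shown here the way plain Unbound would do it over DoT (TCP/853) with
# certificate-name checking; per the OPNsense help text quoted above,
# the GUI does not apply DoT to system nameservers, so this is Unbound
# syntax, not what OPNsense emits for that checkbox.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9's published anycast addresses; "#name" pins the TLS identity.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

`unbound-checkconf` validates a file like this before reload, and `unbound-control forward` with no arguments prints the forwarders currently active for "." (or `off` when Unbound is recursing to the roots), which is a quick way to confirm which of the two modes a running instance is actually in.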

Nor is it used to reach the root servers (my case), which are not part of or listed in the system nameservers. Given that the addresses to which you finally connect are visible to an ISP, not to mention at the site itself, and that I have a static IP, I do not consider DoT to provide any privacy of interest.
Deciso DEC697