21.7.6 DNS DOT stopped working

Started by Julien, November 27, 2021, 07:14:50 PM

November 27, 2021, 07:14:50 PM Last Edit: November 27, 2021, 07:31:03 PM by Julien
Hi Guys,
I was happy having DoT working for a couple of weeks; after I updated today, I noticed it stopped working.
After some reboots it seems the DNS is working, but it's extremely slow.

We have a domain controller; the domain controller's DNS forwarder is the OPNsense.
I've NATed the DNS to the OPNsense on the LAN side.
This configuration has been working.

But for now it's stopped.

I've looked at the log but nothing really is there to see why this behavior happens.

I appreciate any feedback.


2021-11-27T19:21:06 unbound[47763] [47763:2] debug: process_response: new external response event
2021-11-27T19:21:06 unbound[47763] [47763:6] debug: cache memory msg=269840 rrset=289047 infra=15986 val=267448
2021-11-27T19:21:06 unbound[47763] [47763:3] debug: tcp error for address ip4 1.0.0.1 port 853 (len 16)
2021-11-27T19:21:06 unbound[47763] [47763:6] debug: cache memory msg=269840 rrset=289047 infra=15986 val=267448
2021-11-27T19:21:06 unbound[47763] [47763:5] info: 8RDd mod1 rep AMS-efz.ms-acdc.office.com. A IN
DEC4240 – OPNsense Owner

How can I revert back to the previous version?
This has become a serious issue.
DEC4240 – OPNsense Owner


I don't know the previous version yet.
Unfortunately no one from OPNsense has either confirmed or denied whether this release causes the DNS issue.

DEC4240 – OPNsense Owner

Hi,

DoT with unbound on OPNsense 21.7.6 works for me™  ;)

2021-11-27T19:21:06 unbound[47763] [47763:3] debug: tcp error for address ip4 1.0.0.1 port 853 (len 16)
Seems like your unbound is not able to reach the server 1.0.0.1 on port 853.
Can you ping 1.0.0.1?
Do you get errors with openssl s_client -connect 1.0.0.1:853 on the OPNsense?

KH

Quote from: KHE on November 28, 2021, 11:19:34 PM
Hi,

DoT with unbound on OPNsense 21.7.6 works for me™  ;)

2021-11-27T19:21:06 unbound[47763] [47763:3] debug: tcp error for address ip4 1.0.0.1 port 853 (len 16)
Seems like your unbound is not able to reach the server 1.0.0.1 on port 853.
Can you ping 1.0.0.1?
Do you get errors with openssl s_client -connect 1.0.0.1:853 on the OPNsense?

KH

Thank you for your answer.
Those are requests on your WAN side; do your clients really encrypt the DNS?
DEC4240 – OPNsense Owner

> Those are requests on your WAN side; do your clients really encrypt the DNS?

Clients don't magically encrypt traffic when you set DoT upstream servers in Unbound GUI.

Maybe you can start by how you enabled the DoT server on OPNsense if you want LAN traffic to be encrypted. Your setup is entirely unclear.


Cheers,
Franco

Quote from: franco on November 29, 2021, 01:19:57 PM
> Those are requests on your WAN side; do your clients really encrypt the DNS?

Clients don't magically encrypt traffic when you set DoT upstream servers in Unbound GUI.

Maybe you can start by how you enabled the DoT server on OPNsense if you want LAN traffic to be encrypted. Your setup is entirely unclear.


Cheers,
Franco

The client sends the DNS request to the DNS server, the DNS server is using the OPNsense as its DNS server, and the OPNsense encrypts the DNS request.
Isn't that the way DoT works?
I see plenty of those requests on the WAN side but the DNS is not working; I cannot seem to browse to the internet.
DEC4240 – OPNsense Owner

Quote from: Julien on November 29, 2021, 11:55:26 AM
Thank you for your answer.
Those are requests on your WAN side; do your clients really encrypt the DNS?
I got as confused by this question as @franco, it seems.
All DNS requests from my clients use unbound in the end as a resolver. And unbound is using DoT for upstream. It is working without any issues for me.

Quote from: Julien on November 27, 2021, 07:14:50 PM
I was happy having DoT working for a couple of weeks; after I updated today, I noticed it stopped working.
After some reboots it seems the DNS is working, but it's extremely slow.
...

2021-11-27T19:21:06 unbound[47763] [47763:2] debug: process_response: new external response event
2021-11-27T19:21:06 unbound[47763] [47763:6] debug: cache memory msg=269840 rrset=289047 infra=15986 val=267448
2021-11-27T19:21:06 unbound[47763] [47763:3] debug: tcp error for address ip4 1.0.0.1 port 853 (len 16)
2021-11-27T19:21:06 unbound[47763] [47763:6] debug: cache memory msg=269840 rrset=289047 infra=15986 val=267448
2021-11-27T19:21:06 unbound[47763] [47763:5] info: 8RDd mod1 rep AMS-efz.ms-acdc.office.com. A IN

So unbound is telling you clearly in line 3 of your log that it gets a TCP error reaching out to the Cloudflare DNS 1.0.0.1, one of your upstream servers. If I see an error reaching upstream, why should downstream (LANs) be of any interest? If it fails here, downstream cannot work. If you configured multiple upstream servers and one of them works, then long delays are to be expected, because at some point unbound might use the working one(s).

We cannot see how you configured your unbound. So please upload your config of Services: Unbound DNS: DNS over TLS.
We do not know if there are issues between your OPNsense and the Cloudflare DNS servers. Might be connection errors, might be certificate errors, might be config errors triggered by the update, ... The commands I provided are just one way of trying to debug the issues.

KH
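As an added example (not code from the thread, and not part of OPNsense or Unbound), here is a small Python script that does the two things KH's replies above describe: it triages Unbound debug log lines for "tcp error for address ... port 853" events and counts them per upstream, and it probes a DoT upstream over TCP and TLS the way `openssl s_client -connect 1.0.0.1:853` does, reporting whether the failure happens at the TCP stage (packets dropped, e.g. by a firewall or GeoIP rule) or at the TLS stage (handshake or certificate validation). The sample log is constructed from the lines posted in the thread plus two made-up extra failures; the hostname you pass for certificate checking is assumed to be the one you configured for that DoT server in OPNsense.

```python
"""Triage Unbound 'tcp error' events per DoT upstream and probe an upstream
with TCP+TLS (Python equivalent of `openssl s_client -connect addr:853`).
Added example; not from the OPNsense thread, OPNsense or Unbound."""
import re
import socket
import ssl
from collections import Counter

# Constructed sample log: the lines posted in the thread plus two extra
# (made-up) failures so the per-upstream counting is visible.
SAMPLE_LOG = """\
2021-11-27T19:21:06 unbound[47763] [47763:2] debug: process_response: new external response event
2021-11-27T19:21:06 unbound[47763] [47763:6] debug: cache memory msg=269840 rrset=289047 infra=15986 val=267448
2021-11-27T19:21:06 unbound[47763] [47763:3] debug: tcp error for address ip4 1.0.0.1 port 853 (len 16)
2021-11-27T19:21:06 unbound[47763] [47763:5] info: 8RDd mod1 rep AMS-efz.ms-acdc.office.com. A IN
2021-11-27T19:21:07 unbound[47763] [47763:1] debug: tcp error for address ip4 1.0.0.1 port 853 (len 16)
2021-11-27T19:21:07 unbound[47763] [47763:4] debug: tcp error for address ip4 1.1.1.1 port 853 (len 16)
"""

# Unbound reports a failed TCP/TLS exchange with an upstream as
# "tcp error for address ip4 <addr> port <port> (len N)".
TCP_ERROR_RE = re.compile(
    r"tcp error for address ip[46] (?P<addr>\S+) port (?P<port>\d+)"
)


def failing_upstreams(log_text):
    """Count 'tcp error' events per (address, port); port 853 is a DoT upstream.
    Shows at a glance which forwarder(s) Unbound cannot talk to."""
    counts = Counter()
    for line in log_text.splitlines():
        match = TCP_ERROR_RE.search(line)
        if match:
            counts[(match.group("addr"), int(match.group("port")))] += 1
    return dict(counts)


def probe_dot_upstream(addr, port=853, server_name=None, timeout=5.0):
    """Open TCP, then TLS, to addr:port, like `openssl s_client -connect`.

    The result says at which stage the attempt failed: 'tcp' means the
    connection never came up (route, firewall or GeoIP drop), 'tls' means TCP
    worked but the handshake or certificate validation failed.
    server_name is the hostname the upstream certificate must carry
    (assumption: the same name configured for the DoT server in OPNsense);
    with None the chain is still validated but the hostname is not checked.
    """
    ctx = ssl.create_default_context()
    if server_name is None:
        ctx.check_hostname = False
    try:
        raw = socket.create_connection((addr, port), timeout=timeout)
    except OSError as exc:
        return {"ok": False, "stage": "tcp", "error": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
            return {"ok": True, "stage": "tls", "version": tls.version(),
                    "subject": cert.get("subject", ())}
    except ssl.SSLError as exc:          # handshake / certificate problems
        return {"ok": False, "stage": "tls", "error": str(exc)}
    except OSError as exc:               # reset or timeout during the handshake
        return {"ok": False, "stage": "tls", "error": str(exc)}
    finally:
        raw.close()


if __name__ == "__main__":
    import sys
    for (addr, port), n in sorted(failing_upstreams(SAMPLE_LOG).items()):
        print(f"{addr}:{port}  {n} tcp error(s)")
    # Optional live probe, e.g.:
    #   python3 dot_check.py 1.0.0.1 853 <hostname-from-your-DoT-config>
    if len(sys.argv) >= 2:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) >= 3 else 853
        name = sys.argv[3] if len(sys.argv) >= 4 else None
        print(probe_dot_upstream(host, port, name))
```

Run it without arguments to see the per-upstream error counts from the constructed log (feed your own `unbound` log text into `failing_upstreams` instead); pass an address, port and the configured certificate hostname to get the live TCP/TLS verdict for that upstream.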

Thank you so much KH for your answers.

I'll share some screenshots of the configuration.
Apologies for my late response. Some health issues came in.
DEC4240 – OPNsense Owner

Just as an additional note, I experimented with geoblocking and limiting access only to and from EU, USA and Canadian IP addresses. With this configuration I could no longer access the Cloudflare nameservers and even had difficulties with some other servers in the Cloudflare CDN.
Do you use GeoIP blocking? If so, this might also cause issues.

KH