How to Configure DNS in Opnsense With Unbound and W/Unbound

Started by mush2020, January 16, 2022, 09:48:16 AM

Thanks again,
Now I'm testing by not using DoT in Unbound and letting AGH handle it.
So in the AGH upstream DNS servers, should I remove 192.168.50.254:8383, or add only a DoT server of my choice, or both, i.e.
tls://family.cloudflare-dns.com:853
192.168.50.254:8383
With dnsleak it shows Cloudflare as well as my ISP. Why? Or have I set it up wrongly?
Also I tested with parental control enabled; again the Internet was down.


And here comes the browser settings into play again.
Let me guess, you used Firefox to test with dnsleak? Why I guess so? Firefox is using DoH. Standard for Firefox is to use cloudflare-dns.com aka 1.1.1.1 if you do not change the setting.

To force Firefox not to use DoH in the standard setting, just add the domain use-application-dns.net to the rewrites in AGH and point it to NXDOMAIN. If somebody sets the DoH manually and activates it, then Firefox will use DoH again.

In Chrome/Edge/Chromium the setting is called secure DNS. And these browsers ignore the use-application-dns.net trick. Chrome by the way uses the Google DNS servers obviously.

I set up my AGH to use the upstream servers via DoT/DoH directly. You can also use DoQ and DNScrypt here.
To get still all my local dns settings I added an upstream entry for my home domain. The entry has to look like the following: [/home.example.com/]192.168.50.254:8383. Then the Unbound will be used for lookups from home.example.com and the other servers for the rest.

KH

mush2020 I'm struggling to follow the flow you want to have. Draw a basic flow leaving the basics only and get them working before adding variables like parental controls, etc.
Is AGH installed on the OPN device (so ports need to not conflict) or on a different host? I'll show you mine:
dhcp clients --> AGH on OPN : 53  --> Unbound on OPN : 5353  --> Stubby on OPN : 853 --> DoT resolvers on internet.

There are settings on each part that matter but you see that dns queries from lan clients go without having to change them to AGH on normal port. They get their setting from OPN DHCPv4 service when they request an ip lease.
Then AGH receives them and blocks ad domains, which is what it is good for, and I don't use parental controls there; I suggest enabling it only when the normal flow is working. AGH then sends the non-filtered queries upstream to Unbound on a different port because they're on the same machine. Then Unbound sends them upstream to a stub resolver for DoT that is configured with the resolvers I want it to use and operates on DoT on port 853.
You don't have to use Stubby, so your last bit of configuration is on Unbound. There you could define your DoT resolvers and your flow is complete.

As KHE said this is "normal" DNS traffic on port 53. To deal with the rest like clients not respecting normal dns on port 53, is step 2. Be aware there are two cases: DoT and DoH depending on the client (machine making the outbound request). Different approach and DoH is something we might have to live with for the moment.

Quote from: cookiemonster on January 19, 2022, 11:58:39 PM
Is AGH installed on the OPN device (so ports need to not conflict) or on a different host? I'll show you mine:
dhcp clients --> AGH on OPN : 53  --> Unbound on OPN : 5353  --> Stubby on OPN : 853 --> DoT resolvers on internet.

I have a similar flow, except instead of Stubby I have Unbound.
In Opnsense
System|Settings|General DNS Servers are Blank
Unchecked:
Allow DNS server list to be overridden by DHCP/PPP on WAN
Do not use the local DNS service as a nameserver for this system

In Unbound
Listen Port:8383
Network Interfaces: All
Enable DNSSEC Support=Unchecked
Register DHCP leases=Checked
Register DHCP static mappings=Checked
DNS over TLS= Cleanbrowsing DOT over 853 added, but Disabled


In AGH
Listening port 53

Under General Settings
Block domains using filters and host file=Checked
Use safe search=Checked

Under Upstream DNS servers
tls://dns-family.adguard.com:853
[/fw.mydomain.com/]192.168.50.254:8383

Parallel request=selected

Bootstrap DNS servers
192.168.50.254:8383

Private reverse DNS servers
Blank

use private rDNS resolver = Checked
enable reverse resolving of client's IP address=Checked


Under Setup Guide All these are listed
Configure your devices
To start using AdGuard Home, you need to configure your devices to use it.
AdGuard Home DNS server is listening on the following addresses:
192.168.50.254 (Opnsense LAN)
192.168.8.200 ( Opnsense WAN)
192.168.10.254 (Opnsense WiFi physical Interface connected to AP)
::1
127.0.0.1
https://fw.mydomain.com/dns-query
tls://fw.mydomain.com.com:853
quic://fw.mydomain.com.com:784

Under Encryption Setting
Enable Encryption=Checked with Cert Status Valid

With all these settings everything works fine.

Now the problem starts if I enable
Use Adguard browsing web service
Use Adguard parental control web service
With both or either enabled, DNS request timed out occurs.

I cannot understand why enabling these options causes a DNS issue.

I can't tell without knowing what I asked for, like same machine or not, etc., but from what you wrote I see this flow:

client  --> AGH:53  --> external=adguard.com:853
                         internal=Unbound:8383     --> ?

What is unclear to me is where Unbound is looking for external resolvers to send the queries to.
Quote
Now the problem starts if i enable
Use Adguard browsing web service
Use Adguard parental control web service
Both or either enabled DNS request Timed Out occurs.
I can't tell but I can't tell how the basic flow is working at the moment either.
What does this do?
Quote
Under Upstream DNS servers
tls://dns-family.adguard.com:853
[/fw.mydomain.com/]192.168.50.254:8383

Hi,

Quote from: cookiemonster on January 20, 2022, 11:01:38 AM
I can't tell but I can't tell how the basic flow is working at the moment either.
What does this do?
Quote
Under Upstream DNS servers
tls://dns-family.adguard.com:853
[/fw.mydomain.com/]192.168.50.254:8383

[/fw.mydomain.com/]192.168.50.254:8383:
This tells AGH to send queries for *.fw.mydomain.com and fw.mydomain.com to unbound at 192.168.50.254:8383

and all other queries go to tls://dns-family.adguard.com:853.

Look here in the documentation wiki.

KH
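The upstream-selection rule described in the reply above, modelled as an added example (not AGH's own code, not from this thread): an upstream line may carry a [/domain1/domain2/] prefix restricting it to those domains and their subdomains, lines without a prefix are the defaults, and the longest matching suffix wins. The upstream list is the one posted above; the query names are constructed.

```python
"""Constructed model of AdGuard Home upstream routing (example, not AGH code)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# [/dom1/dom2/]address  ->  domains group "dom1/dom2", addr group "address"
_PREFIX = re.compile(r"^\[/(?P<domains>[^\]]*)/\](?P<addr>.+)$")


@dataclass
class Upstreams:
    default: list[str] = field(default_factory=list)          # used for everything else
    by_domain: dict[str, list[str]] = field(default_factory=dict)  # suffix -> servers


def parse_upstreams(lines: list[str]) -> Upstreams:
    """Parse AGH-style upstream lines; blank lines and '#' comments are ignored."""
    ups = Upstreams()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PREFIX.match(line)
        if not m:
            ups.default.append(line)
            continue
        addr = m.group("addr").strip()
        for dom in m.group("domains").split("/"):
            dom = dom.strip().strip(".").lower()
            if dom:
                ups.by_domain.setdefault(dom, []).append(addr)
    return ups


def select_upstreams(ups: Upstreams, qname: str) -> list[str]:
    """Return the servers AGH would query for qname: most specific suffix, else defaults."""
    labels = qname.rstrip(".").lower().split(".")
    # Try the full name first, then each parent: host.fw.mydomain.com -> fw.mydomain.com -> ...
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ups.by_domain:
            return ups.by_domain[candidate]
    return ups.default


# The two upstream lines from the post above.
UPSTREAM_LINES = [
    "tls://dns-family.adguard.com:853",
    "[/fw.mydomain.com/]192.168.50.254:8383",
]
UPSTREAMS = parse_upstreams(UPSTREAM_LINES)
```

Note that only names ending in fw.mydomain.com reach Unbound here; a host registered from DHCP as host.mydomain.com would go to the AdGuard server instead, so the prefix must match the domain Unbound registers leases under.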

Thanks for that.
So still, where's Unbound sending the queries to?
this bit:
internal=Unbound:8383     --> ?

It depends on the setting of Enable Forwarding Mode in Services: Unbound DNS: General, which we do not know.
If unchecked, nowhere. I am not sure if unbound starts with that setting.
If checked, to 127.0.0.1:53, which is in the resolve.conf, so AGH. Not sure what happens in this case if you try to resolve a non-existing entry in fw.mydomain.com.

KH

If Unbound is disabled completely, then how do DNS resolutions happen in Opnsense?
The only option I assume will work is having DNS entries in System|Settings|General.
I will have to throw a query to AG support or see in the forum if anyone has a similar issue.

I want to know one thing: can AGH work without Unbound? If yes, then what are the settings and ports to be used?

I have tried nslookup and got the following results. Basically I wanted to check if resolution is happening for the domains that point to the parental control and safe browsing feature.
As per the result, one of the domains is Non-existent domain.

Connected to ISP router Directly

PS C:\Users\user1> nslookup
Default Server:  homerouter.cpe
Address:  192.168.8.1

> family-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Non-authoritative answer:
Name:    family-block.dns.adguard.com
Address:  176.103.130.135

> standard-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Non-authoritative answer:
Name:    standard-block.dns.adguard.com
Address:  176.103.130.133

> family-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Connected to WiFi via Opnsense

PS C:\Users\user1> nslookup
Default Server:  fw.mydomain.com
Address:  192.168.10.254

> family-block.dns.adguard.com
Server:  fw.mydomain.com
Address:  192.168.10.254

*** fw.mydomain.com can't find family-block.dns.adguard.com: Non-existent domain
> standard-block.dns.adguard.com
Server:  fw.mydomain.com
Address:  192.168.10.254

Non-authoritative answer:
Name:    standard-block.dns.adguard.com
Address:  176.103.130.133

Hi

Quote from: mush2020 on January 21, 2022, 04:11:41 AM
If Unbound is disabled completely, then how do DNS resolutions happen in Opnsense?
The only option I assume will work is having DNS entries in System|Settings|General.
OK, still assuming AGH is running on port 53 on all interfaces, then it is used: AGH and all the others you added in System:Settings:General. If there are none, only AGH. If you look at your /etc/resolve.conf, then there is always the following entry:
nameserver 127.0.0.1

Quote from: mush2020 on January 21, 2022, 04:11:41 AM
I will have to throw a query to AG support or see in the forum if anyone has a similar issue.

I want to know one thing: can AGH work without Unbound? If yes, then what are the settings and ports to be used?
If you remove unbound from the upstream, the only thing you lose is access to the DHCP entries and overrides from unbound, provided you still have the adguard DNS server configured as upstream.

For not being able to resolve when the options in AGH are activated, the AG support & forum are the better places, I think.

KH

I just did a clean re-install of AGH
Now settings are

In Opnsense
Added 127.0.0.1 with no GW in System | General | DNS Server

Unbound
Listen port is 53 (default)
Network Interfaces: All
Enable DNSSEC Support=Unchecked
Register DHCP leases=Checked
Register DHCP static mappings=Checked
DNS over TLS= Removed all
Custom Options:
server:
    do-not-query-localhost: no
forward-zone:
    name: "."    # Allow all DNS queries
    forward-addr: 127.0.0.1@5353

In AGH
Listening port: 5353

Under General Settings
Block domains using filters and host file=Checked
Use safe search=Checked

Under Upstream DNS servers
tls://dns-family.adguard.com

Parallel request=selected

Bootstrap DNS servers
94.140.14.14
94.140.15.15

Private reverse DNS servers
Blank

use private rDNS resolver = Checked
enable reverse resolving of client's IP address=Checked


Under Encryption Setting
Enable Encryption=Checked with Cert Status Valid

With the above settings I'm getting the same issue by enabling parental control.
Now in Top Clients I see only 127.0.0.1.
What do I need to do to see all the clients instead?
I can see clients with hostnames in Client Settings | Client Runtime, but not on the dashboard.


Can anyone help here? See this GitHub link below:
https://github.com/AdguardTeam/AdGuardHome/issues/2657
I'm not sure what the exact issue is and how it was resolved as per GitHub.
Can anyone forward this to the developer of this AGH plugin for Opnsense?