[SOLVED] Unbound not responding?

[danb35]

tl;dr: Unbound doesn't appear to be responding properly to DNS queries, though DNSmasq does.  I suspect it's related to my multi-WAN setup, but I haven't been able to figure out where.

I'm running OPNsense 22.1.10; I was seeing the same behavior under 22.1.9.

Unbound won't respond to queries via dig; I get the same result using the shell on the OPNsense box itself or via a remote client:

Code: [Select]

root@opnsense:~ # dig @localhost google.com

; <<>> DiG 9.18.4 <<>> @localhost google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2147
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(localhost) (UDP)
;; WHEN: Fri Jul 08 04:33:05 EDT 2022
;; MSG SIZE  rcvd: 39


Code: [Select]

✘ dan@Dan-Mac-Mini-2  ~  dig @192.168.1.1 google.com

; <<>> DiG 9.10.6 <<>> @192.168.1.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3653
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jul 08 04:32:37 EDT 2022
;; MSG SIZE  rcvd: 39
But when I do a DNS lookup through the web UI (Interfaces/Diagnostics/DNS Lookup), I do get a result.

The background is a little confusing, but since the problem seemed to start when I plugged in my main WAN connection, I'll try to explain as clearly as I can.

I have three Internet connections available: Cable (with a static IP) for the primary, Starlink (in bridge mode) for secondary, and cellular is third.  I'm setting up this system to replace a pfSense box, so I was trying to configure everything (or at least as much as possible) under OPNsense before moving my main home Internet connection to it.

So, initially, I put Starlink on the main WAN connection (using DHCP), and the cellular modem on WAN2 (also using DHCP), and then proceeded to set up WAN failover following https://docs.opnsense.org/manual/multiwan.html#wan-failover.  This appeared to work--I didn't actually test the failover functionality, but I had Internet access through the router, and no apparent problems with Unbound.

But realizing that my main Internet connection didn't use DHCP, I disconnected the cellular modem, moved Starlink to WAN2, and configured WAN for my static IP, leaving WAN disconnected.  This required reconfiguration of the gateway list, since there wasn't a WAN_DHCP gateway any more.  This also appeared to work; Internet access continued to be available, and Unbound continued to respond to queries as normal.

Yesterday afternoon, thinking I had everything preconfigured that I was going to be able to, I plugged my cable modem into WAN, and LAN into my switch.  And at that point, Unbound stopped working.  When I turned it off and turned on DNSmasq, it worked (and continues to work) just fine, and Internet access works well, but with Unbound enabled it no longer seems to be able to resolve DNS queries.

I've tried checking log files, but I don't see anything logged anywhere that's associated with the failing queries.  Where else should I be looking?

[danb35]

Whatever it might be, it has nothing to do with my multi-WAN setup.  Figuring there might be something misconfigured there or elsewhere, I decided to reinstall from scratch and try again.   Booted it up and configured the WAN and LAN interfaces from the console menu. Then logged into the web UI and stepped through the wizard. It defaults to using Unbound, so didn’t change that. Entered DNS servers of 1.1.1.1 and 1.0.0.1, set an appropriate time zone, and left literally everything else at defaults. Installed the update to 22.1.10 and rebooted.

Result: my client computer can’t resolve google.com. So I tried in the web UI (Interfaces/Diagnostics/DNS Lookup). And it resolves google.com just fine–but from 1.1.1.1, not from the local Unbound instance.

So I SSH’d into the OPNsense box. And after determining that neither dig nor nslookup was installed, used host:

Code: [Select]

root@opnsense:~ # host google.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

Host google.com not found: 2(SERVFAIL)

I’ve installed nothing else, I’ve configured nothing else–it’s the stock distro with the defaults across the board. And DNS resolution just isn’t working.

[danb35]

I've found the control in the UI to turn up the log level for Unbound, and does it ever!  At level 4, a single query generates around 1300 lines' worth of logs.  But I think grep has found the problem:

Code: [Select]

dan@Dan-MBP-2013  ~/Downloads  grep error unbound_log.txt
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11066"] [77014:0] error: udp connect failed: No route to host for 2001:503:ba3e::2:30 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11110"] [77014:0] error: udp connect failed: No route to host for 2001:500:2d::d port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11150"] [77014:0] error: udp connect failed: No route to host for 2001:500:2d::d port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11188"] [77014:0] error: udp connect failed: No route to host for 2001:500:1::53 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11228"] [77014:0] error: udp connect failed: No route to host for 2001:500:9f::42 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11337"] [77014:0] error: udp connect failed: No route to host for 2001:7fe::53 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11377"] [77014:0] error: udp connect failed: No route to host for 2001:500:12::d0d port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11417"] [77014:0] error: udp connect failed: No route to host for 2001:500:a8::e port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11453"] [77014:0] error: udp connect failed: No route to host for 2001:503:ba3e::2:30 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11611"] [77014:0] error: udp connect failed: No route to host for 2001:500:9f::42 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11684"] [77014:0] error: udp connect failed: No route to host for 2001:500:2f::f port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11756"] [77014:0] error: udp connect failed: No route to host for 2001:7fd::1 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11795"] [77014:0] error: udp connect failed: No route to host for 2001:500:1::53 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11833"] [77014:0] error: udp connect failed: No route to host for 2001:500:a8::e port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="11872"] [77014:0] error: udp connect failed: No route to host for 2001:dc3::35 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="12111"] [77014:0] error: udp connect failed: No route to host for 2001:500:2f::f port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="12188"] [77014:0] error: udp connect failed: No route to host for 2001:500:1::53 port 53 (len 28)
<27>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="12225"] [77014:0] error: udp connect failed: No route to host for 2001:500:12::d0d port 53 (len 28)
<31>1 2022-07-09T10:44:36-04:00 opnsense.familybrown.org unbound 77014 - [meta sequenceId="12310"] [77014:0] debug: return error response SERVFAIL
Strange--I don't have an IPv6 address, and I don't think I've told OPNsense to use IPv6.  Maybe there's a control I've missed.

Edit: I do see system / settings / general / prefer to use ipv4, but that's checked already.

Edit 2: Interesting.  If I go to Services/Unbound DNS/General, click the button for Advanced, and set Outgoing Network Interfaces to WAN (rather than the default of All), it starts working.  Curious.

[danb35]

So that was apparently the answer--set Unbound's outgoing interface to WAN rather than all.  It seems that with that set to all, Unbound expects to be able to communicate over IPv6, which it can't do, and therefore fails.  A couple of things that didn't work, without setting the interface to WAN:

• Explicitly disabling IPv6 on LAN.  It defaulted to "track interface," whatever that means; I'd suspected that explicitly disabling IPv6 on this interface (as it already was on WAN) might result in Unbound realizing that it can't communicate over IPv6 and reverting to IPv4.  It didn't seem to change anything.
• Enabling DHCP6 on WAN.  I don't use IPv6 (I have a static IPv4 address), but my ISP will give me an IPv6 address if I ask for it.  But enabling this also didn't have Unbound working.

What I still don't understand is why pfSense worked--as far as I can tell, it has all the same buttons, switches, and knobs, and it uses most of the same underlying software.  And my pfSense box was set to "all" for the outbound interface, and it worked fine.  So I'm not sure why the difference is there, but it's working, so good enough at least for now.

[Patrick M. Hausen]

If you are interested and willing to trust me in this - I'd love to have UI and SSH access to that box for an hour or two. I don't have any installation without IPv6, so I cannot reproduce that.

"Track interface" means "get an IPv6 prefix from ISP on WAN and configure a matching address on the LAN interface".

[Kwolfe19]

I have a very similar problem and this solution above "fixed" it for me. The twist on my problem is that I also could not get DNS resolution to work in the UI. DNS resolution from all of my client computers is fine, but the router could not resolve anything. I wonder if a recent update to Unbound changed some behavior.

[random1104]

So that was apparently the answer--set Unbound's outgoing interface to WAN rather than all.  It seems that with that set to all, Unbound expects to be able to communicate over IPv6, which it can't do, and therefore fails.  A couple of things that didn't work, without setting the interface to WAN:

• Explicitly disabling IPv6 on LAN.  It defaulted to "track interface," whatever that means; I'd suspected that explicitly disabling IPv6 on this interface (as it already was on WAN) might result in Unbound realizing that it can't communicate over IPv6 and reverting to IPv4.  It didn't seem to change anything.
• Enabling DHCP6 on WAN.  I don't use IPv6 (I have a static IPv4 address), but my ISP will give me an IPv6 address if I ask for it.  But enabling this also didn't have Unbound working.

What I still don't understand is why pfSense worked--as far as I can tell, it has all the same buttons, switches, and knobs, and it uses most of the same underlying software.  And my pfSense box was set to "all" for the outbound interface, and it worked fine.  So I'm not sure why the difference is there, but it's working, so good enough at least for now.

what would happen if you have local forwarding (other DNS servers resolving internal domains), and you use different interfaces to reach them. Would that be broken with "outgoing = WAN"?