[WORKAROUND] opnsense 24.7.2 Unbound forwarding to private server riddle

[mifi42]

Do you see a log message "parse error on reply packet"? If not, it'd have to be eDNS, I think?

Indeed I'd perhaps start with making unbound use TCP only.

I seem to remember vaguely that I have seen such a setting, but I cannot find it at the moment. Unbound currently is sending an receiving UDP packets.

As for the "parse error on reply packet": I do not see that.
I am seeing "parse error on response packet".
I am also seeing that Unbound detects that the 'ned' server is EDNS capable.

m

[doktornotor]

Code: [Select]

server:
do-udp: no

IIRC. Read the man page.

[mifi42]

Code: [Select]

server:
do-udp: no

IIRC. Read the man page.

Ah, yes, when hacking the config files is allowed 
I restricted myself to using the OPNsense GUI, but yes...

[mifi42]

I must admit, I am about to give up on this. I have spent the last three days, going through logs, tcpdumps, and even looked at some source code of unbound, albeit not in the right spot.

I will experiment further with running dnsmasq as my internal root servers for the internal domains, without all the strict controls of unbind. I cannot afford to dive deeper or spend more time, especially if that leads me away from managing the firewall via the GUI.
It feels like defeat, but it is what it is.

Sorry for bothering you with this.
Michiel

[mifi42]

I have used a workaround for now.
Unbound does still not successfully parse the response from my older nameserver for NED, so I decided to add 'host overrides' in unbound for the most important hosts in the NED network.

See menu:/Services/Unbound/Overrides/Host Overrides
Not very neat, a bit of a hack, but usable for the time being.

Thanks for the support,
Micihiel

[janb-de]

I am seeing the same since 24.7.4_1.

Thought i was the only one until i saw your post. Looks like opnsense just stopped resolving. Doing manual lookups and specifying the dns server while the tunnel is up works like normal.

I have a nameserver resolving a domain behind an ipsec tunnel. Had it set in unbounds domain-overrides, worked flawless until recently. Was looking for 2 days and then just used the domain-overrides in dnsmask..

Its not a fix but a workaround. I switch on dnsmask when i need the remote domain.

You could add dnsmask as a dns-server to unbound. Ugly but doesnt includes adding all the single hosts to the override file.

[mifi42]

Its not a fix but a workaround. I switch on dnsmask when i need the remote domain.

You could add dnsmask as a dns-server to unbound. Ugly but doesnt includes adding all the single hosts to the override file.

You probably mean you switch on dnsmasq locally on OPNsense when you need the remote DNS server?
Yes, that is doable.
m