Help with weird DNS behavior

Started by lbandi2, November 08, 2024, 03:51:37 PM

Ever since I moved and changed internet provider I had to do this hacky thing to get DNS to work on my network.

This is the configuration I had before that didn't work with the new provider:

In System > Settings > General:

DNS Server:
10.10.0.1 (my opnsense instance)
1.1.1.1
8.8.8.8

Allow DNS server list to be overridden by DHCP/PPP on WAN (unchecked)
Do not use the local DNS service as a nameserver for this system (unchecked)

That was it: I had DNS resolution through Unbound DNS with no extra configuration, but this config did not allow DNS resolution with the new provider.
I could ping IPs, but I could not resolve outside DNS.

Here's what I had to do to get it to work:

In System > Settings > General:

DNS Server:
192.168.101.1 (ISP gateway I got from Interfaces overview, see image below)
10.10.0.1 (my opnsense instance)
1.1.1.1
8.8.8.8

I also had to add the ISP Gateway in Services > ISC DHCPv4 on every interface in order to get DNS working; here's an example:

I dealt with this in order to get the connection working, but I know it's wrong and I hate this solution.

Can someone help me diagnose this and help me do it the right way?

It sounds like your new ISP may be blocking you from using any DNS server other than the one(s) that they provide. If you get a shell on your OPNsense box, what do you get from something like `drill @1.1.1.1 google.com.`?

I only get:

Error: error sending query: Could not send or receive, because of network error

Yeah... unless you're doing something funky with firewall rules yourself, I think your ISP is blocking it. I assume if you use the ISP gateway instead of 1.1.1.1 in that command, it works?


Quote from: dseven on November 08, 2024, 04:35:40 PM
Yeah... unless you're doing something funky with firewall rules yourself, I think your ISP is blocking it. I assume if you use the ISP gateway instead of 1.1.1.1 in that command, it works?

Yup

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 35085
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.  IN      A

;; ANSWER SECTION:
google.com.     161     IN      A       172.217.28.110

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 5 msec
;; SERVER: 192.168.101.1
;; WHEN: Fri Nov  8 10:54:31 2024
;; MSG SIZE  rcvd: 44
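The check dseven suggested (the same query sent to 1.1.1.1 and to the ISP gateway, then compared) as a small script, so every resolver is probed with an identical query and timeout and the failure mode is reported per server. This is an added example, not code from the thread or from OPNsense; the resolver addresses and the name are the ones from the posts above, the 2-second timeout is an assumption.

```python
"""Probe several DNS resolvers with the same A query over UDP/53 and report
which of them answer, time out, or fail with a network error."""
import random
import socket
import struct


def build_query(name: str, qid: int) -> bytes:
    """Build a minimal DNS A query (RD set, no EDNS) for `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # type A, class IN


def parse_response(resp: bytes, qid: int) -> dict:
    """Read id, QR bit, rcode and answer count from a DNS response header."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id_ok": rid == qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}


def probe(server: str, name: str = "google.com.", timeout: float = 2.0) -> str:
    """Classify one resolver: answered / timeout / network error / bad response."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"  # silently dropped: typical of a port-53 filter upstream
        except OSError as e:
            return f"network error ({e.strerror})"  # e.g. ICMP unreachable, as drill reported
    r = parse_response(data, qid)
    if not (r["id_ok"] and r["is_response"]):
        return "bad response"  # id mismatch or not a reply: something else on the path
    return f"answered (rcode={r['rcode']}, answers={r['answers']})"


if __name__ == "__main__":
    # ISP gateway first, then the public resolvers from the original config.
    for srv in ("192.168.101.1", "1.1.1.1", "8.8.8.8"):
        print(f"{srv:15} {probe(srv)}")
```

If only the ISP gateway answers and the public resolvers time out or return a network error, the fault is on the WAN path rather than in the Unbound or General settings; if all three answer, look at local firewall rules next.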

Quote from: bartjsmit on November 08, 2024, 04:42:02 PM
Have you tried DNS over HTTPS? https://homenetworkguy.com/how-to/configure-dns-over-https-dnscrypt-proxy-opnsense/

No, I haven't, but before trying anything new I would like to rule out any bad configurations I might have done myself since I'm no expert.