Multi WAN - DNS not working

Started by DeepB, January 03, 2025, 09:15:24 AM

Hello,

I just changed to a multi-WAN setup due to an unreliable main WAN connection. I followed this documentation.

I use Unbound DNS with DNS over TLS.

I enabled "Default Gateway Switching" via System->Settings->General as per the documentation.

The failover works, except for DNS. I can ping external IPs, and when I use a different DNS on the client (for instance 8.8.8.8 directly with a fixed IP instead of DHCP with the firewall as DNS) everything works perfectly.

Any ideas where to start?

Thanks
Daniel

Is Firewall: Settings: Advanced: Disable force gateway on (checkmarked)?

It was off (not checkmarked).

I checkmarked it, but the problem is still the same.


Alright. Are there any other services running on the firewall that stop working during fail-over? Basically, with DNS resolution out of the way, is it only connections originating from the firewall that fail or is it also affecting connections originating from your internal networks? If it's only DNS on the firewall, what happens without TLS?

I assume you already tried to restart unbound during fail-over...

I restarted unbound, restarted the firewall, both multiple times.

All other connections seem to be fine; when I get a fixed IP on the client with another DNS everything works.

Disabling TLS on Unbound changes nothing.

Thanks
Daniel

Double-check Step 5 of the guide.
There was another case recently where it was missed, and all requests bypassed the GW DNS...


Is that correct?

It can't hurt to try with LAN address as destination but this might work as well.
I'd enable logging and verify that the rule is triggered.

Any port forwarding affecting DNS, either on WAN with reflection or directly on LAN?

I tried with the specific IP address, did not change anything.

Then I reinstalled Opnsense just to start fresh and make sure no potential old configurations are at fault.

Nothing changed.

I also checked "Log Queries" in Unbound->Advanced, however in the Unbound Log I only get
2025-01-09T17:13:38   Critical   unbound   [3649:0] fatal error: Could not set root or stub hints   
2025-01-09T17:13:38   Error   unbound   [3649:0] error: could not read root hints /root.hints: Permission denied   

Could that be the problem?

Hmm, I've never seen that one.
That file looks like this on my box:
root@OPNsense:~ # ls -l /var/unbound/root.hints
-rw-------  1 unbound unbound 3314 Jan  5 15:30 /var/unbound/root.hints

It contains the DNS servers used to bootstrap the resolver so it's pretty critical indeed.
They are also necessary to resolve your DoT server if you specified it by name (versus IP).
Try a simpler config with regular DNS (e.g. 1.1.1.1).

Did that (tried that before too), no more error message but also still not working. Also still no logged queries.

If I tick System--> Settings-->General "Allow DNS server list to be overridden by DHCP/PPP on WAN " DNS on the firewall works (Interfaces: Diagnostics: DNS Lookup) but still does not work on the client. (also tried disabling DNS over TLS, still no change)


If I enable "Allow DNS server list to be overridden by DHCP/PPP on WAN" and disable unbound dns the clients will get the DNS-servers defined in "System: Settings: General" and I can access the internet. However DNS-based ad blocking (unbound) obviously does not work then.

Hmm, 'sockstat | grep :53' will make sure unbound is listening at that port.
If you enable logging on your "Local route DNS" rule, you should see the requests in the FW live view.

You can test using 'nslookup <somename_here> <IP of LAN GW>', as in nslookup opnsense.org 192.168.1.1
Does it fail? Hang/timeout?

Apart from that missing step 5 in multi-wan, I only know port forwarding having the same potential effect...
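A small troubleshooting script that automates the checks mentioned in this thread: the root.hints ownership behind the "Permission denied" error, whether unbound is bound to port 53 (the sockstat check), and an nslookup against the LAN gateway wrapped in a timeout so a hang is reported differently from a refusal. This is an added example, not OPNsense project code; it assumes the /var/unbound/root.hints path shown above and a LAN gateway of 192.168.1.1 (override with the LAN_GW variable).

```shell
#!/bin/sh
# Constructed troubleshooting helper for the checks discussed in this thread
# (not from the OPNsense project). Assumes an OPNsense/FreeBSD box.

HINTS=/var/unbound/root.hints   # location shown in the thread
LAN_GW=${LAN_GW:-192.168.1.1}   # assumed LAN gateway address, override via env

# Parse one "ls -l" line: pass if the file is owned by unbound and owner-readable.
# This is the condition behind "could not read root hints ...: Permission denied".
hints_readable() {
  set -- $1
  [ "$3" = "unbound" ] || return 1
  case "$1" in -r*) return 0 ;; *) return 1 ;; esac
}

# Parse sockstat output (USER COMMAND PID FD PROTO LOCAL FOREIGN):
# pass if an unbound process has a socket bound to port 53.
unbound_on_53() {
  printf '%s\n' "$1" | awk '$2 == "unbound" && $6 ~ /:53$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Classify an nslookup run against a server: ok / fail / timeout.
# timeout(1) exits 124 when the resolver hangs, which answers the
# "Does it fail? Hang/timeout?" question without blocking the script.
classify_lookup() {
  if timeout 5 nslookup "$1" "$2" >/dev/null 2>&1; then rc=0; else rc=$?; fi
  case $rc in
    0)   echo ok ;;
    124) echo timeout ;;
    *)   echo fail ;;
  esac
}

run_checks() {
  if hints_readable "$(ls -l "$HINTS" 2>/dev/null)"; then
    echo "ok:   $HINTS is owned by unbound and readable"
  else
    echo "FAIL: $HINTS missing or not readable by unbound (check: ls -l $HINTS)"
  fi
  if unbound_on_53 "$(sockstat 2>/dev/null)"; then
    echo "ok:   unbound is bound to port 53"
  else
    echo "FAIL: no unbound socket on :53 (check: sockstat | grep :53)"
  fi
  echo "lookup of opnsense.org via $LAN_GW: $(classify_lookup opnsense.org "$LAN_GW")"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it on the firewall as `sh check_dns.sh --run`; a FAIL on the first check matches the root.hints error quoted earlier, and "timeout" on the lookup points at the redirect rule or gateway rather than at unbound itself.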