OPNsense + AdguardHome + Unbound + errors

Started by MonkeyOnKeyboard, February 08, 2025, 06:58:26 AM

Hello, I've read so much stuff, but the errors with my config are so big.

I use OPNsense with Cloudflare for the server domain + HTTPS cert and DynDNS via Cloudflare + Cloudflare in Unbound.
Now I can't use nslookup from my LAN clients, which are in a separate domain...

My OPNsense is the 178.1 in my private network.

Cloudflare domain is homelabs.ltd
Local domain is homenet.intra.

I use AdGuard Home with Unbound ^^

In AdGuard I've set DNS to my local server IP 178.1 with the Unbound port 5353.
Reverse in Unbound the same.

So, if I make an nslookup from my Windows machine: DNS error timeout.

I can't anymore... I've no ideas left.
Please help, if it's possible.

I'm not entirely sure why Cloudflare DNS used to access OPN is relevant.

I assume you're using the AGH plug-in (not a separate instance).
AGH has hostIP:5353 in upstream DNS
Unbound is configured on port 5353 and uses 1.1.1.1 as upstream (straight query forwarding or DNS over TLS?)?

In System > Settings > General, any DNS server set? Typical recommendation is none.
Allow DNS server list to be overridden by DHCP on WAN checked or not? Recommendation is unchecked.
In Unbound, Use System Nameservers checked or not? Recommendation is unchecked.

Then check the AGH and Unbound logs for clues.

Quote: reverse in unbound same
was cryptic... I hope that didn't mean Unbound using AGH...


If you are using mDNS, don't use port 5353 for DNS because it will conflict with mDNS.

Quote from: julsssark on February 09, 2025, 01:58:38 AM
If you are using mDNS, don't use port 5353 for DNS because it will conflict with mDNS.
+1

Use anything but 5353
Beelink EQ12 on Aruba Instant On network at home

Sorry for the delayed answer.
I've deactivated the AGH plugin in OPNsense and set Unbound back to 53. Then nslookup runs perfectly, with reverse and so on.
Then I have installed an LXC container on my Unraid for AGH.
And so, with all changes, it runs perfectly. nslookup works.

I think there is an error in the OPNsense plugin or in Unbound with port 5353, or some firewall blocking.
I don't know... but in my new config with the separate AGH everything runs.

Once Unbound is working fine, moving it to another port (e.g. 53530) and adding AGH (pointing to Unbound) shouldn't require additional rules.
If the FW was getting in the way, you'd see it in the logs and could easily address that.

I suggest a setup that - for me - works even better. I like keeping reasonable defaults. And I like an easy fallback in case of failure.

So what I do:

- leave Unbound on port 53 on all interfaces, now DNS "just works"
- bind AGH to 127.0.0.1:53530 and have it forward to 127.0.0.1:53 for recursion
- set up block lists etc., test with drill directly on the firewall, make sure AGH works

Then on all interfaces where I want AGH to be active:

- create a NAT port forward rule from interface_address:53 to 127.0.0.1:53530 TCP & UDP

Voila. AGH active. In case you ever suspect a fundamental problem with AGH:

- disable port forwarding rule, AGH is now completely out of the equation again


HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
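The checklist earlier in the thread (AGH upstream → Unbound on its port → 1.1.1.1) and Patrick's "test with drill directly on the firewall" both come down to asking each hop of the chain separately, so a "DNS error timeout" can be pinned to one hop. The script below is an added example, not code from the thread, OPNsense, AdGuard Home or Unbound: a stdlib-only Python probe that sends a raw UDP query (A or PTR) to a given resolver and reports an answer, an error rcode, or a timeout. The addresses in the chain list are constructed from the thread (192.168.178.1 is an assumed expansion of the "178.1" the poster mentioned; 127.0.0.1:53530 and 127.0.0.1:53 follow Patrick's layout) and are meant to be edited; the 127.0.0.1 entries only make sense when run on the firewall itself.

```python
"""Hop-by-hop DNS probe for an AGH -> Unbound -> upstream chain (stdlib only).

Added example: send a raw UDP query to each resolver in turn and report whether
it answered, returned an error rcode, or timed out. Hosts and ports in CHAIN are
placeholders constructed for this example; replace them with your own.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE = {"A": 1, "PTR": 12}


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels, root-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ptr_name(ipv4: str) -> str:
    """Reverse-lookup name for an IPv4 address (what `nslookup 192.168.178.1` asks for)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def build_query(name: str, qtype: str = "A", txid: Optional[int] = None) -> bytes:
    """Minimal recursion-desired (RD=1) query for name/qtype, class IN."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def _read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it in buf)."""
    labels: List[str] = []
    end = None                      # offset just past the first pointer, if any
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:   # compression pointer: follow it, but resume after it
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(buf: bytes) -> dict:
    """Parse header + answer section; return txid, rcode, TC flag and A/PTR rdata."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):             # skip echoed question(s)
        _, off = _read_name(buf, off)
        off += 4                    # QTYPE + QCLASS
    answers: List[str] = []
    for _ in range(an):
        _, off = _read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in buf[off:off + 4]))
        elif rtype == 12:
            answers.append(_read_name(buf, off)[0])
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x0F,
            "truncated": bool(flags & 0x0200), "answers": answers}


def probe(server: str, port: int, name: str, qtype: str = "A", timeout: float = 2.0) -> str:
    """One UDP query to server:port; distinguishes an answer, an rcode, and a timeout."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qtype, txid), (server, port))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout (nothing listening on that port, firewall drop, or resolver hung)"
        except OSError as exc:
            return f"error: {exc}"
    resp = parse_response(data)
    if resp["txid"] != txid:
        return "mismatched transaction id (reply ignored)"
    return f"{RCODES.get(resp['rcode'], str(resp['rcode']))} {resp['answers']}"


if __name__ == "__main__":
    # Constructed chain following Patrick's layout; edit to match your own setup.
    CHAIN = [("AGH via NAT on LAN address", "192.168.178.1", 53),
             ("AGH direct (firewall only)", "127.0.0.1", 53530),
             ("Unbound (firewall only)", "127.0.0.1", 53),
             ("Cloudflare upstream", "1.1.1.1", 53)]
    for label, host, port in CHAIN:
        print(f"{label:28s} A   homelabs.ltd  -> {probe(host, port, 'homelabs.ltd')}")
        print(f"{label:28s} PTR 192.168.178.1 -> {probe(host, port, ptr_name('192.168.178.1'), 'PTR')}")
```

Reading the output: a timeout at the LAN address but an answer at 127.0.0.1:53530 points at the NAT rule or a firewall rule; a timeout at 127.0.0.1:53530 but an answer at 127.0.0.1:53 points at AGH itself; an answer for A but NXDOMAIN for PTR means the reverse zone is not being served by Unbound; and a SERVFAIL only at the AGH hop usually means AGH's upstream setting does not match where Unbound actually listens.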

That's worth a try.
Binding AGH to localhost:53530 is not feasible in the UI.
Per your earlier post, I assume that you'd be specifying 127.0.0.1 as the bind_host.
And 0.0.0.0 is all interfaces?