[25.7] unbound as recursive dns server doesn't seem to work

Started by ajohn, July 26, 2025, 09:49:45 AM

UPDATE: never mind, network configuration error (upstream firewall still had DNS redirects)
Only valid comment is that the root.hints could use an update. Hints delivered with 25.7 are from 2023.

I'm very excited about installing the new OPNsense 25.7 on my new firewall, so I decided to start from scratch. I think I have found a bug.

After a clean install I run the setup wizard, disable the Override DNS setting and DO NOT configure a DNS server. I am expecting unbound to go out and contact root servers configured in /var/unbound/root.hints but instead unbound is throwing a SERVFAIL:

root@opntest:~ # drill . ns
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 43209
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; .    IN      NS

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 3 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Jul 26 09:33:57 2025
;; MSG SIZE  rcvd: 17

What am I missing?

Btw; unrelated, the root.hints could use an update. Hints delivered with 25.7 are from 2023.

Great for fixing it.

Have the authoritative name servers changed since 2023?

Don't think so.

Didn't check for changes but the recommendation is to update root hints every 6 months.

If it weren't so simple...

% curl -o root.min.hints https://www.internic.net/domain/named.root
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3310  100  3310    0     0   5483      0 --:--:-- --:--:-- --:--:--  5480
% git diff
diff --git a/src/opnsense/data/unbound/root.min.hints b/src/opnsense/data/unbound/root.min.hints
index 8b8a3b119..078d8c030 100644
--- a/src/opnsense/data/unbound/root.min.hints
+++ b/src/opnsense/data/unbound/root.min.hints
@@ -9,8 +9,8 @@
 ;           on server           FTP.INTERNIC.NET
 ;       -OR-                    RS.INTERNIC.NET
 ;
-;       last update:     December 20, 2023
-;       related version of root zone:     2023122001
+;       last update:     July 24, 2025
+;       related version of root zone:     2025072401
 ;
 ; FORMERLY NS.INTERNIC.NET
 ;
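Review bot: only the two comment lines change in this hunk (`last update` and `related version of root zone`); no NS, A or AAAA record lines appear in it, so the change is metadata-only. If this is submitted, state that in the commit message or pull request title so nobody reads the bump as a change to the root server addresses.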

The only thing that changes is the date in the comment. That's exactly why we don't bother updating it.
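To tell a comment-only bump like the diff above apart from a real change in the root servers, the check below parses two hints files and compares their records while ignoring the comment header. This is an added example, not code from the thread or from OPNsense; the sample hints it embeds are constructed and cut down to a few records for illustration.

```python
"""Compare two root hints files (named.root format) by DNS records.

Added example, not part of the forum thread. Comment lines starting with
';' are only used to pull out the 'last update' / zone version header;
the decision whether anything real changed is based on the records.
"""
import re

HEADER_RE = re.compile(r";\s*(last update|related version of root zone):\s*(.+)$")


def parse_hints(text):
    """Return (header, records).

    header: dict with the 'last update' and zone version from the comments.
    records: set of (owner, type, rdata) tuples, case-normalised, e.g.
             ('a.root-servers.net.', 'A', '198.41.0.4')
    """
    header, records = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()          # OWNER TTL TYPE RDATA...
        if len(fields) < 4:
            continue                   # not a record line, skip it
        owner, rtype, rdata = fields[0], fields[2], " ".join(fields[3:])
        records.add((owner.lower(), rtype.upper(), rdata.lower()))
    return header, records


def compare_hints(old_text, new_text):
    """Report header drift and the records added/removed between two files."""
    old_hdr, old_rec = parse_hints(old_text)
    new_hdr, new_rec = parse_hints(new_text)
    return {
        "header_changed": old_hdr != new_hdr,
        "added": sorted(new_rec - old_rec),
        "removed": sorted(old_rec - new_rec),
    }


# Constructed sample: a cut-down hints file with one root server.
OLD_HINTS = """\
;       last update:     December 20, 2023
;       related version of root zone:     2023122001
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
"""
# Same records, only the comment header bumped (like the diff in the thread).
DATE_ONLY_HINTS = OLD_HINTS.replace("December 20, 2023", "July 24, 2025") \
                           .replace("2023122001", "2025072401")
```

Run `compare_hints(open(a).read(), open(b).read())` on the shipped and freshly downloaded files; empty `added` and `removed` lists with `header_changed` set means the update touched nothing but the comment.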

Better update the subject line too!

Others may be discouraged to update reading the subject alone.