Advices to configure Unbound and Bind plugin for ad-block

[mayo]

After configured Bind, my network devices are not resolved as .myhome but .local. Any idea?

[mimino]

This recipe is described here https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/ doesn't seem to work without firewall rules, which basically eliminate unbound altogether. Just like mayo, I wasn't able to get it to work with unbound 'forward-addr'. Not sure what the issue is, and the unbound log just says that the UDP query to 127.0.0.1:53530 timed out with no signs of DNS queries on the BIND side. Would really appreciate it if some gurus could shed some light as to what might be happening here.

Update: I tried to do unbound forwarding to a pi-hole instance I have running on my LAN, and forwarding didn't work either. There might be something crucial we're missing in unbound configuration, just have to figure out what that is.

[mimugmail]

Outbound interface localhost?

[mimino]

Outbound interface localhost?

Nailed it! Thanks.

[mayo]

Hi mimino, could you please describe your configuration (I'll use Unbound with default config with Bind)? I'm tring to configure it from scratch and I don't want to make some mistakes...
Thank you so much!

[Northguy]

Hi mimino, could you please describe your configuration (I'll use Unbound with default config with Bind)? I'm tring to configure it from scratch and I don't want to make some mistakes...
Thank you so much!

Just follow the instructions from: https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/ and don't forget to set Outbound interface to localhost in the unbound settings. That is all.

[Brent Dacus]

All:

Trying to configure the BIND plugin.  I have read several post and

Followed this Guide https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/

It seems to work but I have some questions..

I also read this https://wiki.opnsense.org/manual/how-tos/bind.html

My goal is to have everything filtered and blocked. Use Unbound with forwarding. No firewall rules.  Not sure which guide to use?

What I have before Changing anything.
Systems settings general DNS server set to external dns aka 1.1.1.1, 8.8.8.8

Unbound DNS General
   enable resolver
   Network Interface ALL
   Local Zone Transparent
   Enable Forward         
   dhcp registrations and static mapping
   No custom entries
   Outgoing Network Interfaces ALL

Dhcpv4
no DNS server set forwarding Router IP as dns to clients


Questions:

This Guide https://wiki.opnsense.org/manual/how-tos/bind.html
Doesn't have a firewall rule.  It only has the Custom section.
Should I use this guide? Does this work directly with Unbound and my above setup?

I ask because when read posts I found this.
https://forum.opnsense.org/index.php?topic=10180.msg46878#msg46878
But that didnt seem to work for Mayo or Mimino
Northguy said use mimugmails guide and set localhost outgoing.  But that guide includes a firewall rule. 

Still a bit confused..

Also do I need to change any of my config above?

[mimugmail]

System DNS empty and Unbound outgoing Interface to localhost should be fine

[Brent Dacus]

ok so this guide
https://wiki.opnsense.org/manual/how-tos/bind.html or in general your guide with out firewall rule.

Set unbound
custom to
do-not-query-localhost: no
forward-zone:
name: ,,."
forward-addr: 127.0.0.1@53530

outgoing to local

and only change
Systems settings general DNS server set to Blank


Ok here we go...

[mimugmail]

Bind needs acl for localhost network. Then start looking at both logs

[Brent Dacus]

All:

I sorted it.  The documentation here https://wiki.opnsense.org/manual/how-tos/bind.html
and
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/

Has a TYPO..

do-not-query-localhost: no
forward-zone:
name: ,,."      <------------ Should be "."
forward-addr: 127.0.0.1@53530

If you copy and paste the above into the Custom section in Unboud.
It creates this in unbound.conf

# Unbound custom options
do-not-query-localhost: no
forward-zone:
name: �^`^~.�^`^|    <----------------Bad characters
forward-addr: 127.0.0.1@53530


Please use the below and retest.

do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530

Also Opnsense and Mimugmail please update the syntax in the Documentation.

[apiods]

Have tried setting this up, but am getting SERVFAIL when querying unbound DNS service. I think the problem is related to:

Code Select Expand

do-not-query-localhost

I added it to the custom config, but unbound would not reload, error:

opnsense: /services_unbound.php: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was '/var/unbound/unbound.conf:106: error: syntax error read /var/unbound/unbound.conf failed

Line 106 was:

Code Select Expand

do-not-query-localhost: no

Code Select Expand

Ran:  unbound-checkconf /var/unbound/unbound.conf
/var/unbound/unbound.conf:106: error: syntax error
read /var/unbound/unbound.conf failed: 1 errors in configuration file

Removed this line, and unbound started fine, but would not resolve queries, returned SERVFAIL (assume as it's not allowing lookups to localhost).

Looking at other forums, it's mentioned a few times that 'do-not-query-localhost' needs to be set in the server: section of the conf file.
In this case, it's set outside this, but if others have had it working successfully I'm wondering why it's an issue for me !

Running: OPNsense 18.7.10_3

Thanks.

[Brent Dacus]

Have tried setting this up, but am getting SERVFAIL when querying unbound DNS service. I think the problem is related to:

Code Select Expand

do-not-query-localhost

I added it to the custom config, but unbound would not reload, error:

opnsense: /services_unbound.php: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was '/var/unbound/unbound.conf:106: error: syntax error read /var/unbound/unbound.conf failed

Line 106 was:

Code Select Expand

do-not-query-localhost: no

in the custom section in unbound advanced

you need the entire section

do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530


Which Guide did you follow?  Guides are not very thorough. 

[apiods]

you need the entire section

do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530


Which Guide did you follow?  Guides are not very thorough.

Sorry, it wasn't clear in my post, but I did indeed have the complete config in the custom section:

Code Select Expand

do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530

Then got the Unbound startup error as it didn't like "do-not-query-localhost: no". Having removed just that one line, Unbound did start okay, but would not resolve (returned SERVFAIL) - assuming because it now can't use localhost to resolve.

Which Guide did you follow?  Guides are not very thorough.

I just used the ones mentioned in this thread:
https://wiki.opnsense.org/manual/how-tos/bind.html
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/

Plus the tip on this thread to configure Unbound with Outbound interface: localhost.
The guides seem pretty straight forward - I just don't understand why I seem to be the only one getting an error when using "do-not-query-localhost: no" !!

[apiods]

opnsense: /services_unbound.php: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was '/var/unbound/unbound.conf:106: error: syntax error read /var/unbound/unbound.conf failed

Line 106 was:

Code Select Expand

do-not-query-localhost: no

Okay ... I found the cause of my issue and "fixed" it. Unbound would not start with the custom options config in place as I also had a 'Domain Override' in place - for a sub-domain I use for testing locally.

Once I removed the Domain Override, Unbound started fine and forwarding to BIND localhost worked.
Assume it's something in the config order that Unbound does not like, as the domain override sticks a couple of lines in unbound.conf before custom options.

How can I report this as a bug ?