Can you check with tcpdump on WAN If you see DNS traffic on 53 or just 443.
tcpdump -ni ix0 port 53
listening on ix0
0 packets captured
130285 packets received by filter
0 packets dropped by kernel

tcpdump -ni ix0 port 443
listening on ix0
3109 packets captured
2318077 packets received by filter
0 packets dropped by kernel
...
11:00:31.179125 IP 1.0.0.1:443 > WAN_IP:17505: flags [.] ack 18163, win 63, length 0
11:00:31.179377 IP 1.0.0.1:443 > WAN_IP:17505: flags [F.] seq 53635, ack 18162, win 63, length 0
Then it's surely an error at Cloudflare not detecting it as encrypted ...
Are you using Pi-hole by any chance? I have the same issue.
Question: Will this setup cause any issues with setting up Dynamic DNS? On the DDNS creation page it says:
Quote: "You must configure a DNS server in System: General setup or allow the DNS server list to be overridden by DHCP/PPP on WAN for dynamic DNS updates to work."
But with this setup neither of those is done.
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
    forward-first: yes
Domain overrides change the section from "server:" to "forward-zone:". To fix the error in the configuration, you need to add a "server:" line before "do-not-query-localhost: no".
Also, if you are not worried about a few leaked DNS requests, you can use the option "forward-first: yes", so that if DNSCrypt-Proxy has failed (or has not started yet), Unbound will fall back to normal resolving. This gives you a much more stable but a bit less private configuration.
Also make sure that you did not set any specific "Outgoing Network Interfaces", otherwise Unbound will fail to connect to loopback addresses.
The GeoIP-with-aliases addition to OPNsense came at a good time. According to ipleak.net mine was using a dnscrypt server in China. Seems like a bad idea. I had no idea dnscrypt-proxy servers in CN were added to the official list.
Thanks for the additional information. I had no problems over 1 year with this config, and OPNsense also has this in its official documentation, see: https://wiki.opnsense.org/manual/how-tos/dnscrypt-proxy.html?
Quote: "Domain overrides change the section from "server:" to "forward-zone:". To fix the error in the configuration, you need to add a "server:" line before "do-not-query-localhost: no"."
I have 1 override in Unbound and all works fine. But people who have problems can try to write "server:" at the beginning of "custom options". This already exists in unbound.conf.
Quote: "Also make sure that you did not set any specific "Outgoing Network Interfaces", otherwise Unbound will fail to connect to loopback addresses."
In the past I chose "localhost" on Outgoing Network Interface because I had the assurance that traffic goes to DNSCrypt, but this was removed since OPNsense 19. Now you must choose "All".
Quote from: cake on January 17, 2020, 10:06:46 pm: "The GeoIP-with-aliases addition to OPNsense came at a good time. According to ipleak.net mine was using a dnscrypt server in China. Seems like a bad idea. I had no idea dnscrypt-proxy servers in CN were added to the official list."
That's why you can use your trusted and favorite servers on "Server List" ;-)
karlson2k: This will work if you have a host override. But any single domain override will break it. On the other hand, even if you don't have any overrides, the line "server:" will not harm anything. So the safe and future-proof solution is to add "server:". In this case the configuration will not break after future changes, which can include domain overrides.
karlson2k: Yes, it must be set to "All". Otherwise the configuration will not work. It is worth mentioning it in your "HOWTO". I spent some time before I figured out why my configuration didn't work at all.
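As an added illustration of the section problem described here and in the earlier post about adding "server:" (example code written for this thread, not from the forum, OPNsense or Unbound): a small Python checker that reads a constructed unbound.conf the way Unbound does, assigning each option to the most recent section header, and flags a server-only option that a preceding domain-override "forward-zone:" block has pulled into the wrong section. The sample config, the override domain and the two option lists are assumptions.

```python
# Constructed sample of what the generated unbound.conf can look like when a
# domain override exists: the override's forward-zone block is written before
# the custom options, so the first custom line no longer sits under "server:".
BROKEN = """\
server:
    verbosity: 1
    interface: 127.0.0.1
forward-zone:
    name: "example.lan"
    forward-addr: 192.0.2.53
do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
    forward-first: yes
"""

# Same file with the "server:" line added in front of the custom options.
FIXED = BROKEN.replace("do-not-query-localhost: no",
                       "server:\ndo-not-query-localhost: no")

# Options Unbound accepts only under the named section (assumed subset).
SERVER_ONLY = {"do-not-query-localhost", "interface", "verbosity"}
FORWARD_ZONE_ONLY = {"name", "forward-addr", "forward-first"}


def options_with_section(conf_text):
    """Yield (section, key, value) for every option line in an unbound.conf."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.endswith(":") and " " not in line:
            section = line[:-1]                  # "server:" / "forward-zone:"
            continue
        key, _, value = line.partition(":")
        yield section, key.strip(), value.strip().strip('"')


def misplaced_options(conf_text):
    """Return options that landed in a section where Unbound rejects them."""
    bad = []
    for section, key, value in options_with_section(conf_text):
        if key in SERVER_ONLY and section != "server":
            bad.append((section, key, value))
        elif key in FORWARD_ZONE_ONLY and section != "forward-zone":
            bad.append((section, key, value))
    return bad
```

Running `misplaced_options(BROKEN)` reports "do-not-query-localhost" under "forward-zone", which is the error the thread describes; the same call on `FIXED` returns an empty list.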