Reproducible DNS resolution problems with Unbound

Started by adiz0r, February 02, 2020, 11:56:36 PM

Hello all,

This is my first post here, so a short introduction: I'm a seasoned *nix sysadmin (Solaris and Linux at $DAYJOB, and whatever I can get my hands dirty with at home), but quite new to OPNsense. I tried to look for an answer to my problem, but could not find one - apologies if I just missed something.

I have recently migrated my home network from a Turris Omnia to OPNsense/APU2C2, but DNS resolution with the default Unbound is still flaky. I set it up in standalone mode without upstream resolvers. After restarting Unbound (to clear the cache), the first resolution of any DNS record with the host command always ends completely or partially in not found/SERVFAIL. The 2nd try works; I assume Unbound gets and caches the results in the meantime.

The clients I tried it with: Macs on WiFi, a wired FreeNAS box (11.2U7) and locally, on the router. Same results.

I used "host" only for testing, but the bug manifests itself with "real" clients, too. And it's pretty annoying when the browser comes back with a "$YOURFAVOURITESEARCHENGINE does not exist". :)

I did not test caching intentionally, but I remember that retrying a DNS record after sufficient time repeated these results: first answer failed, as if Unbound had been restarted.

Alternatively, I stopped Unbound and quickly set up DNSmasq with 1.1.1.1 as upstream - it works flawlessly. But I prefer to use my own DNS resolver and not rely on any provider.


Has anyone else experienced the same problem or am I doing something wrong?


(I have been using Unbound on a small and old Debian box for years, but haven't yet seen anything like this.)

Packet capture of port 53 on WAN and logs would be interesting. Unbound is known to be not the fastest one on startup.

Thanks mimugmail for the suggestions, I've solved it meanwhile. It's a mix of PEBKAC :) and probably bad defaults.

Unbound tries to connect via IPv6 even when it's not available on WAN. My ISP is Drei in Austria and I use a USB LTE stick in PPP/TTY mode, so I can have a public IPv4 address on my router. But they do not provide IPv6, so the ppp0 interface has only an fe80:* address. Unfortunately it's enough to fool Unbound.

Solution: add

do-ip6: no

under Services -> Unbound DNS -> General -> Custom options.

(For the record: the ZTE MFE 831 USB LTE stick works very well with OPNsense.)

do-ip6 is relatively dangerous, we tried to play with it for a bit:

https://github.com/opnsense/core/commit/53024b5c159c

Only use it if you do not have IPv6 in your network at all. In that case you can disable IPv6 from Firewall: Settings: Advanced by unchecking "Allow IPv6", and do-ip6: no is set automatically.


Cheers,
Franco
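The two posts above describe the same setting from opposite sides: do-ip6: no fixed the SERVFAILs for a WAN that carries only a link-local fe80:: address, but it is a blunt tool, because in unbound.conf do-ip6 controls both whether queries are sent to IPv6 authoritative servers and whether Unbound answers queries on IPv6 at all, so it also cuts off clients that reach the resolver over ULA addresses. The script below is an added example, not code from the thread or from OPNsense: it classifies the addresses an interface listing would show (a constructed sample mirroring the poster's ppp0/LAN layout, with hypothetical fd12:: and 2001:db8:: addresses, the latter being the documentation prefix) and emits the custom-options line only when no interface has a globally routable IPv6 address. The function names and the address sample are assumptions for illustration.

```python
"""Decide whether Unbound may use IPv6 for outgoing queries.

Added example, not from the forum thread or from OPNsense. Link-local
(fe80::/10) and unique-local (fc00::/7, ULA) addresses cannot reach
authoritative servers on the internet, so with only those present the
default "do-ip6: yes" makes Unbound attempt upstream queries over IPv6
that cannot succeed. Only a globally routable IPv6 address justifies
leaving IPv6 enabled.
"""
from ipaddress import IPv6Address, ip_address, ip_network

LINK_LOCAL = ip_network("fe80::/10")
UNIQUE_LOCAL = ip_network("fc00::/7")  # ULA, in practice fd00::/8

# Constructed sample resembling the poster's setup: a PPP WAN with only a
# link-local address, a LAN with a ULA prefix and an RFC 1918 IPv4 address.
# All addresses are hypothetical; 2001:db8::/32 is the documentation prefix.
SAMPLE_NO_GLOBAL_V6 = [
    ("ppp0", "fe80::1234:5678:9abc:def0%ppp0"),
    ("igb1", "fd12:3456:789a::1"),
    ("igb1", "192.168.1.1"),
]
SAMPLE_WITH_GLOBAL_V6 = SAMPLE_NO_GLOBAL_V6 + [("ppp0", "2001:db8:1::1")]


def is_global_v6(addr: str) -> bool:
    """True if addr is an IPv6 address outside the link-local and ULA ranges.

    A zone id such as "%ppp0" is stripped before parsing. Loopback and the
    unspecified address are never considered global.
    """
    ip = ip_address(addr.split("%", 1)[0])
    if not isinstance(ip, IPv6Address):
        return False
    if ip.is_loopback or ip.is_unspecified:
        return False
    return ip not in LINK_LOCAL and ip not in UNIQUE_LOCAL


def has_global_v6(addresses) -> bool:
    """True if any (interface, address) pair carries a global IPv6 address."""
    return any(is_global_v6(addr) for _, addr in addresses)


def unbound_custom_options(addresses) -> str:
    """Line to paste into Services > Unbound DNS > General > Custom options.

    Returns an empty string when a global IPv6 address exists, i.e. keep
    Unbound's default. Note that "do-ip6: no" also stops Unbound from
    answering on IPv6, so ULA-only clients lose the resolver over v6.
    """
    if has_global_v6(addresses):
        return ""
    return "do-ip6: no"


if __name__ == "__main__":
    for name, sample in (("link-local WAN only", SAMPLE_NO_GLOBAL_V6),
                         ("global IPv6 present", SAMPLE_WITH_GLOBAL_V6)):
        print(f"{name}: {unbound_custom_options(sample) or '(keep default)'}")
```

The address-based check is a heuristic: Unbound itself has no notion of which addresses are reachable and will use whatever sockets the kernel gives it, which is exactly why a lone fe80:: address on ppp0 was enough to trigger the failures described above. If the LAN keeps ULA addresses and clients are expected to query the resolver over IPv6, the trade-off Franco points out applies and do-ip6: no is not the right switch.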

I think I had a similar one solved via System : Settings : General : Prefer IPv4

Hi all,

I think an output tab showing the current *.conf of the service, which is partly composed from several tabs (confs), would be a good thing in general, because even the extended descriptions under the configuration tabs alone give no knowledge about the parameter you set, at least not in the GUI!

cheers
till

Quote from: mimugmail on February 03, 2020, 02:57:54 PM
I think I had a similar one solved via System : Settings : General : Prefer IPv4

It has been set since the beginning, but alas did not help.

Quote from: franco on February 03, 2020, 01:01:49 PM
do-ip6 is relatively dangerous, we tried to play with it for a bit:

https://github.com/opnsense/core/commit/53024b5c159c

Only use it if you do not have IPv6 in your network at all. In that case you can disable IPv6 from Firewall: Settings: Advanced by unchecking "Allow IPv6", and do-ip6: no is set automatically.

I don't want to disable IPv6 completely, as I have ULA addresses on my home network (in the past I played with a HE tunnel, but the closest gateway is in either Prague or Budapest and adds too much delay to the RTT).