OPNsense 20.1 - problems with DNS

Started by votan, March 16, 2020, 03:54:49 PM

Hello,
I upgraded from 19.7 to 20.1 - in general, OPNsense works.
With a frequency of 4-5 times a day, I get a DNS problem that I cannot nail down - can you please help:

- Clients in the network cannot resolve DNS anymore when this happens, e.g. I cannot open google.de in the web browser or ping google.de.
"dig google.de" then does not show me any IP address.

- If I go to "Interfaces-Diagnostics-DNS Lookup" on the OPNsense GUI and then enter "google.de" there, I do get
a result, but it takes very long (roughly one minute) until I get a result. The DNS requests are reported to take only 20-40 ms, so it looks like this is a problem within OPNsense, not upstream.

- Restarting Unbound does not solve the problem

- Restarting the whole of OPNsense does solve the problem, but only for a short amount of time

- htop on OPNsense is not showing me any process that could be a problem / that would be stale

Any idea what could cause the problem, what a solution could be, or how I could even nail it down?
Appreciate your help,
votan

Hi

I'm having the same issue with DNS.
I have now upgraded to 20.1.3.
Will update if it gets better.

Have you changed any settings in Unbound? By default it uses the ROOT DNS servers.

You could change it to forward upstream to Cloudflare or Google; add this to the advanced bit:


server:
forward-zone:
  name: "."
  forward-addr: 1.1.1.1
  forward-addr: 8.8.8.8

March 19, 2020, 03:17:27 PM #3 Last Edit: March 19, 2020, 03:20:29 PM by iMx
I had problems with Cloudflare DNS the last few weeks, along with various other people on Twitter at the same time, switching to Google resolved it for me.

I couldn't resolve things like Google, Twitter, various random sites.

I'm already running with Cloudflare DNS + DoT for over a year without any issues.
This is my config:

server:
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853 #Cloudflare ip4
  forward-addr: 1.0.0.1@853 #Cloudflare ip4


I didn't try switching to Google.

Hi,

Unbound doesn't perform the verification of the server certificate by itself. You have to configure it to prevent MitM.


server:
  tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
  forward-addr: 1.1.1.1@853#cloudflare-dns.com

This should be fine for Cloudflare.


Source for other DNS servers supporting DoT (DoH):
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c9
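As an added illustration of the point above about certificate verification (example code written for this thread, not code from the posters, OPNsense or Unbound): a small audit that parses Unbound forward-zone snippets like the ones posted here and reports, per forwarder, whether TLS is on, whether an auth name (`#hostname`) is set, and whether a `tls-cert-bundle` or `tls-system-cert` exists to validate it. The two sample configs are constructed, modelled on the weak and the hardened forms discussed in the thread; the option names are Unbound's own.

```python
import re
# Constructed samples modelled on the configs posted in this thread, not the posters' exact files.
WEAK = """server:
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853 #Cloudflare ip4
"""
HARDENED = """server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""

def parse_unbound(text):  # -> (server options, [forward-zone options]); values are lists, options repeat
    server, zones = {}, []
    cur = server  # options before any clause header count as server options
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # '#' after whitespace is a comment; '#name' on an address is not
        while line:  # "server: tls-cert-bundle: ..." puts an option on the header line, so loop
            key, _, line = (part.strip() for part in line.partition(":"))
            if key == "forward-zone":
                zones.append(cur := {})
            elif key == "server":
                cur = server
            else:
                cur.setdefault(key, []).append(line.strip('"'))
                line = ""
    return server, zones

def audit(text):  # findings per forwarder; [] means every upstream is encrypted and authenticated
    server, zones = parse_unbound(text)
    on = lambda opts, *keys: any(opts.get(k, ["no"])[-1] == "yes" for k in keys)
    tls_all = on(server, "tls-upstream", "ssl-upstream")  # server-wide switch (ssl-upstream is the older alias)
    can_verify = "tls-cert-bundle" in server or on(server, "tls-system-cert")
    findings = []
    for z in zones:
        tls = tls_all or on(z, "forward-tls-upstream", "forward-ssl-upstream")
        for addr in z.get("forward-addr", []):
            if not tls:
                findings.append(f"{addr}: plaintext DNS to forwarder")
            elif "#" not in addr:
                findings.append(f"{addr}: TLS but no auth name, certificate not checked against a hostname")
            elif not can_verify:
                findings.append(f"{addr}: auth name set but no tls-cert-bundle/tls-system-cert to validate it")
            if tls and "@" not in addr:
                findings.append(f"{addr}: no explicit port, DoT resolvers listen on 853")
    return findings
```

Running `audit(WEAK)` flags the Cloudflare forwarder as encrypted but unauthenticated, while `audit(HARDENED)` returns an empty list.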


Thanks Mks. I will try that.

But what about the DNS issues that started after over a year without problems?

Same issue here... since the update. Some clients (e.g. NAS) are no longer able to resolve via Unbound DNS running on OPNsense...


I'm having DNS issues as well using Unbound in forwarding mode (DNS servers configured in general settings as well as in the Unbound advanced options with the settings posted by y2kw).

Switched to dnsmasq now, but still have the "slowness" on some devices.

Hi,

Now that you mention it, I have also experienced some "small" issues.

Error from the log:

info: error sending query to auth server
error: outgoing tcp: connect: Address already in use for
error: tcp connect: Operation timed out for


I'm using DoT with certificate validation, but this doesn't seem to be the problem.


br

Could it be somehow related to certificate providers?

I noticed that I have HTTP connections to OCSP domains (in my understanding used during the TLS handshake to validate certificates) in the proxy log.
Tracert and ping, e.g. to GoDaddy or DigiCert, are slow currently. Don't know if there are some general problems slowing down requests?


Has anyone figured out why clients (based on Linux) have issues resolving names since the last update of OPNsense, and Windows machines don't?

My NAS and Ubiquiti Controller are not able to resolve addresses anymore, using OPNsense as DNS and gateway.

Quote from: y2kw on March 23, 2020, 10:44:39 AM
Thanks Mks. I will try that.

But what about the DNS issues that started after over a year without problems?

Does this go into the same section as where I specified the TLS info?

Hi, I just upgraded two routers to 20.1.6 and my DNS stopped working too.

My DNS config:

server:
  ssl-upstream: yes
forward-zone:
  name: "."
  forward-addr: 46.182.19.48@853
  forward-addr: 146.185.167.43@853


If I delete these entries, it is working again. See configuration screenshot.

This issue occurred after the upgrade on two OPNsenses with different ISPs and different hardware.