Unbound not returning results

Started by ManBat, May 31, 2020, 06:25:57 PM

Hi All,

I am new to OPNsense.  I'm trying to replace an existing firewall with OPNsense.  I've configured it and it appears to be working well enough: multi-WAN load balancing and some very basic rules, and I can indeed reach the internet if I reconfigure the endpoints' default gateways.  It also seems to be dealing with my VLANs.

I have configured :

System: General: DNS Servers to point at OpenDNS.  If I use Interfaces: Diagnostics I can get addresses on the internet to resolve.  I have enabled and disabled "Do not use the local DNS service as a nameserver for this system" to no avail.

Unbound DNS: configured on port 53 and logging cranked up to 11 (OK, 5).  Forwarding enabled and query logging configured.

Firewall rules: I have enabled access from the LAN to port 53 on the firewall.  In the firewall logs I can see the requests coming in on port 53 *AND*, what's interesting, I also see outbound traffic on port 53 (as if the forwarding is attempting to go out).  Everything is passing the pass rules with no drops.


Problem is I get timeouts from nslookup.  I also get nothing in the logs (in the UI) for Unbound.

I also added local overrides in Unbound and tried to look those up; that also didn't work.  I read something about a bug in overrides, so I then removed them all as a test; still no joy.

What else can I check?  What else am I missing?

Cheers
MB

I should probably have made it clearer, I don't see *anything* related to the apparent activity in the unbound logs.

Unbound DNS usually works out of the box.  Here are my settings, a bit more than just basic, but they work well.


In System->Settings->General Networking, there is nothing ticked or entered, just leave it all empty.


Unbound->General

Network Interfaces: All except WAN
The entry for custom options is this:

# ssl-upstream (newer Unbound calls it tls-upstream) is a server: option, so it
# must come before the forward-zone: clause
ssl-upstream: yes
forward-zone:
    name: "."
    # Unbound syntax is ip@port#authname; with a space before '#' the rest of the
    # line is only a comment, so these entries encrypt to port 853 but do not
    # verify the upstream certificate. To authenticate, append the resolver's
    # TLS name without a space (e.g. 9.9.9.9@853#dns.quad9.net) and set
    # tls-cert-bundle to a CA bundle.
    forward-addr: 9.9.9.9@853 #Quad9 ip4
    forward-addr: 149.112.112.112@853 #Quad9 ip4
    forward-addr: 2620:fe::fe@853 #Quad9 ip6
    forward-addr: 1.1.1.1@853 #Cloudflare ip4
    forward-addr: 1.0.0.1@853 #Cloudflare ip4
    forward-addr: 2606:4700:4700::1111@853 #Cloudflare ip6
    forward-addr: 2606:4700:4700::1001@853 #Cloudflare ip6

Unbound->Advanced

Try that; it's been working for me for a long time.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member
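Whether forward-addr lines like the ones above actually authenticate the upstream is easy to overlook, so here is an added Python lint (not from the thread, and not OPNsense or Unbound code) that parses a custom-options fragment and flags forward-addr entries without an authentication name, TLS ports used without ssl-upstream/tls-upstream, and authentication names used without a CA bundle. Both sample fragments are constructed: the first is the posted config, the second a hardened variant whose authentication names (dns.quad9.net, cloudflare-dns.com) and bundle path (/etc/ssl/cert.pem) are assumptions to verify against your own upstream and platform.

```python
"""Lint an Unbound custom-options fragment for DNS-over-TLS forwarding.

Added example, not from the forum thread, OPNsense or Unbound.  Unbound's
forward-addr syntax is ip@port#authname; when '#' is preceded by a space the
rest of the line is a comment, so '9.9.9.9@853 #Quad9' forwards over TLS
without checking whose certificate it receives.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the custom options posted above, verbatim.
POSTED = """\
ssl-upstream: yes
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853 #Quad9 ip4
    forward-addr: 149.112.112.112@853 #Quad9 ip4
    forward-addr: 2620:fe::fe@853 #Quad9 ip6
    forward-addr: 1.1.1.1@853 #Cloudflare ip4
    forward-addr: 1.0.0.1@853 #Cloudflare ip4
    forward-addr: 2606:4700:4700::1111@853 #Cloudflare ip6
    forward-addr: 2606:4700:4700::1001@853 #Cloudflare ip6
"""

# Constructed hardened variant.  Assumptions: the auth names are the
# resolvers' DoT hostnames and /etc/ssl/cert.pem is the CA bundle on the box.
HARDENED = """\
tls-upstream: yes
tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

ZONE_KEYS = {"name", "forward-addr", "forward-host", "forward-first", "forward-tls-upstream"}


def split_addr(token: str) -> Dict[str, object]:
    """'ip@port#auth' -> parts; port defaults to 53 as in Unbound."""
    hostpart, _, auth = token.partition("#")
    ip, _, port = hostpart.partition("@")
    return {"ip": ip, "port": int(port) if port else 53, "auth": auth or None}


def parse_options(text: str) -> Tuple[Dict[str, str], List[dict]]:
    """Split a fragment into server-level options and forward-zone clauses.

    The value is the first whitespace-delimited token after the colon, so a
    trailing ' #comment' is dropped while an attached '#authname' is kept.
    """
    server: Dict[str, str] = {}
    zones: List[dict] = []
    zone: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        key = key.strip()
        tokens = rest.split()
        value = tokens[0] if tokens else ""
        if key == "forward-zone":
            zone = {"name": None, "addrs": [], "opts": {}}
            zones.append(zone)
        elif zone is not None and key in ZONE_KEYS:
            if key == "name":
                zone["name"] = value.strip('"')
            elif key in ("forward-addr", "forward-host"):
                zone["addrs"].append(split_addr(value))
            else:
                zone["opts"][key] = value
        else:
            zone = None  # any other keyword ends the forward-zone clause
            server[key] = value
    return server, zones


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    server, zones = parse_options(text)
    global_tls = server.get("tls-upstream", server.get("ssl-upstream", "no")) == "yes"
    findings: List[str] = []
    for zone in zones:
        tls = global_tls or zone["opts"].get("forward-tls-upstream") == "yes"
        for a in zone["addrs"]:
            where = f"zone {zone['name']!r} {a['ip']}@{a['port']}"
            if a["port"] == 853 and not tls:
                findings.append(f"{where}: TLS port but no tls-upstream/ssl-upstream; plaintext DNS would be sent to 853")
            if tls and not a["auth"]:
                findings.append(f"{where}: no authentication name (ip@853#hostname), upstream certificate is not verified")
    uses_auth = any(a["auth"] for z in zones for a in z["addrs"])
    if uses_auth and "tls-cert-bundle" not in server and server.get("tls-system-cert") != "yes":
        findings.append("authentication names set but no tls-cert-bundle/tls-system-cert; Unbound has no CA to verify against")
    return findings


if __name__ == "__main__":
    for title, fragment in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"{title}: {len(lint(fragment))} finding(s)")
        for finding in lint(fragment):
            print("  -", finding)
```

Run against the posted fragment it reports one finding per forward-addr (seven, all "no authentication name"); the hardened variant reports none. Once you add authentication names, a wrong hostname or a missing bundle makes every upstream fail rather than silently downgrade, which is the behaviour you want from a resolver you trust for the whole LAN.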

Hi marjohn,

So I bottomed it out in the end.  I went through a number of steps: enabled it, checked to see if it was bound to the right IP addresses (via the process list/netstat), tested it via Interfaces->Diagnostics, and tried to query from the firewall itself for things both outside and things that were only in the overrides.  Anything from off the box did not resolve and didn't put anything in the Unbound log.

Long story short, it was some issue with the firewall, and I suspect something quirky with "quick match", which I have yet to fully wrap my head around for *allow* rules.  Oddly enough, you could see the query match the port and be allowed inbound: you'd get a "pass" in the firewall log from the client on port 53 to the IP+port that Unbound was definitely bound to on the firewall itself.

If I had to guess, I think some other "quick match" rule behaviour meant that it was hitting one rule (pass) and then somehow hitting another which wasn't logging, and then some kind of priority problem ensued and the firewall silently dropped the packet.

When I binned all my rules and started afresh, and got rid of quick match as a concept, it started to work.

Thanks for replying though :)
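ManBat's guess about rule matching is easier to reason about with pf's evaluation order written out. The following Python model is an added example, not code from the thread, OPNsense or pf, and its rules, addresses and packets are constructed: it shows how a pass rule can match a LAN DNS query and still lose to a later block when it is not quick, and what changes when quick is set or a quick block sits above it.

```python
"""Model pf's rule evaluation to show what 'quick' changes.

Added example; not from the thread, OPNsense or pf.  It keeps the two pf
facts that matter here: rules are evaluated top to bottom and the LAST
matching rule decides, unless a matching rule is marked quick, which ends
evaluation at once.  OPNsense creates interface rules with quick set by
default while floating rules are non-quick unless ticked.  States, packet
direction and NAT are out of scope of this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # source network in CIDR notation
    proto: Optional[str]   # "udp", "tcp" or None for any protocol
    dport: Optional[int]   # destination port or None for any port
    quick: bool            # stop evaluating once this rule matches
    label: str


@dataclass
class Packet:
    src: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every criterion the rule specifies."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides the packet.

    The implicit default deny at the end of an OPNsense ruleset is the
    starting decision; a non-quick pass only wins if nothing below it
    matches as well.
    """
    decision = ("block", "default deny")
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.label)
            if rule.quick:
                break
    return decision


# Constructed data: a LAN client querying the firewall's resolver on UDP/53.
LAN = "192.168.1.0/24"
DNS_QUERY = Packet("192.168.1.50", "udp", 53)

# A pass rule that is not quick, followed by a broad block further down
# (for example a catch-all on a floating tab).  The pass rule matches, but
# the later block matches too and, being last, decides.
NOT_QUICK = [
    Rule("pass", LAN, "udp", 53, quick=False, label="LAN -> firewall DNS"),
    Rule("block", "0.0.0.0/0", None, None, quick=False, label="catch-all block"),
]

# The same rules with the pass marked quick: evaluation stops at the first match.
QUICK = [
    Rule("pass", LAN, "udp", 53, quick=True, label="LAN -> firewall DNS"),
    Rule("block", "0.0.0.0/0", None, None, quick=False, label="catch-all block"),
]

# A quick block placed above the pass: the pass rule is never considered.
BLOCK_FIRST = [
    Rule("block", "0.0.0.0/0", "udp", 53, quick=True, label="block DNS"),
    Rule("pass", LAN, "udp", 53, quick=True, label="LAN -> firewall DNS"),
]

if __name__ == "__main__":
    for name, ruleset in (("not quick", NOT_QUICK), ("quick", QUICK), ("block first", BLOCK_FIRST)):
        print(f"{name:>12}: {evaluate(ruleset, DNS_QUERY)}")
```

The practical check on a real box is to read the ruleset pf actually loaded (pfctl -sr on the firewall shell) rather than the GUI tabs, and to look for non-quick rules and for anything matching the same traffic below your pass rule; if the pass must win regardless of what follows, it needs quick.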