Trying to use NextDNS for Unbound but lose connection.

Started by Ronin, September 03, 2020, 01:29:40 PM

Hi all

I am new to Opnsense and Unbound. I want to use NextDNS for DNS over TLS.

The below config is what is on the NextDNS website.

Use the following in unbound.conf:


forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#e78da1.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#e78da1.dns1.nextdns.io
  forward-addr: 45.90.30.0#e78da1.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#e78da1.dns2.nextdns.io


But after I input that in Unbound's Custom options box and click save and apply, I lose my DNS connection (can't even go to google.com).

Here is the log:

2020-09-03T12:13:49 unbound[2080] [2080:2] info: 192.168.1.141 zb7dq19nvmq-e78da1.test.nextdns.io. A IN
2020-09-03T12:13:49 unbound[2080] [2080:3] info: 192.168.1.141 zb7dq19nvmq-e78da1.test.nextdns.io. A IN
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: ssl handshake failed 45.90.28.0 port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: ssl handshake failed 45.90.30.0 port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: ssl handshake failed 45.90.28.0 port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: ssl handshake failed 45.90.30.0 port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: ssl handshake failed 45.90.28.0 port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: ssl handshake failed 45.90.30.0 port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: for addr 2a07:a8c0:: port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: no TCP outgoing interfaces of family
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: for addr 2a07:a8c0:: port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: no TCP outgoing interfaces of family
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: for addr 2a07:a8c1:: port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: no TCP outgoing interfaces of family
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: for addr 2a07:a8c1:: port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: no TCP outgoing interfaces of family
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: for addr 2a07:a8c1:: port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: no TCP outgoing interfaces of family
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: for addr 2a07:a8c1:: port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: no TCP outgoing interfaces of family
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: ssl handshake failed 45.90.30.0 port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: ssl handshake failed 45.90.30.0 port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: for addr 2a07:a8c1:: port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: no TCP outgoing interfaces of family
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: for addr 2a07:a8c0:: port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: no TCP outgoing interfaces of family
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: ssl handshake failed 45.90.28.0 port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: for addr 2a07:a8c0:: port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: no TCP outgoing interfaces of family
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: for addr 2a07:a8c0:: port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: no TCP outgoing interfaces of family
2020-09-03T12:13:49 unbound[2080] [2080:3] notice: ssl handshake failed 45.90.28.0 port 853
2020-09-03T12:13:49 unbound[2080] [2080:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020-09-03T12:13:49 unbound[2080] [2080:3] info: 192.168.1.141 zb7dq19nvmq-e78da1.test.nextdns.io. A IN
2020-09-03T12:13:49 unbound[2080] [2080:0] info: start of service (unbound 1.11.0).



But if I put the following it is working fine.

server:
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 9.9.9.9@853 #Quad9 ip4
  forward-addr: 149.112.112.112@853 #Quad9 ip4
  forward-addr: 2620:fe::fe@853 #Quad9 ip6
  forward-addr: 1.1.1.1@853 #Cloudflare ip4
  forward-addr: 1.0.0.1@853 #Cloudflare ip4
  forward-addr: 2606:4700:4700::1111@853 #Cloudflare ip6
  forward-addr: 2606:4700:4700::1001@853 #Cloudflare ip6


Can anyone please help me? I really want to use NextDNS because of a lot of the features they have on their WebUI.

Many thanks

September 04, 2020, 01:08:58 AM #1 Last Edit: September 04, 2020, 01:11:34 AM by mrancier
server:
      tls-cert-bundle: "/etc/ssl/cert.pem"

Thanks so much for this. I just ran into the exact same thing and this seems to have resolved it.

I'm having trouble with this myself.

Anyone mind showing me an updated unbound config file?
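As an added example (not code from this thread, OPNsense or NextDNS), a small Python lint for an Unbound custom-options snippet: it parses the forward-addr syntax IP[@port][#authname] and flags the two failures visible in the log above (an auth name without tls-cert-bundle gives "certificate verify failed"; an IPv6 upstream on a box without IPv6 egress gives "no TCP outgoing interfaces of family") plus the case the Quad9/Cloudflare config shows: TLS without an auth name is encrypted but the upstream is not authenticated. The ipv6_egress flag and the sample config are constructed for the example; ipv6_egress is not an Unbound option.

```python
import re

CLAUSE_RE = re.compile(r"^(\S+):\s*$")                       # "server:" / "forward-zone:"
ADDR_RE = re.compile(r"^([^@#\s]+)(?:@(\d+))?(?:#(\S+))?$")  # IP[@port][#authname]

# Constructed sample: the NextDNS snippet from the first post, without a CA bundle
NEXTDNS_CONF = """forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#e78da1.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#e78da1.dns1.nextdns.io
"""


def parse_unbound(conf):
    """Return (options, forward_addrs): options maps 'clause/key' -> value,
    forward_addrs is a list of (ip, port-or-None, authname-or-None)."""
    opts, addrs, clause = {}, [], "server"
    for raw in conf.splitlines():
        # ' #...' is a comment; 'IP#authname' has no whitespace before '#' and is kept
        line = re.split(r"\s#", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("#"):
            continue
        if CLAUSE_RE.match(line):
            clause = line[:-1]
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        m = ADDR_RE.match(val) if key == "forward-addr" else None
        if m:
            addrs.append((m.group(1), m.group(2) and int(m.group(2)), m.group(3)))
        else:
            opts[f"{clause}/{key}"] = val
    return opts, addrs


def lint_dot(conf, ipv6_egress=False):
    """Return findings for a DoT forward-zone snippet; [] means it looks sane."""
    opts, addrs = parse_unbound(conf)
    findings = []
    tls = any(opts.get(f"forward-zone/{k}") == "yes"
              for k in ("forward-tls-upstream", "forward-ssl-upstream"))
    if not tls:
        findings.append("forward-tls-upstream is not 'yes': upstream queries go in plaintext")
    authed = [ip for ip, _, auth in addrs if auth]
    if tls and authed and "server/tls-cert-bundle" not in opts:
        findings.append("auth names set but no tls-cert-bundle: expect "
                        f"'certificate verify failed' for {', '.join(authed)}")
    for ip, _, auth in addrs:
        if tls and not auth:
            findings.append(f"{ip}: no auth name, server certificate is not verified")
        if ":" in ip and not ipv6_egress:
            findings.append(f"{ip}: IPv6 upstream without IPv6 egress, expect "
                            "'no TCP outgoing interfaces of family'")
    return findings
```

Run `lint_dot(NEXTDNS_CONF)` to reproduce the two findings behind the log above; prepending the `server:` / `tls-cert-bundle` stanza from reply #1 clears the certificate one.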

Why custom options? You can enter upstream DoT servers in Services / Unbound DNS / Miscellaneous.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on March 25, 2021, 07:02:30 PM
Why custom options? You can enter upstream DoT servers in Services / Unbound DNS / Miscellaneous.
If you want to also specify the auth name, i.e. #dns.quad9.net for Quad9, then custom options is currently the only way.

Oh, okay, didn't know the UI doesn't support that. Thanks!