[Solved] Help troubleshooting why DNS over UDP does not reach DNS resolver

[geo]

Hello,

I've reached a wall trying to troubleshoot this and hoping the community can help. I've tried searching forum posts for similar issues and haven't found any suggested fix.

I'm using OPNsense 21.1.5 (amd64) to route DNS requests to AdGuard Home (v0.106.1) installed on a raspberry pi (address 10.x.x.240) with Quad 9 as the upstream DNS resolver.

Ignoring the Guestnet VLAN to simplify the troubleshooting process, any DNS requests from my network LAN1  over UDP are not working while any DNS requests over TCP work. I can't figure out why UDP isn't working.

I've attached in image to pictorially represent my setup. For some reason UDP based requests appear to be blocked (see error messages) while TCP based requests.

My firewall rules are fairly basic having followed guides from homenetworkguy.com for guidance. I've attached screenshots of the firewall rules used for LAN along with NAT rules. On the WAN interface I only have rules to Block spamhaus DROP and EDROP.

On the AdGuard Home side there isn't any configuration that I've done that should be blocking requests.

Any suggestions on how to further troubleshoot this to figure out where and why UDP packets are being dropped/blocked?

Thank you,
George

[rhubarb]

That NAT port forward rule seems strange.  I think you might try disabling it and make sure your Outbound NAT rules are set to Automatic.  Using defaults, OPNSense should hand out the DNS address given by AdGuard to the clients.  You don't need a port forward rule because OPNSense will route return traffic to the host requesting DNS.

I assume AdGuard is providing an address over DHCP to OPNSense.  I assume that address is private.  If it is, make sure you're not blocking private addresses at the WAN level. Also, make sure that it does not interfere with the address space of your LANs.

You can put your SPAMHAUS Drop rules only once in Floating so you don't have to replicate them on every interface.

[geo]

Hi rhubarb,

Thank will try you suggestion and remove the outbound NAT rule. The reason for the Outbound NAT rule was to enforce use of AdGuard + my choise of outbound DNS rather than permit use of other DNS providers (for example hardlinked DNS servers inside of IoT devices, i've seen alot of requests for 8.8.8.8 from devices).

DHCP address are handed out by OPNsense and AdGuard gets handed a fixed IP based.

[rhubarb]

Thank will try you suggestion and remove the outbound NAT rule. The reason for the Outbound NAT rule was to enforce use of AdGuard + my choise of outbound DNS rather than permit use of other DNS providers (for example hardlinked DNS servers inside of IoT devices, i've seen alot of requests for 8.8.8.8 from devices).

DHCP address are handed out by OPNsense and AdGuard gets handed a fixed IP based.

I think you meant remove the Port Forward WAN rule.  Outbound NAT should still have a rule (likely Automatic).

That makes sense; you're doing a DNS redirect.  I would disable it and get it working on a PC then work on your redirect.

wrt addresses, your WAN interface address should not be in the address space of your LANs.  OPNSense lets you do this and it causes routing problems. (It happens often if AdGuard issues a 192.168.1.0/24 address and one of your LANs also uses this range.)

[abulafia]

I'm using OPNsense 21.1.5 (amd64) to route DNS requests to AdGuard Home (v0.106.1) installed on a raspberry pi (address 10.x.x.240) with Quad 9 as the upstream DNS resolver.

Why don't you install AdGuard Home (v0.106.1) directly on the OPNsense and do away with the Pi?

(1) Install minugmail's repo (see https://www.routerperformance.net/opnsense-repo/), (2) install AdGuard Home plugin in OPNsense, (3) set your OPNsense unbound resolver to another port than 53, (4) go to adguard home webpage to configure, (5) define your OPNsense unbound resolver:customport as a PTR / upstream DNS server in adguard home (for resolution of local names).

(6) Firewall: create floating rules to allow DNS requests to DNS (53), DoQ (784) and DoT (853); consider carefully whether to open DoH (443). NAT rules should be created automatically (I think).

once it works, re-create the redirection of DNS requests to your local DNS.

--

as to why your original setup isn't working for UDP, not sure, but have you tried to set the "Block all external DNS" rule to Destination: !LAN1_address or temporarily disabling it? Otherwise, that rule might be blocking all traffic to ports 53 (including your pihole). Try to remove that.

Can your LAN1 ping your Pi?
Is traffic back from the Pi to your LAN1 network permitted?

[geo]

I think you meant remove the Port Forward WAN rule.  Outbound NAT should still have a rule (likely Automatic).

That makes sense; you're doing a DNS redirect.  I would disable it and get it working on a PC then work on your redirect.

Thank you disabling this rule worked. I also re-arranged AdGuard's position in the DNS request chain to look like the below.

(all clients on local network) --> AdGuard --> OPNSense (unbound forwarding mode to Quad 9 ips)

Advantage of this setup is I can see which requests are coming from which device ip's on the local network. Disadvantage of this setup is for now I've lost the DoH/DoT/DoQ that is configured out of the box on AdGuard Home and not replicated on Unbound by default.

(1) Install minugmail's repo (see https://www.routerperformance.net/opnsense-repo/), (2) install AdGuard Home plugin in OPNsense, (3) set your OPNsense unbound resolver to another port than 53, (4) go to adguard home webpage to configure, (5) define your OPNsense unbound resolver:customport as a PTR / upstream DNS server in adguard home (for resolution of local names).

(6) Firewall: create floating rules to allow DNS requests to DNS (53), DoQ (784) and DoT (853); consider carefully whether to open DoH (443). NAT rules should be created automatically (I think).

Agreed probably better to drop the Pi altogether and would solve my issue of not having presently having DoH/DoT/DoQ to do swap mentioned above and use of Unbound in forwarding mode. Why do you suggest carefully considering whether to open DoH? Idk hence asking.

[abulafia]

Adguard Home in Opnsense:
+ you can use the path to the Opnsense/letsencrypt certificate directly in adguard
- exposing port 443 to allow DoH also exposes the Opnsense web GUI. May be an issue e.g. for IoT or guest vlans. You can always move the GUI to another port of course, or block access from the insecure vlans.

[rhubarb]

deleted

[rhubarb]

Advantage of this setup is I can see which requests are coming from which device ip's on the local network. Disadvantage of this setup is for now I've lost the DoH/DoT/DoQ that is configured out of the box on AdGuard Home and not replicated on Unbound by default.

https://sahlitech.com/opnsense-setup-unbound-dns/

This Unbound DNS guide is pretty good and was recently modified to include 'tls-cert-bundle' that properly checks for valid certificates.  The problem I have is Unbound can be kind of buggy and unreliable.  I have resorted to enabling a PiHole as a DNS backup, with Cloudflared DoH. If you start having issues with Unbound, you might want to bypass it.

[RamSense]

 .