Archive > 21.1 Legacy Series

[Solved] Help troubleshooting why DNS over UDP does not reach DNS resolver


geo:

--- Quote ---I think you meant remove the Port Forward WAN rule.  Outbound NAT should still have a rule (likely Automatic).

That makes sense; you're doing a DNS redirect.  I would disable it and get it working on a PC then work on your redirect.
--- End quote ---

Thank you, disabling this rule worked. I also re-arranged AdGuard's position in the DNS request chain to look like the below.

(all clients on local network) --> AdGuard --> OPNsense (unbound forwarding mode to Quad9 IPs)

Advantage of this setup is I can see which requests are coming from which device IPs on the local network. Disadvantage of this setup is for now I've lost the DoH/DoT/DoQ that is configured out of the box on AdGuard Home and not replicated on Unbound by default.


--- Quote ---(1) Install minugmail's repo (see https://www.routerperformance.net/opnsense-repo/), (2) install AdGuard Home plugin in OPNsense, (3) set your OPNsense unbound resolver to another port than 53, (4) go to adguard home webpage to configure, (5) define your OPNsense unbound resolver:customport as a PTR / upstream DNS server in adguard home (for resolution of local names).

(6) Firewall: create floating rules to allow DNS requests to DNS (53), DoQ (784) and DoT (853); consider carefully whether to open DoH (443). NAT rules should be created automatically (I think).
--- End quote ---

Agreed, probably better to drop the Pi altogether; it would solve my issue of presently not having DoH/DoT/DoQ to do the swap mentioned above and use Unbound in forwarding mode. Why do you suggest carefully considering whether to open DoH? Idk, hence asking.

abulafia:
AdGuard Home in OPNsense:
+ you can use the path to the OPNsense/letsencrypt certificate directly in AdGuard
- exposing port 443 to allow DoH also exposes the OPNsense web GUI. May be an issue e.g. for IoT or guest VLANs. You can always move the GUI to another port of course, or block access from the insecure VLANs.

rhubarb:
deleted

rhubarb:

--- Quote from: geo on May 04, 2021, 04:43:20 am ---Advantage of this setup is I can see which requests are coming from which device IPs on the local network. Disadvantage of this setup is for now I've lost the DoH/DoT/DoQ that is configured out of the box on AdGuard Home and not replicated on Unbound by default.

--- End quote ---

https://sahlitech.com/opnsense-setup-unbound-dns/

This Unbound DNS guide is pretty good and was recently modified to include 'tls-cert-bundle' that properly checks for valid certificates.  The problem I have is Unbound can be kind of buggy and unreliable.  I have resorted to enabling a PiHole as a DNS backup, with Cloudflared DoH. If you start having issues with Unbound, you might want to bypass it.
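Added example (not from the linked guide or any poster in this thread): the Unbound forward-zone that geo's current chain uses, plain UDP/53 to Quad9, placed beside the DNS-over-TLS form with the 'tls-cert-bundle' check rhubarb mentions, so Unbound gets back the encrypted upstream that was lost when AdGuard stopped being the forwarder. It assumes the fragment is pasted into Unbound's custom options on OPNsense and that /etc/ssl/cert.pem is the CA bundle on that box.

```conf
# Added example, not part of the thread or the linked guide.
# Assumed: this goes into Unbound's custom options on OPNsense 21.1 and
# /etc/ssl/cert.pem is the FreeBSD CA bundle on the firewall.

server:
    # Verify the upstream's TLS certificate against the system CA bundle.
    # Without this line forward-tls-upstream still encrypts, but Unbound
    # accepts any certificate, so a MITM upstream would not be detected.
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Weak form: what "unbound forwarding mode to Quad9" sends today.
# Queries and answers cross the WAN in clear text on 53 and nothing
# checks who actually answered. Left commented out for comparison.
#forward-zone:
#    name: "."
#    forward-addr: 9.9.9.9
#    forward-addr: 149.112.112.112

# Hardened form: DNS-over-TLS on 853. "@853" sets the port and
# "#dns.quad9.net" is the name Unbound requires in the certificate.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

The floating rule from the quoted steps then only needs to permit the firewall itself to reach 853 outbound; port 53 to the WAN can stay closed for the LAN, which also makes the "does my DNS actually go through the chain" question easy to answer from the firewall log.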

RamSense:
 .
