Why is custom options for Unbound removed in 21.7 ?

[chemlud]

It was system logs exploding since yesterday plus very large log files for resolver on a daily basis for the whole period configured to log. SSD usage looking much better now.

Hope I can avoid doing complete fresh install. Had a look at the config.xml of the system. The is both, info from the custom options for unbound as well a the new DoT page (which is currently not visable in the GUI). Will this be a problem for 21.7?

[chemlud]

Looking good now

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7 (amd64/LibreSSL) at Wed Jul 28 14:34:48 CEST 2021
>>> Check installed kernel version
Version 21.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***

...and unbound tab for DoT (and check box for qname minimisation) is back... :-)

[Mr.Goodcat]

Sorry for the noob question but trying to get ahead of the eventual upgrade to 21.7, but currently my Unbound has the following in custom:

Code: [Select]

server:
  do-not-query-localhost: no


forward-zone:
  name: "."
  forward-addr: ::1@5353
  forward-addr: 127.0.0.1@5353

It's forwarding to the DNSCrypt-Proxy service.

Will I be able to do this with 21.7 and the new standard menu? Currently still on 21.1.8 as I am not on-site to attempt the upgrade to 21.1.9

Did you find a solution yet? I'm faced with the same issue now that custom options are being taken away

[Taomyn]

No, nobody has replied yet, so I am holding off my upgrade until someone does.

Sorry for the noob question but trying to get ahead of the eventual upgrade to 21.7, but currently my Unbound has the following in custom:

Code: [Select]

server:
  do-not-query-localhost: no


forward-zone:
  name: "."
  forward-addr: ::1@5353
  forward-addr: 127.0.0.1@5353

It's forwarding to the DNSCrypt-Proxy service.

Will I be able to do this with 21.7 and the new standard menu? Currently still on 21.1.8 as I am not on-site to attempt the upgrade to 21.1.9

Did you find a solution yet? I'm faced with the same issue now that custom options are being taken away

[franco]

https://docs.opnsense.org/manual/unbound.html

[chemlud]

https://docs.opnsense.org/manual/unbound.html

...the relevant info starts with

...
Advanced Configurations

Some installations require configuration settings that are not accessible in the UI. To support these, individual configuration files with a .conf extension can be put into the /usr/local/etc/unbound.opnsense.d directory. These files will be automatically included by the UI generated configuration. Multiple configuration files can be placed there. But note that...

[Taomyn]

https://docs.opnsense.org/manual/unbound.html

Thanks Franco. Now I can wait patiently for the upgrade path.

[Mr.Goodcat]

Thanks Franco. Now I can wait patiently for the upgrade path.

This looks like a nicer option. Otherwise the custom config won't be part of the overall config file, potentially messing up restores:
https://forum.opnsense.org/index.php?topic=23941.0

[Taomyn]

This looks like a nicer option. Otherwise the custom config won't be part of the overall config file, potentially messing up restores:
https://forum.opnsense.org/index.php?topic=23941.0

Yes saw that as well, so will likely switch to it once I'm on 21.7

[Taomyn]

Well, neither method on that documentation page seems to work so either I did it wrong after triple checking or it too is for 21.7 only. Using the template method got me the incredibly useful message "ERR", then tried to copy a new conf file and on the check it just said "Action not found. Oh and "/usr/local/etc/unbound.opnsense.d" does not exist either - I tried copying my conf file to "/usr/local/etc/unbound" which was present.


So when I upgrade I will have to hope I can still access my firewall's web interface so I can fix it, and if past experience is anything to go by, I probably won't be able to. We'll have to see.

[chemlud]

The custom field from the community repo can only be installed on 21.7, as in 21.1 it's still in the basic system ;-)

Remove your custom settings in the unbound GUI field and get back to "normal" DNS as resolver. Or switch to DNSmasq for the update. Check that our DNS is working. Go to 21.7 and then install the plugin for the custom field. Or copy your additional info to the new directory.

But I don't know your complete setup (DoT I guess), so YMMV...

[franco]

Er, yes, the documentation now reflects 21.7.


Cheers,
Franco

[opnfwb]

Just want to say thanks to Franco and team! I just use a basic Unbound DoT forwarding config (as I suspect most do for DoT?) and the new 21.7 DoT features are working great.

Code: [Select]

cat /var/unbound/etc/dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 2620:fe::9@853#dns.quad9.net


[ilikenwf]

Even if we had a dumbed down version of the box, it would be nice to have a way to add always_nxdomain entries for a few really enormously bad domains I block entirely, as well as their subdomains.

One example is online-metrix.net which is a port scanner, on all subdomains - the same one used by ebay. It exploits websockets to do this.

Code: [Select]

server:
local-zone: "online-metrix.net" always_nxdomain
I'll do the custom config file route for now but just wondering if anyone has a better way of doing this - nxdomain is my favorite though for blocking all subdomains and the parent domain as well.

[Nekromantik]

Development version for me is unstable.
After enabling DoT the router works for 5 mins and then stops working.
No network access and its like the whole OS crashes as none of my devices wired or wireless get DHCP or connectivity. Only way to access the firewall is to plug keyboard and monitor to it.
Now I have to clean install. Thankfully I keep cloud backups of config!