Why are custom options for Unbound removed in 21.7?

Started by 134, July 14, 2021, 06:31:49 PM

It was system logs exploding since yesterday, plus very large log files for the resolver on a daily basis for the whole period configured to log. SSD usage is looking much better now.

Hope I can avoid doing a complete fresh install. Had a look at the config.xml of the system. There is both info from the custom options for unbound as well as the new DoT page (which is currently not visible in the GUI). Will this be a problem for 21.7?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Looking good now

Quote
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.7 (amd64/LibreSSL) at Wed Jul 28 14:34:48 CEST 2021
>>> Check installed kernel version
Version 21.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .................................................................... done
***DONE***

...and unbound tab for DoT (and check box for qname minimisation) is back... :-)
kind regards
chemlud

Quote from: Taomyn on July 27, 2021, 01:40:43 PM
Sorry for the noob question, but I'm trying to get ahead of the eventual upgrade to 21.7; currently my Unbound has the following in custom:

server:
  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: ::1@5353
  forward-addr: 127.0.0.1@5353

It's forwarding to the DNSCrypt-Proxy service.

Will I be able to do this with 21.7 and the new standard menu? Currently still on 21.1.8, as I am not on-site to attempt the upgrade to 21.1.9.

Did you find a solution yet? I'm faced with the same issue now that custom options are being taken away :(


No, nobody has replied yet, so I am holding off my upgrade until someone does.

Quote from: franco on July 28, 2021, 04:09:51 PM
https://docs.opnsense.org/manual/unbound.html

...the relevant info starts with

Quote
...
Advanced Configurations

Some installations require configuration settings that are not accessible in the UI. To support these, individual configuration files with a .conf extension can be put into the /usr/local/etc/unbound.opnsense.d directory. These files will be automatically included by the UI generated configuration. Multiple configuration files can be placed there. But note that...
kind regards
chemlud


Quote from: Taomyn on July 28, 2021, 04:13:27 PM
Thanks Franco. Now I can wait patiently for the upgrade path.

This looks like a nicer option. Otherwise the custom config won't be part of the overall config file, potentially messing up restores:
https://forum.opnsense.org/index.php?topic=23941.0

Quote from: Mr.Goodcat on July 28, 2021, 05:12:01 PM
This looks like a nicer option. Otherwise the custom config won't be part of the overall config file, potentially messing up restores:
https://forum.opnsense.org/index.php?topic=23941.0


Yes saw that as well, so will likely switch to it once I'm on 21.7

Well, neither method on that documentation page seems to work, so either I did it wrong after triple checking or it too is for 21.7 only. Using the template method got me the incredibly useful message "ERR", then I tried to copy a new conf file and on the check it just said "Action not found". Oh, and "/usr/local/etc/unbound.opnsense.d" does not exist either - I tried copying my conf file to "/usr/local/etc/unbound", which was present.


So when I upgrade I will have to hope I can still access my firewall's web interface so I can fix it, and if past experience is anything to go by, I probably won't be able to. We'll have to see.

July 28, 2021, 06:33:13 PM #55 Last Edit: July 28, 2021, 06:36:22 PM by chemlud
The custom field from the community repo can only be installed on 21.7, as in 21.1 it's still in the basic system ;-)

Remove your custom settings in the unbound GUI field and get back to "normal" DNS as resolver. Or switch to DNSmasq for the update. Check that your DNS is working. Go to 21.7 and then install the plugin for the custom field. Or copy your additional info to the new directory.

But I don't know your complete setup (DoT I guess), so YMMV...
kind regards
chemlud

Er, yes, the documentation now reflects 21.7.


Cheers,
Franco

Just want to say thanks to Franco and team! I just use a basic Unbound DoT forwarding config (as I suspect most do for DoT?) and the new 21.7 DoT features are working great.

cat /var/unbound/etc/dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 2620:fe::9@853#dns.quad9.net
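
As an added example (not code from this thread or from OPNsense), here is a small lint for drop-in fragments of the two kinds shown in the thread: it parses the clause/key format of a .conf fragment, then checks a loopback forwarder (the DNSCrypt-Proxy case) against do-not-query-localhost, and a forward-tls-upstream zone (the DoT case) for tls-cert-bundle and the per-address #authname. Both sample fragments are constructed.

```python
import re
# Constructed samples: the DNSCrypt-Proxy forwarder from the thread, and a DoT forwarder lacking both a cert bundle and an '#authname'.
DNSCRYPT_FRAGMENT = """server:
  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: ::1@5353
  forward-addr: 127.0.0.1@5353
"""
WEAK_DOT_FRAGMENT = 'forward-zone:\n  name: "."\n  forward-tls-upstream: yes\n  forward-addr: 9.9.9.9@853\n'
def parse_fragment(text):
    """Return [(clause, {key: [values]})]: a bare 'server:'/'forward-zone:' line opens a clause,
    repeated keys accumulate, and '#' is a comment only at a token boundary (so '#authname' survives)."""
    clauses = []
    for raw in text.splitlines():
        m = re.match(r"^([a-z0-9-]+):\s*(.*)$", re.sub(r"(^|\s)#.*$", "", raw).strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if value == "":
            clauses.append((key, {}))
        elif clauses:
            clauses[-1][1].setdefault(key, []).append(value)
    return clauses

def lint_forwarding(text):
    """Flag forward-zone settings that fail silently or skip TLS authentication."""
    clauses = parse_fragment(text)
    server = {}
    for name, opts in clauses:
        if name == "server":
            for key, vals in opts.items():
                server.setdefault(key, []).extend(vals)
    # Unbound refuses loopback forwarders unless do-not-query-localhost is 'no'; DoT upstreams are authenticated only with a cert bundle plus '#authname'.
    loopback_blocked = server.get("do-not-query-localhost", ["yes"])[-1] != "no"
    has_bundle = "tls-cert-bundle" in server or "yes" in server.get("tls-system-cert", [])
    findings = []
    for name, opts in clauses:
        if name != "forward-zone":
            continue
        tls = opts.get("forward-tls-upstream", ["no"])[-1] == "yes"
        if tls and not has_bundle:
            findings.append("forward-tls-upstream without tls-cert-bundle: upstream not authenticated")
        for addr in opts.get("forward-addr", []):
            if loopback_blocked and addr.split("@", 1)[0] in ("127.0.0.1", "::1"):
                findings.append(f"{addr}: loopback forwarder needs do-not-query-localhost: no")
            if tls and "#" not in addr:
                findings.append(f"{addr}: no #authname, certificate name is not verified")
    return findings
```

Run it over a fragment before copying it into /usr/local/etc/unbound.opnsense.d; an empty list means neither of the two pitfalls is present.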


July 30, 2021, 09:41:10 PM #58 Last Edit: July 30, 2021, 09:50:30 PM by ilikenwf
Even if we had a dumbed-down version of the box, it would be nice to have a way to add always_nxdomain entries for a few really enormously bad domains I block entirely, as well as their subdomains.

One example is online-metrix.net, which is a port scanner on all subdomains - the same one used by eBay. It exploits websockets to do this.

server:
  local-zone: "online-metrix.net" always_nxdomain


I'll do the custom config file route for now but just wondering if anyone has a better way of doing this - nxdomain is my favorite though for blocking all subdomains and the parent domain as well.
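
Added example (not code from this thread or from OPNsense): it renders the local-zone fragment for a small blocklist and reproduces Unbound's closest-enclosing-zone match, which is why a single always_nxdomain entry for a parent covers every subdomain but never a mere substring. The zone list and the drop-in file name are constructed assumptions.

```python
# Constructed blocklist: the thread names online-metrix.net; the second entry is a placeholder.
BLOCKED_ZONES = ["online-metrix.net", "ads.example"]

def local_zone_fragment(zones):
    """Render the 'server:' fragment for a drop-in such as
    /usr/local/etc/unbound.opnsense.d/blocklist.conf (assumed file name)."""
    lines = ["server:"]
    for zone in zones:
        lines.append(f'  local-zone: "{zone.rstrip(".").lower()}" always_nxdomain')
    return "\n".join(lines) + "\n"

def matching_zone(qname, zones):
    """Closest-enclosing local-zone lookup, as Unbound applies it: walk the query
    name's labels from the left so the longest configured suffix wins. Returns None
    when no zone encloses the name; a zone never matches a mere substring."""
    labels = qname.rstrip(".").lower().split(".")
    configured = {zone.rstrip(".").lower() for zone in zones}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in configured:
            return candidate
    return None

def would_be_nxdomain(qname, zones=BLOCKED_ZONES):
    """True when a query for qname (the zone itself or any subdomain) hits an always_nxdomain zone."""
    return matching_zone(qname, zones) is not None
```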

Development version for me is unstable.
After enabling DoT the router works for 5 mins and then stops working.
No network access, and it's like the whole OS crashes, as none of my devices, wired or wireless, get DHCP or connectivity. The only way to access the firewall is to plug a keyboard and monitor into it.
Now I have to clean install. Thankfully I keep cloud backups of config!