How to Configure DNS in Opnsense With Unbound and W/Unbound

[mush2020]

Do you wish to use AGH in this setup?  If yes, then 853 and your DNS service need to be setup in AGH not Unbound.   If you are using Unbound then yes of course you need to set that up.
[/quote]

I want to use Unbound + AGH.
In AGH
upstream DNS servers
192.168.50.254:5353(Opnsense LAN)
192.168.10.254:5353 (Wifi Interface)

parallel requests

bootstrap dns servers
192.168.50.254:5353(Opnsense LAN )
192.168.10.254:5353 (Wifi Interface)

private reverse dns servers
192.168.10.254:5353 (Wifi Interface)
192.168.50.254:5353(Opnsense LAN )


The only issue i have now is DNS not working if AGH protection enabled.

Any further troubleshooting lead?

[mush2020]

Your query is it for Opnsense or Unbound or AGH setting. I will have look
By the way in Opnsense i have setup hostname and domain
In Unbound  DNS Query Forwarding is unchecked

[mush2020]

I'm sorry, i got your point. There are no nameservers added in Opnsense System|Settings|General.
As i wanted to use Unbound as resolver.

Also these are unchecked
 Allow DNS server list to be overridden by DHCP/PPP on WAN
 Do not use the local DNS service as a nameserver for this system

In Unbound this is unchecked
Enable Forwarding Mode

[Superduke]

Ok, I think I know what you want now.  Just to summarize...you want Unbound to do your resolving locally on your OPNSense server and use AGH as a blockfilter....that's what I have by the way.

If that's the case, then

1) There is no reason to have NAT port forwarding or special rules set.
2) The only thing you need to really setup in Unbound is the new listening port...I use 53530.....(5353 in your case...but maybe there's a conflict for you, so maybe try a different one)
3) Only need to put your OPNSense IP:Port in the upstream and bootstrap....the other WIFI one (which I presume is a VLAN??) isn't needed if it is a VLAN....or even if it's not really....since Unbound will listen on the OPNSense IP and Port....make sure the WIFI interface is listed in the Setup Guide tab of AGH though.

Did you try the test button in AGH?

Also...did you try different configs of safe search and secure web service being checked and unchecked?  Try both unchecked first and see if that helps.

Another thing to look at is if you also have Suricata running....shouldn't matter but try disabling that too to see if it might be blocking something unnecessarily.

Do you wish to use AGH in this setup?  If yes, then 853 and your DNS service need to be setup in AGH not Unbound.   If you are using Unbound then yes of course you need to set that up.

I want to use Unbound + AGH.
In AGH
upstream DNS servers
192.168.50.254:5353(Opnsense LAN)
192.168.10.254:5353 (Wifi Interface)

parallel requests

bootstrap dns servers
192.168.50.254:5353(Opnsense LAN )
192.168.10.254:5353 (Wifi Interface)

private reverse dns servers
192.168.10.254:5353 (Wifi Interface)
192.168.50.254:5353(Opnsense LAN )


The only issue i have now is DNS not working if AGH protection enabled.

Any further troubleshooting lead?
[/quote]

[mush2020]

1) There is no reason to have NAT port forwarding or special rules set.

I will test all the NAT rules later if AGH is working. I hope no host will use their own DNS addresses.

2) The only thing you need to really setup in Unbound is the new listening port...I use 53530.....(5353 in your case...but maybe there's a conflict for you, so maybe try a different one)

I will test with new port, but I'm sure i'm not using 5353 elsewhere.

3) Only need to put your OPNSense IP:Port in the upstream and bootstrap....the other WIFI one (which I presume is a VLAN??) isn't needed if it is a VLAN....or even if it's not really....since Unbound will listen on the OPNSense IP and Port....make sure the WIFI interface is listed in the Setup Guide tab of AGH though.

WiFi is not VLAN. its physcially connected from Opnsense to WiFi AP port (see attached)

Did you try the test button in AGH?

Yes all tests are successful

Also...did you try different configs of safe search and secure web service being checked and unchecked?  Try both unchecked first and see if that helps.

See attached AGH current settings. With these options checked all ok. As soon as i enable (highlighted in attachment) web service protection internet doesn't work. I have tried enabling both same time and each also.

IPS is disabled

Where are AGH logs to check why DNS requests are failing with these 2 web service features

[Superduke]

Minor things but I have my upstream DNS server set to load balance....

And I don't have any address in the private reverse DNS lookup box; although you putting your OPNsense IP shouldn't matter....

this is weird.....sorry I can't help more....

[Superduke]

Check this out....this is where I went to set mine up....

https://forum.opnsense.org/index.php?topic=22162.msg107450#msg107450

1) There is no reason to have NAT port forwarding or special rules set.

I will test all the NAT rules later if AGH is working. I hope no host will use their own DNS addresses.

2) The only thing you need to really setup in Unbound is the new listening port...I use 53530.....(5353 in your case...but maybe there's a conflict for you, so maybe try a different one)

I will test with new port, but I'm sure i'm not using 5353 elsewhere.

3) Only need to put your OPNSense IP:Port in the upstream and bootstrap....the other WIFI one (which I presume is a VLAN??) isn't needed if it is a VLAN....or even if it's not really....since Unbound will listen on the OPNSense IP and Port....make sure the WIFI interface is listed in the Setup Guide tab of AGH though.

WiFi is not VLAN. its physcially connected from Opnsense to WiFi AP port (see attached)

Did you try the test button in AGH?

Yes all tests are successful

Also...did you try different configs of safe search and secure web service being checked and unchecked?  Try both unchecked first and see if that helps.

See attached AGH current settings. With these options checked all ok. As soon as i enable (highlighted in attachment) web service protection internet doesn't work. I have tried enabling both same time and each also.

IPS is disabled

Where are AGH logs to check why DNS requests are failing with these 2 web service features

[mush2020]

Thanks for assisting.
I've gone through the shared post.
Everything looks ok as per setup guide.
But I haven't come across anyone reporting the web service protection issue which i'm facing.
Is AGH all features are free or is there anything to do with commercials
Where i can share this issue, if there is no further help from Opnsense forum.

[cookiemonster]

I didn't get to see the activity. Are you up and running now?
I don't use web service protection in AGH but from a quick online search scan it might need to communicate with an adguard domain to work. I don't believe it needs to be paid for. How is that is not working?
We could maybe help by pointing where to look but otherwise maybe a question for the AGH people.

[mush2020]

Yes I'm working now.
I'm confused is it i need to add AGH DNS DOT IPs in  Unbound DNS over TLS or in AGH DNS Upstream.
Right now working settings are
In Unbound i have added Cleanbrowsing IPs over 853
In AGH Upstream I have added Opnsense IP over 8383
I just tried to test y enabling parental control and safe browsing. Internet stopped working.
I unchecked, Internet is working.

From AGH yaml current config.

filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: true
  safebrowsing_enabled: false

[cookiemonster]

Without trying to sound condescending, it's easier to follow the flow with ip:port. What ip:port is entered in an app/sytem setting, is where the traffic is going to unless you are configuring the service listening. Port 53 is plain dns ie. unencrypted. Protocol is normally udp but can be tcp. Put that aside for now.
Port 853 has been designated for DoT so it is expected to be encrypted with TLS, so it needs a successful TLS setup, certificates, etc. Put that aside for now next to the port 53 info.
So you can start building your answer.

I'm confused is it i need to add AGH DNS DOT IPs in  Unbound DNS over TLS or in AGH DNS Upstream.
Right now working settings are
In Unbound i have added Cleanbrowsing IPs over 853
In AGH Upstream I have added Opnsense IP over 8383

On the working settings Unbound is sending DoT traffic to Cleanbrowsing (whatever that is) on the correct port.
AGH is sending the traffic to OPN on port 8383. So the flow looks like this:
    client (?) --> AGH (port?) --> Unbound-OPN:8383 --> cleanbrowsing:853

Makes sense?

[Superduke]

I'm still a bit confused as to why cleanbrowsing is needed here given it seems to replicate alot (if not all) of what AGH does for you....

[mush2020]

@cookiemonstor thanks,
Here is my Adguard yaml file.
I have just removed password string and modified domain name.
This working config. You will see that below
parental_enabled: false
safesearch_enabled: true
safebrowsing_enabled: false

No issues with Internet. The issue occurs if either of is true parental_enabled and/or safebrowsing_enabled.
So i'm trying to understand is it related to Undbound DNS over TLS or is it as you mentioned IP:Port used in AGH, but below its 53 for DNS and In Unbound i have set to 8383

Is there any AGH port issue or Unbound Issue

bind_host: 0.0.0.0
bind_port: 8443
beta_bind_port: 0
users:
- name: root
  password: ----Removed------
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
  - 0.0.0.0
  port: 53
  statistics_interval: 30
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 720h
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
  - 192.168.50.254:8383
  upstream_dns_file: ""
  bootstrap_dns:
  - 192.168.50.254:8383
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
  - version.bind
  - id.server
  - hostname.bind
  trusted_proxies:
  - 127.0.0.0/8
  - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet: false
  max_goroutines: 300
  ipset: []
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: true
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services:
  - 9gag
  upstream_timeout: 10s
  local_domain_name: mydomain.com
  resolve_clients: true
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
  - 192.168.50.254:8383
tls:
  enabled: true
  server_name: fw.mydomain.com
  force_https: true
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /var/etc/acme-client/home/fw.mydomain.com/fullchain.cer
  private_key_path: /var/etc/acme-client/home/fw.mydomain.com/fw.mydomain.com.key
filters:
- enabled: true
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard DNS filter
  id: 1
- enabled: true
  url: https://adaway.org/hosts.txt
  name: AdAway Default Blocklist
  id: 2
whitelist_filters: []
user_rules:
- ' - https://hosts.netlify.app/Pro/adblock.txt'
- ' - https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt'
- ' - https://block.energized.pro/ultimate/formats/hosts.txt'
- ' - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt'
- ' - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'
- ' - https://hosts.oisd.nl/'
- ""
dhcp:
  enabled: false
  interface_name: ""
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients: []
log_compress: false
log_localtime: false
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_file: ""
verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 12

[mush2020]

I'm still a bit confused as to why cleanbrowsing is needed here given it seems to replicate alot (if not all) of what AGH does for you....

What will be the settings if Unbound is disabled. No more DOT IP used i.e. cleanbrowsing
Opnsense +AGH only
In this case how Opnsense will forward the DNS request. There should be DNS server somewhere.

[Superduke]

Apologies...I likely wasn't clear...you surely need a resolver of some kind...but Unbound with AGH gets you the resolving and blocking/filtering/control you want without cleanbrowsing in the loop....

And since both services are local to you, the whole DoT thing becomes irrelevant.

I'm still a bit confused as to why cleanbrowsing is needed here given it seems to replicate alot (if not all) of what AGH does for you....

What will be the settings if Unbound is disabled. No more DOT IP used i.e. cleanbrowsing
Opnsense +AGH only
In this case how Opnsense will forward the DNS request. There should be DNS server somewhere.