OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 22.7 Legacy Series »
  • Failing DNS services
« previous next »
  • Print
Pages: [1]

Author Topic: Failing DNS services  (Read 1045 times)

JL

  • Newbie
  • *
  • Posts: 42
  • Karma: 1
    • View Profile
    • commandline services
Failing DNS services
« on: December 31, 2022, 03:39:58 pm »
While on older opnsense the 'intrusion detection service' frequently crashed, after the upgrade to 22.7 there are new issues, now it are the DNS services crashing ... which worked fine with older opnsense releases.

There are no apparent log entries indicating the reasons why for the DNS service crashes, using unbound+dnscrypt+bind
To my surprise all three service go down simultaneously. As I've noticed at least one succesful (likely) DNS spoofing attempt I'm not confident these crashes are benign.
Logged

newsense

  • Hero Member
  • *****
  • Posts: 1037
  • Karma: 77
    • View Profile
Re: Failing DNS services
« Reply #1 on: December 31, 2022, 07:11:02 pm »
If DNScrypt is a must, use the latest version in a docker container. The one in OPNsense is quite old, unsure where the issue is there but I wouldn't use it on the internet until it is upgraded to current.

Bind -- zone management on the FW wouldn't be my first choice.

For anything else Unbound is more than fit for the job, and latest version as well.


Removing one or two if possible from the chain would help you narrow down the DNS issues.

Logged

JL

  • Newbie
  • *
  • Posts: 42
  • Karma: 1
    • View Profile
    • commandline services
Re: Failing DNS services
« Reply #2 on: January 03, 2023, 08:13:10 pm »
Quote from: newsense on December 31, 2022, 07:11:02 pm
If DNScrypt is a must, use the latest version in a docker container. The one in OPNsense is quite old, unsure where the issue is there but I wouldn't use it on the internet until it is upgraded to current.

Bind -- zone management on the FW wouldn't be my first choice.

For anything else Unbound is more than fit for the job, and latest version as well.


Removing one or two if possible from the chain would help you narrow down the DNS issues.

Thanks, to me these are DoS issues caused by unknown origin.

It is interesting you mention dnscrypt is outdated, i'll check, thanks. Personally, i stay away from Docker, don't like it for no tangible reason. It is bad IT to me.

I disagree Unbound is adequate, it is not a very stable service.
I disagree running zone mgmt on a firewall should not be first choice, if a firewall cannot stay up or stay intact, little use for it.

Logged

Frostbite8289

  • Newbie
  • *
  • Posts: 7
  • Karma: 0
    • View Profile
Re: Failing DNS services
« Reply #3 on: January 04, 2023, 04:54:56 pm »
Logically I would not expect two different DNS servers to work at that same time on that same server/firewall but I haven't tried it on OPNSense. I would expect DNSCrypt and one DNS server to work.
Unbound was crashing on its own for me so I had to turn that off and use other DNS servers.
Clearly it would be nice if this got fixed but I have no delusions of having all services on my firewall.
Having two other DNS servers (or one if that works for you) your firewall uses works just fine for now.
It does not block OPNSense use.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 22.7 Legacy Series »
  • Failing DNS services
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2