DNS issues - only on opnsense host

Started by Jay10, February 24, 2023, 01:10:50 AM

February 24, 2023, 01:10:50 AM Last Edit: February 24, 2023, 12:30:37 PM by Jay10
Hi All,

New to opnsense so I'm confident I have a setting wrong somewhere and have googled quite extensively to try and figure out the issue. I have found similar threads to my situation, but they seem to have either died off or been magically resolved with some setting the OP can't remember.

After setting up opnsense I decided to install adguard (on the opnsense host itself) - the same as I was previously doing on openwrt before switching over.

OPNsense Versions:
OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023

Package Versions:
Adguard Home v0.107.25 - installed from mimugmail's repo "os-adguardhome-maxit" v1.8
Unbound v1.17.1_2



I believe the way I have setup things the flow should work like this:
LAN Clients -> Adguard (10.0.0.1:53) -> Unbound (10.0.0.1:5553) -> Upstream Servers (Unbound DNS over TLS)

When trying to update in GUI I am given this output -

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.1.1_2 at Thu Feb 23 23:22:38 GMT 2023
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.pkg: No address record
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/23.1/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Updating mimugmail repository catalogue...
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: No address record
repository mimugmail has no meta file, using default settings
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.pkg: No address record
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: No address record
Unable to update repository mimugmail
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***


Obviously this leads me to believe it is a DNS issue, so I tried to resolve "pkg.opnsense.org" in Interfaces > Diagnostics > DNS Lookup -

Hostname:pkg.opnsense.org
Server:

Result -

Query failure
Error: error sending query: Could not send or receive, because of network error



So I repeated the test only this time specifying 10.0.0.1 as the server (presumably port 53) -

Hostname:pkg.opnsense.org
Server:10.0.0.1

Result -
Type:A
Answer:pkg.opnsense.org. 30 IN A 89.149.211.205
Server:10.0.0.1
Query time: 0 msec

Type:AAAA
Answer:pkg.opnsense.org. 340 IN AAAA 2001:1af8:4f00:a005:5::
Server:10.0.0.1
Query time: 22 msec




With the above... I am sure something needs changing to get OPNsense communicating correctly, but I am unsure what to do.


A few settings that might be applicable:

System > Settings > General:
Networking:
Prefer IPv4 over IPv6:✘
DNS Servers:none
Allow DNS server list to be overridden by DHCP/PPP on WAN:✘
Do not use the local DNS service as a nameserver for this system:✘



Services > Unbound DNS > General:
Enable Unbound:✓
Listen Port:5553
Network Interfaces:LAN,WAN
Enable DNSSEC Support:✓
Outgoing Network Interfaces:All


Services > Unbound DNS > DNS over TLS:

Server:9.9.9.9
Port:853
Verify CN:dns.quad9.net

Server:149.112.112.112
Port:853
Verify CN:dns.quad9.net

Server:1.1.1.1
Port:853
Verify CN:cloudflare-dns.com

Server:1.0.0.1
Port:853
Verify CN:cloudflare-dns.com


Services > Adguard Home > General:
Enable:✓

Adguard settings:

Upstream DNS Servers:
127.0.0.1:5553

Bootstrap DNS Servers:
127.0.0.1:5553

Private reverse DNS Servers:
127.0.0.1:5553

Use private reverse DNS resolvers:✓
Enable reverse resolving of clients' IP addresses:✓
Enable DNSSEC:✓




Is anyone able to shed some light on the situation or have any ideas? Would also appreciate any suggestions if there's a better way to do things.

Apologies for the long post, but I figure it's probably very frustrating when people come with issues & no info.

What does the /etc/resolv.conf tell you?

Hi Zan,

Thanks for your response  :)

root@OPNsense:~ # cat /etc/resolv.conf
domain home.arpa
nameserver 127.0.0.1
search home.arpa


So presumably it's looking to resolve to itself @ 127.0.0.1:53

Unbound is running @ 127.0.0.1:5553 (10.0.0.1:5553) & adguard @ 10.0.0.1:53

Looks normal.
Possibly ACL problem like Unbound/Adguard not accepting query from loopback
Can you try "drill google.com @127.0.0.1 -p 5553"
If it works then you should check Adguard's ACL to allow query from 127.0.0.1 or loopback adapter


Quote from: zan on February 24, 2023, 05:43:05 AM
Looks normal.
Possibly ACL problem like Unbound/Adguard not accepting query from loopback
Can you try "drill google.com @127.0.0.1 -p 5553"
If it works then you should check Adguard's ACL to allow query from 127.0.0.1 or loopback adapter

root@OPNsense:~ # drill google.com @127.0.0.1 -p 5553
Error: error sending query: Could not send or receive, because of network error



Quote from: cookiemonster on February 24, 2023, 10:39:58 AM
What is your OPN LAN ip address?

10.0.0.1/24

Do not use the local DNS service as a nameserver for this system:✘
Does that mean checked or unchecked?


I would first disable DoT in Unbound, until this is resolved. Not strictly necessary though.
It seems from the settings that this is the expected behaviour, probably can be confirmed with netstat showing there's no listener for Unbound on the loopback.
In AdGuard, change your "Upstream DNS servers" to 10.0.0.1:5553.
Same for "Bootstrap DNS servers" and "Private reverse DNS servers".

February 24, 2023, 04:36:21 PM #9 Last Edit: February 24, 2023, 04:39:03 PM by Jay10
If I disabled DoT upstreams there would be no upstream providers.
Would I put them in Services>Unbound>Query Forwarding or System>Settings>General>DNS Servers?


Adguard Upstream/bootstrap & private reverse now set to: 10.0.0.1:5553

Same issue

root@OPNsense:~ # ping google.co.uk
ping: Unknown host

root@OPNsense:~ # drill google.co.uk
Error: error sending query: Could not send or receive, because of network error

Yes, good point about no upstreams if you clear out the DoT providers - I forgot my DoT upstreams go out in a different way.
Put a non-DoT one for now, say 8.8.8.8, and test again please.

Try this and see if unbound is listening on the loopback:
sockstat -l | grep 'unbound\|AdGuard'

If it does, then try this:
pfctl -d
drill @localhost -p5553 google.com
pfctl -e

to make sure it is not a firewall issue.

Do not use the local DNS service as a nameserver for this system:✘
This setting controls, as per the help text, that by default localhost (127.0.0.1) will be used as the first nameserver when e.g. Dnsmasq or Unbound is enabled, so the system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.
Therefore if you have it disabled, the system is not using the loopback and the system has no alternative to use.
You could enable it and see it populate /etc/resolv.conf and I'm pretty sure the problem goes away.
If however you want it disabled, you'll need to give the system an alternative, i.e. forward to AdGuard.
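The mismatch being diagnosed in this thread (resolv.conf points the host at 127.0.0.1 on port 53, while Unbound listens on 127.0.0.1:5553 and AdGuard on 10.0.0.1:53) can be checked mechanically. The script below is an added example, not from the thread or the OPNsense project: it cross-checks each nameserver in resolv.conf against sockstat's listener list. Both inputs are passed in as text, with constructed samples modelled on the output posted in this thread, so it runs offline; on a live box you would feed it `cat /etc/resolv.conf` and `sockstat -l`.

```shell
#!/bin/sh
# Added example: report resolv.conf nameservers that have no UDP/53 listener.
# check_resolvers RESOLV_CONF_TEXT SOCKSTAT_TEXT
#   prints "<ip> ok" or "<ip> NO-LISTENER" per nameserver;
#   returns 1 if any nameserver has nothing listening on port 53.
check_resolvers() {
    resolv=$1
    socks=$2
    rc=0
    for ns in $(printf '%s\n' "$resolv" | awk '$1 == "nameserver" { print $2 }'); do
        # sockstat -l columns: USER COMMAND PID FD PROTO LOCAL FOREIGN
        # a wildcard listener (*:53) also answers on loopback
        if printf '%s\n' "$socks" | awk -v ns="$ns" '
            $5 == "udp4" && ($6 == (ns ":53") || $6 == "*:53") { found = 1 }
            END { exit found ? 0 : 1 }'; then
            echo "$ns ok"
        else
            echo "$ns NO-LISTENER"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples (trimmed to the relevant lines) mirroring the thread:
# resolv.conf points at loopback, but only Unbound on :5553 and AdGuard on
# 10.0.0.1:53 are listening, so nothing answers at 127.0.0.1:53.
SAMPLE_RESOLV='domain home.arpa
nameserver 127.0.0.1
search home.arpa'

SAMPLE_SOCKSTAT='unbound  unbound    57271 12 udp4   127.0.0.1:5553        *:*
unbound  unbound    57271 13 tcp4   127.0.0.1:5553        *:*
root     AdGuardHom 61200 13 udp4   10.0.0.1:53           *:*
root     AdGuardHom 61200 14 tcp4   10.0.0.1:53           *:*'

# resolv.conf as it would look once the host is pointed at AdGuard instead
FIXED_RESOLV='domain home.arpa
nameserver 10.0.0.1
search home.arpa'
```

Running `check_resolvers "$SAMPLE_RESOLV" "$SAMPLE_SOCKSTAT"` prints `127.0.0.1 NO-LISTENER` and exits 1, while `check_resolvers "$FIXED_RESOLV" "$SAMPLE_SOCKSTAT"` prints `10.0.0.1 ok`.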

February 24, 2023, 08:24:42 PM #13 Last Edit: February 24, 2023, 08:28:30 PM by Jay10
Quote from: zan on February 24, 2023, 05:06:33 PM
Try this and see if unbound is listening on the loopback:
sockstat -l | grep 'unbound\|AdGuard'

If it does, then try this:
pfctl -d
drill @localhost -p5553 google.com
pfctl -e

to make sure it is not a firewall issue.

root@OPNsense:~ # sockstat -l | grep 'unbound\|AdGuard'
unbound  unbound    57271 5  stream /tmp/php-fastcgi.socket-1
unbound  unbound    57271 8  udp4   10.0.0.1:5553         *:*
unbound  unbound    57271 9  tcp4   10.0.0.1:5553         *:*
unbound  unbound    57271 10 udp4   95.151.***.***:5553   *:*
unbound  unbound    57271 11 tcp4   95.151.***.***:5553   *:*
unbound  unbound    57271 12 udp4   127.0.0.1:5553        *:*
unbound  unbound    57271 13 tcp4   127.0.0.1:5553        *:*
unbound  unbound    57271 14 udp4   10.0.0.1:5553         *:*
unbound  unbound    57271 15 tcp4   10.0.0.1:5553         *:*
unbound  unbound    57271 16 udp4   95.151.***.***:5553   *:*
unbound  unbound    57271 17 tcp4   95.151.***.***:5553   *:*
unbound  unbound    57271 18 udp4   127.0.0.1:5553        *:*
unbound  unbound    57271 19 tcp4   127.0.0.1:5553        *:*
unbound  unbound    57271 20 udp4   10.0.0.1:5553         *:*
unbound  unbound    57271 21 tcp4   10.0.0.1:5553         *:*
unbound  unbound    57271 22 udp4   95.151.***.***:5553   *:*
unbound  unbound    57271 23 tcp4   95.151.***.***:5553   *:*
unbound  unbound    57271 24 udp4   127.0.0.1:5553        *:*
unbound  unbound    57271 25 tcp4   127.0.0.1:5553        *:*
unbound  unbound    57271 26 udp4   10.0.0.1:5553         *:*
unbound  unbound    57271 27 tcp4   10.0.0.1:5553         *:*
unbound  unbound    57271 28 udp4   95.151.***.***:5553   *:*
unbound  unbound    57271 29 tcp4   95.151.***.***:5553   *:*
unbound  unbound    57271 30 udp4   127.0.0.1:5553        *:*
unbound  unbound    57271 31 tcp4   127.0.0.1:5553        *:*
unbound  unbound    57271 32 tcp4   127.0.0.1:953         *:*
root     AdGuardHom 61200 13 udp4   10.0.0.1:53           *:*
root     AdGuardHom 61200 14 tcp4   10.0.0.1:53           *:*
root     AdGuardHom 61200 21 tcp4   10.0.0.1:8080         *:*
root     syslog-ng  19509 22 dgram  /var/unbound/var/run/log


95.151.***.*** is my Ext WAN IP - I removed the last 6 digits.

root@OPNsense:~ # pfctl -d
localhost -p5553 google.com
pfctl -epf disabled
root@OPNsense:~ # drill @localhost -p5553 google.com
Error: error sending query: Could not send or receive, because of network error
root@OPNsense:~ # pfctl -e
pf enabled


Before issuing the 'pfctl -e' above I was unable to browse the net from a LAN client - not sure if that's important.


Quote from: cookiemonster on February 24, 2023, 04:58:54 PM
Yes, good point about no upstreams if you clear out the DoT providers - I forgot my DoT upstreams go out in a different way.
Put a non-DoT one for now, say 8.8.8.8, and test again please.

I disabled upstreams under Services>Unbound DNS>DNS over TLS.
And enabled them under Services>Unbound DNS>Query Forwarding.
IP:8.8.8.8
Port:53
IP:1.1.1.1
Port:53

Still the same results I'm afraid:
root@OPNsense:~ # ping google.co.uk
ping: Unknown host
root@OPNsense:~ # drill google.co.uk
Error: error sending query: Could not send or receive, because of network error



Quote from: cookiemonster on February 24, 2023, 05:29:34 PM
Do not use the local DNS service as a nameserver for this system:✘
This setting controls, as per the help text, that by default localhost (127.0.0.1) will be used as the first nameserver when e.g. Dnsmasq or Unbound is enabled, so the system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.
Therefore if you have it disabled, the system is not using the loopback and the system has no alternative to use.
You could enable it and see it populate /etc/resolv.conf and I'm pretty sure the problem goes away.
If however you want it disabled, you'll need to give the system an alternative, i.e. forward to AdGuard.

Before ticking the above option:
root@OPNsense:~ # cat /etc/resolv.conf
domain home.arpa
nameserver 127.0.0.1
search home.arpa


After ticking the above option:
root@OPNsense:~ # cat /etc/resolv.conf
domain home.arpa
search home.arpa