DNS issues since 23.1.6

Started by stuffu, April 21, 2023, 07:43:06 AM

April 21, 2023, 07:43:06 AM Last Edit: April 21, 2023, 08:03:07 PM by stuffu
I don't know where to start and I might have the wrong conclusions.

All was fine until I updated to 23.1.6, after that I have no internet access. It might be unrelated but it seems like an odd coincidence.

It looks in the reports that there is a WAN connection and I have been able to do a speed test. Tried to connect a laptop to the router directly and I still have no remote access and that leads me to DNS issues.

Checked the Unbound DNS report and quad9 reports NOERROR (though I can't recall that I used quad9, where can I change DNS service?)

Edit: I managed to narrow it down. Disabling the adguard port forwarding rule and all is fine. Not sure what broke it though.

Adguard plugin isn't ready for 23.1.6. If it was included in our plugins it would have been fixed already, but it's not available from us.

https://github.com/opnsense/core/issues/6513


Cheers,
Franco

April 21, 2023, 08:22:13 AM #2 Last Edit: April 21, 2023, 08:23:44 AM by marunjar
Same here. I just updated to 23.1.6 and DNS names cannot be resolved any more.

I have AdGuard installed from mimugmail's community repo, listening on port 53.
AdGuard uses Unbound as its upstream DNS server.
Unbound is running on the firewall as DNS resolver, listening on port 53530.

From checking changelog i suspect https://github.com/opnsense/core/commit/9f6df9e5f3057ffb6759e151d7e2f5084a4af33d
Not sure if adguard plugin currently provides dns_ports which is checked now

Anybody can confirm this?

Edit: franco was a little faster, thx


Yes, that is what I said. Previously the system considered Unbound or Dnsmasq being enabled as port 53 being served, which was wrong if that wasn't actually the port being used... so it was good for AdGuard running on port 53 as long as either service was enabled.

The cleanup/feature here is that adguard can now work as standalone as well as bind or dnscrypt-proxy WITHOUT a running unbound or dnsmasq, but in order for this to work it needs to communicate which port it uses and only port 53 is eligible for a core DNS provider...


Cheers,
Franco

Hi all, in my case Adguard Home works fine.

Right after updating to 23.1.6 all my devices lost internet access. Reverting to 23.1.5 didn't solve the problem.

I investigated the issue and found that for whatever reason my DNS port forwarding rules had been changed. I changed them back to what they were before, updated back to 23.1.6 and that seemed to fix it.

April 21, 2023, 08:47:48 AM #5 Last Edit: April 21, 2023, 09:21:59 AM by stuffu
There seems to be some other weird issues, I briefly had WAN access when disabling adguard but then lost it again. Tried to use the system name servers instead and got it back.

I disabled it again and using DNS over TLS with 853 as port and it seems to work.

When browsing through the settings I found something I don't know where it came from. Anyone got an idea where to remove the quad9 DNS listed under system name servers? System/Settings/General just has 1.1.1.1 when testing to get DNS back up.

April 21, 2023, 10:28:32 AM #6 Last Edit: April 21, 2023, 10:30:37 AM by stuffu
I'm hijacking my own post, sorry :)

I figured out the odd DNS that I got from name servers was due to this setting:

"Allow DNS server list to be overridden by DHCP/PPP on WAN"

Any drawbacks disabling it?

There is no direct drawback. Some ISPs seem to hinder using DNSSEC or try to manipulate plain DNS responses, but these cases are rare.

I'd try the option and see if it works. Normally it should.


Cheers,
Franco

Thanks for the quick reply. I guess we are all sorted then. Just have to live with ads for a while but that's not a big issue really.

I'll poke Michael about the Adguard plugin fix and see if he needs any help there.


Cheers,
Franco

I also have the problem.

It can't be AdGuardHome.

I think rather that it could be a problem with the DHCP server, because all devices that get their IP via the DHCP server have no Internet. All devices with a static IP have internet.

I have

- BIND listening on port 53
- AdGuard Home listening on port 5353 forwarding to 127.0.0.1:53
- Port forward NAT rules on all interfaces directing DNS queries to either AdGuard Home or directly to BIND bypassing AdGuard Home

No problem with the update.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I'm with Patrick on this one, similar setup yet simpler:


- AdguardHome installed from Michael's repo and up to date - running on 5353
- Port forward NAT rules on all interfaces directing DNS queries to AdGuardHome
- AdGuardHome handles the DoH/DoT

Running without issues on multiple firewalls for more than 6 months and not affected by any updates so far.

Of course this is working, that's a different configuration with AdGuard *not* listening on port 53.
With proper NAT rules ports may be changed as a workaround too.

But for adguard listening on port 53 there is still something missing, as franco said:
Quote from: franco on April 21, 2023, 08:24:43 AM
The cleanup/feature here is that adguard can now work as standalone as well as bind or dnscrypt-proxy WITHOUT a running unbound or dnsmasq, but in order for this to work it needs to communicate which port it uses and only port 53 is eligible for a core DNS provider...

Yes, this only happens on setups where port 53 is populated by something other than Unbound or Dnsmasq while one or both of them is enabled on another port. As I said the code assumed port 53 works, but it was never validated. Now it's validated not just for Unbound and Dnsmasq but also BIND and Dnscrypt-Proxy, but the downside is that any other DNS provider plugin needs to make itself known to the GUI.

Consider this as being always problematic when you disabled Unbound and Dnsmasq and wanted to run something else on port 53. In those cases the configuration (correctly) assumed that nothing known was providing DNS so it would not send out DNS information via DHCP.


Cheers,
Franco
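The setups in this thread differ only in which resolver answers on which port (AdGuard on 53 or 5353, Unbound on 53530, BIND on 53). As an added example, not from the thread or from OPNsense, this Python script sends a raw A query to a listener and reports the RCODE and answers, so you can confirm from the firewall shell that each port actually resolves; the loopback address, the ports and example.com are assumptions to adjust for your own firewall.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query in wire format (RD=1, no EDNS)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a wire-format name, handling compression pointers."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:      # pointer: two bytes, name ends here
            return pos + 2
        if length == 0:                # root label terminates the name
            return pos + 1
        pos += length + 1


def parse_response(data: bytes) -> dict:
    """Return query id, RCODE name, answer count and any A records."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):                # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answers": an, "a": addrs}


def probe(host: str, port: int, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send one UDP query to host:port; TIMEOUT means nothing answered there."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"id": None, "rcode": "TIMEOUT", "answers": 0, "a": []}
    return parse_response(data)


if __name__ == "__main__":
    # Assumed listeners from the thread; change to match your firewall.
    for label, port in (("AdGuard Home", 53), ("Unbound", 53530)):
        print(label, port, probe("127.0.0.1", port))
```

A TIMEOUT on port 53 with NOERROR on 53530 reproduces the state Franco describes: the resolver you rely on is up, but nothing eligible is serving the port that DHCP clients are pointed at.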