DNS issues since 23.1.6

Started by stuffu, April 21, 2023, 07:43:06 AM

If I have AdGuard configured to use a dedicated VIP on port 53, forwarding queries to Unbound on 127.0.0.1:53, will this update break it?

@opn_nwo: I don't know. But the update does not break DHCP or anything else. What it does break is the automatic detection of suitable DNS server setting for a DHCP pool. So should anyone get hit by this new, much better documented and much cleaner, behaviour, then simply explicitly set the DNS server in your DHCP pool configuration and you will be just fine.

Therefore I also doubt this will be considered a bug. Possibly the documentation can use some more clarification, but that's it, IMHO.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

April 21, 2023, 07:50:04 PM #17 Last Edit: April 21, 2023, 08:02:07 PM by stuffu
double post

Well, I still have issues with my TV VLAN. Since the update to 23.1.6 my stb is not working anymore.
I had not specified a DNS server on this VLAN, however: if I add one it is still not working.
ISP is KPN in the Netherlands.

Hi, I also have ADGuard listening on 53, which runs on top of unbound:5353.
The FW and NAT rules force all clients to go through ADGuard:53 for any kind of DNS request.
Last night I updated OPNsense and today I found the PCs offline. Actually Telegram works, and so do pings to external addresses I know.

Thanks to pmhausen's post I went to Service->DHCPv4->LAN and populated the DNS Server field (it was empty) with the OPNsense IP, and everything immediately started working correctly.

April 21, 2023, 07:59:37 PM #20 Last Edit: April 21, 2023, 08:04:59 PM by stuffu
It just died on me again. I'm using port 853 on DNS over TLS as default. Tried to use a dedicated name server instead and it still didn't work. Enabling DNS over TLS again and it works as normal. The funny thing here is that I have used the same setup (only difference from earlier setup was adguard running on port 5353) for 12 hours without a problem and all units just now suddenly got cut off.

Edit: Hope I didn't do something very wrong. Renamed the post since it doesn't just have to do with adguard.

Quote from: Videopac on April 21, 2023, 07:57:23 PM
Well, I still have issues with my TV VLAN. Since the update to 23.1.6 my stb is not working anymore.
I had not specified a DNS server on this VLAN, however: if I add one it is still not working.
ISP is KPN in the Netherlands.
After you added one, did you restart all the client systems? You did add the interface address of your OPNsense in that particular VLAN as the DNS server in DHCP?

Yes, I restarted the client (stb). DNS IPs I tried: 196.168.1.1 (=OPNsense), 1.1.1.2/1.0.0.2 and 195.121.1.34/195.121.1.66. The latter two I also tried with only 1 DNS entry (the first mentioned).

OPNsense in that particular VLAN is what DHCP would have handed out before the update. So if you set that and only that explicitly, IMHO your network must work.

@franco?

I must admit I can't follow this very well. The simple fact is that the DNS service of your choice should bind to both 0.0.0.0 AND :: on port 53 for this to work reliably. Deviating in the form of selecting special interfaces "to listen" or using port forwards to undo some of this makes it so much harder to debug.

My advice is to wait for Michael to fix the Adguard plugin. 23.1.5 *has* to work, otherwise you look at some other misconfiguration that was bound to make itself known at an inconvenient time as it mostly does.


Cheers,
Franco
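Franco's point above is that the resolver should own port 53 on both wildcard addresses. The following is an added example (not from the thread or the OPNsense project) that checks `sockstat` output for exactly that: it expects udp4, udp6, tcp4 and tcp6 listeners on `*:53`, and reports which are missing. The `sockstat` lines below are constructed to mirror the thread's setup (AdGuard on one interface address, Unbound moved to 127.0.0.1:5353) and are not from a real box.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4 -6 -l` output on a healthy box: Unbound on *:53.
SAMPLE_OK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    4711  5  udp4   *:53                  *:*
unbound  unbound    4711  6  udp6   *:53                  *:*
unbound  unbound    4711  7  tcp4   *:53                  *:*
unbound  unbound    4711  8  tcp6   *:53                  *:*'

# Constructed sample of the setup discussed in the thread: AdGuard bound to one
# interface address only, Unbound pushed to 127.0.0.1:5353, nothing on *:53.
SAMPLE_BAD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     AdGuardHom 5210  8  udp4   192.168.1.1:53        *:*
root     AdGuardHom 5210  9  tcp4   192.168.1.1:53        *:*
unbound  unbound    4711  5  udp4   127.0.0.1:5353        *:*'

# check_dns_bind: read sockstat output on stdin; return 0 only if port 53 is
# bound on the wildcard address for all four of udp4, udp6, tcp4 and tcp6.
# sockstat prints a wildcard listener as "*:53" in the LOCAL ADDRESS column
# (field 6); the protocol is field 5.
check_dns_bind() {
    input=$(cat)
    missing=""
    for proto in udp4 udp6 tcp4 tcp6; do
        if ! printf '%s\n' "$input" |
            awk -v p="$proto" '$5 == p && $6 == "*:53" { found = 1 } END { exit !found }'; then
            missing="$missing $proto"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing wildcard :53 listener for:$missing"
        return 1
    fi
    echo "ok: port 53 bound on 0.0.0.0 and :: for udp and tcp"
    return 0
}

# Usage on the firewall itself: sockstat -4 -6 -l | check_dns_bind
```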

@franco You don't agree that simply setting the DNS server explicitly for DHCP should fix things, too?

Well, in theory I agree...but... DHCPv4 server not handing out a DNS server is only the most obvious issue. The same check for a DNS server is used for DHCPv6 server and router advertisements (manual and auto) as well as internal DNS resolution so other types of weird behaviour could be the result leading to unsatisfactory workarounds.


Cheers,
Franco

In case it helps troubleshoot (I'm still on 22.7.x).
$ sudo nmap --script broadcast-dhcp-discover
can be used to query the dhcp server's response.
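Building on the nmap suggestion above, here is an added example (not posted in the thread) that pulls the Domain Name Server option out of `broadcast-dhcp-discover` output and compares it with the address you expect the pool to hand out, which is the exact symptom discussed here. The nmap output below is constructed in the script's usual layout, not captured from a real network; the expected address 192.168.1.1 is an assumption.

```shell
#!/bin/sh
# Constructed sample of `nmap --script broadcast-dhcp-discover` output with a DNS option.
OFFER_WITH_DNS='Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     Interface: em0
|     IP Offered: 192.168.1.50
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|     IP Address Lease Time: 2h00m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|_    Domain Name Server: 192.168.1.1'

# The same offer with the DNS option missing, i.e. the 23.1.6 symptom in this thread.
OFFER_NO_DNS=$(printf '%s\n' "$OFFER_WITH_DNS" | grep -v 'Domain Name Server')

# offered_dns: print the Domain Name Server value from nmap output on stdin,
# or "none" if the offer carried no DNS option. nmap lists several servers
# comma separated on one line, so the whole list is returned as one string.
offered_dns() {
    v=$(sed -n 's/^|[_ ] *Domain Name Server: *//p' | head -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || echo none
}

# check_offer EXPECTED: read nmap output on stdin; exit 0 only if the offered
# DNS server equals EXPECTED (normally the OPNsense address in that VLAN).
check_offer() {
    expected=$1
    dns=$(offered_dns)
    case "$dns" in
        none)        echo "offer carries no DNS server; set one explicitly in the DHCP pool"; return 1 ;;
        "$expected") echo "offer hands out $dns as expected"; return 0 ;;
        *)           echo "offer hands out $dns, expected $expected"; return 2 ;;
    esac
}

# Usage from a client on the VLAN (assumed address, adjust to your pool):
#   sudo nmap --script broadcast-dhcp-discover | check_offer 192.168.1.1
```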

Quote from: franco on April 21, 2023, 09:41:47 PM
Well, in theory I agree...but... DHCPv4 server not handing out a DNS server is only the most obvious issue. The same check for a DNS server is used for DHCPv6 server and router advertisements (manual and auto) as well as internal DNS resolution so other types of weird behaviour could be the result leading to unsatisfactory workarounds.
Understood, thanks. I always set "Do not use the local DNS service as a nameserver for this system" and explicitly configure 127.0.0.1, because I don't like this kind of magic. All configuration should be explicit.

Opnsense 23.1.6 does not work with Adguard. If I set the dns in Adguard without going through Unbound there is no internet connection. If I configure Adguard with dns 127.0.0.1 through Unbound it doesn't work either. Disabling Adguard and leaving the dns connections only through Unbound there are no connectivity problems.