New OPNsense installation - Unbound can't resolve

[guest40390]

Hi there,

OPNsense is relatively new to me and I have set up my first OPNsense firewall in the last few days. So far everything works very well, but I still have a problem with DNS/Unbound:

I have installed AdGuard Home:
Upstream / Bootstrap / Private Reserve Server is: 127.0.0.1:5335

Unbound DNS Settings:
- Enable Unbound: Check
- Listen Port: 5335
- Network Interfaces: All
- Enable DNSSEC Support: Check
- Register DHCP Leases: Check
- Register DHCP Static Mappings: Check
- Outgoing Network Interfaces: WAN

System-General Settings:
- Prefer IPv4 over IPv6: Unchecked
- DNS servers: 8.8.8.8 / 9.9.9.9 / 1.1.1.1
- DNS server options: both unchecked

With this settings ... DNS just not resolve anything.
And the "System: Firmware - Status" Page don't work either.

If i check "Do not use the local DNS service as a nameserver for this system", the Firmware - Status Page work again normally.

In order for AdGuard - and thus also the DNS on all clients - to work, I have to check the setting: "Query Forwarding - Use System Nameservers" in Unbound DNS.
With this, DNS in the home network works without problems - but is still quite slow.

In my opinion, DNS should also work without the system nameservers - then Unbound would have to query the root servers itself. Do you have any idea why this does not work here? I have already tried various settings, but nothing has worked.

Thanks already in advance!

[newsense]

There's no reason to move Unbound from 53. No need for system servers either, a couple DoT servers will suffice.


A single port forward rule can take all DNS traffic and redirect it to AGH

[guest40390]

There's no reason to move Unbound from 53. No need for system servers either, a couple DoT servers will suffice.


A single port forward rule can take all DNS traffic and redirect it to AGH

Hi!
The problem is, even before I installed AGH and Unbound was enabled normally on port 53, Unbound itself did not resolve anything at all. Only when I forwarded the queries to the system nameservers.

I thought Unbound was configured by default so all you had to do was turn it on. Or is there something more that needs to be configured there for it to even work fundamentally?

[newsense]

You either choose your upstream servers or use the ones provided by the ISP.

Unbound has no preset upstreams by default

[guest40390]

You either choose your upstream servers or use the ones provided by the ISP.

Unbound has no preset upstreams by default

Unbound normally sends requests directly to the root nameservers, so you don't have to use "third party" nameservers. That is the reason to use Unbound. Isn't it?

And Unbound should work even if I don't have "Query Forwarding - Use System Nameservers" checked?

[guest40390]

More Info:
I can even see in the Firewall Logs, that there are connections to IPs of different root-nameservers with port 53 pass through.
So Unbound really seems to reach the root-nameservers as expected. But still no DNS-Resolution for OPNsense itself or a client, if i try to use unbound without forwarding the queries to 8.8.8.8 or something like that.

EDIT:
When i setup DNS over TLS Custom Forwarding (to 1.1.1.1 on port 853) .. It work's!
If i disable it, it's stop working again. Outgoing Port 53 for the root-nameservers work's fine.

What can there be the issue?

[cookiemonster]

this should help https://homenetworkguy.com/how-to/confused-about-dns-configuration-in-opnsense/