Author Topic: No Unbound replies on new interface (Read 1037 times)

chemlud · « **on:** October 03, 2023, 07:23:02 pm »

Hi!

Installed a fresh 23.7, all up-to-date and imported my working config for DNS-over-TLS with unbound. All fine.

I configured a new interface, DHCP works, set up firewall rules (including block to HTPPS of opnsense and allowing ipv4 UDP to port 53 of opnsense) and added the new interface to unbound in the GUI and applied. Rebooted. According to resolve.conf on the only host attached to the new interface, the DNS ist set to the interface address of the opnsense.

With package capture on port 53 of the new opnsense interface I see the requests of the host, but there is no reply at all from unbound.

With "inspect" on the FW-rules page of the new interface I see no evaluation of the FW-rule allowing UDP to port 53 of the opnsense?!?! The only rule hit is the first on the page, no matter which rule this is...

Any ideas?

newsense · « **Reply #1 on:** October 04, 2023, 12:25:09 am »

Check in Unbound settings if it's listening on the new interface

chemlud · « **Reply #2 on:** October 04, 2023, 08:40:49 am »

Quote

...and added the new interface to unbound in the GUI and applied. Rebooted. ...

So: Yes...

But there is no reply.

chemlud · « **Reply #3 on:** October 04, 2023, 09:27:52 am »

As I wrote above: Apparently only the first FW-rules get's evaluated, so I moved the "allow ipv4 UDP to SERVER address (Interface of opnsense for the new network) port 53" rule to the first position. And started "apt update" on the client attached to this interface. No resolution of repo names on the client. But according to "Inspect" on FW-Tab the first rule (allow DNS to sense) gets evaluated some hundred times, but 0 (zero) States, Packages, Bytes going back and forth.

What is going on here? This should be absolutely basic stuff, I have never seen something like that in over 10 years of *sense....

PS: Although NTP is also allowed on this new interface (to specific server), it apparently doesn't work either. So: not a problem with unbound, but pf?

Disables "Static ARP" (why?) and rebooted. Traffic started flowing...

CJ · « **Reply #4 on:** October 04, 2023, 02:57:33 pm »

Are you asking why disabling Static ARP makes things work or why it was checked in the first place?

chemlud · « **Reply #5 on:** October 05, 2023, 02:52:07 pm »

neither. I use static ARP on nearly all interfaces and usually it works. No idea why disabling and enabling it afterwards made it work this time for the new interface...

Solved anyway.

Author Topic: No Unbound replies on new interface (Read 1037 times)

chemlud

No Unbound replies on new interface

newsense

Re: No Unbound replies on new interface

chemlud

Re: No Unbound replies on new interface

chemlud

Resolved: No Unbound replies on new interface

CJ

Re: No Unbound replies on new interface

chemlud

Re: No Unbound replies on new interface