DNS weirdness - Unbound DNS

Started by gafrol, October 31, 2023, 03:13:04 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
October 31, 2023, 03:13:04 PM
I am puzzled. A DNS request for servers.rmnoise.com returns IP address 100.64.3.4 while the real IP addresses are 184.80.221.105 AND 174.170.161.132. 192.168.1.1 is my Opnsense FW. Here is a Wireshark capture.



I don't have any DNS issues at all besides the one with servers.rmnoise.com.
Any ideas?
October 31, 2023, 03:41:13 PM #1
overrides on your dns server giving the answer (opn but dnsmasq, bind, unbound, etc.)
October 31, 2023, 03:56:42 PM #2
No overrides configured
October 31, 2023, 04:06:59 PM #3
dig is your friend but you probably want to look at the corresponding packet capture on the WAN interface.
This is what your OPN is giving back, but that would be what is either received from its configured upstreams, or overrides.
October 31, 2023, 04:27:25 PM #4
The FW gets the correct IP's

16:23:46.614491 IP 84-73-XXX-XXX.dclient.hispeed.ch.48804 > dns.google.domain: 61194+ [1au] A? servers.rmnoise.com. (48)
16:23:46.633358 IP dns.google.domain > 84-73-XXX-XXX.dclient.hispeed.ch.48804: 61194 2/0/1 A 174.170.161.132, A 184.80.221.105 (80)
October 31, 2023, 04:51:44 PM #5
In that case I assume that unbound gives you the wrong answers for some reason.

100.64.3.4 is from 100.64.0.0/10 that is used for CG/NAT and or DS-Lite.

Here is someone with a similar problem.

There are several possibilities:


  • Wireguard or other VPN with broken routing
  • Did you setup servers on you LAN and had their "final" hostnames already configured or are they really in your own LAN and building up a VPN to somewhere else?

In the latter case, note that DHCP registers the hostnames in unbound if so configured. You can look into this by finding the IP or the name in your OpnSense configuration like this:

Code Select

fgrep -r 100.64.3.4 /var/unbound/*.conf

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
October 31, 2023, 04:55:40 PM #6
Nope, wrong direction. Zenarmor was the problem. Zenarmor -> servers.rmnoise.com -> parked domain, returns 100.64.3.4. Now fixed
October 31, 2023, 05:15:21 PM #7
Oh well, you did not tell that you use it.

Zenarmor can do stranger things than that being a 3rd party extension. Consider disabling it first when you notice something strange/unexpected happens. Be careful with OpnSense updates as well - because often, Zenarmor breaks with these for a while.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
October 31, 2023, 05:26:39 PM #8
I don't want to hijack this thread, but I'm really curious why Zenarmor breaking and doing weird things after updates is still an issue today. I first tried it out when it was still called Sensei, had it on multiple firewalls, but after a few failed updates I've decided not to use it anymore.

I wonder if Zenarmor could be integrated more neatly since it's an official partnership. Maybe Zenarmor could hook into the actual "Check for Updates" when Zenarmor is installed, and block the ability to install an update until they verified it not breaking their integration. Their users would then get OPNsense Updates more slowly than the rest, but maybe it would at least minimize the risk?
Hardware:
DEC740
October 31, 2023, 05:37:21 PM #9
It has integrated a lot more in my opinion. I wouldn't call it does weird things but we are reminded if using it, that dns results like in this case that look odd, shoud cause to check or disable as meyergru says.
It seem to have a few false steps in the last couple of months I think with an update but otherwise seems fine.
That said, I'd like to have more than one policy on the free tier and improvements on live tracing but not complaining.
Print
Go Up Pages1
User actions