Either Unbound or the latest patch (23.7.xxxx) broke my connection

[lar.hed]

Since link down/up seem to resolved itself somehow I decided to return to my Unbound issue.

After disable of DNSmasq, and enable Unbound - no name resulotion on any device. Did for the sake of testing a reboot of OPNsense h/w. No difference. Disabled Unbound, turned on DNSmasq - everything works like a charm. Go figure.

[Patrick M. Hausen]

tcpdump of the request and reply packets while the regular DNS debug tools like dig, drill, nslookup ... would be helpful. Also the output of netstat -a etc.

[lar.hed]

I might be able to get them tomorrow. However, be assured that browsing on IP address intranet and internet (1.1.1.1) work perfect. Name resolution does not - and it is firewall wide, no unit has name resolution no matter what segment or VLAN for that matter.

[Patrick M. Hausen]

You need to check which addresses have an active socket on port 53 and which packets flow where. I am not aware of any other technique to debug this.

[lar.hed]

Patrick, very large thanks for your help and suggestion. For the moment I will put this on hold, and rebuild my firewall from scratch. This is more of a ProxMox thing now - I will install ProxMox to get the ability to more easily revert back to previous version with snapshot and stuff like that - and when OPNsense is installed back ontop of ProxMox of course, I will start hunting whatever is giving me challenges. However as I rebuild with ProxMox alot of stuff will change, as interface port assignments - so there will not be any way for me to restore my config file....

However, I will store my old config just-in-case I decide to revert back to bare metal again. Better safe than sorry (and after all, I just did re-install of OPNsense bare metal....).

[Tschabadu]

I want to give some update about my issue as I am facing the same issue with unbound dns stopping to work randomly.

I freshly installed OPNsense 23.7 from scratch and did a configuration restore via backup restore process, after that I upgraded again to the latest Version 23.7.8. After that I switched back from Dnsmasq to Unbound DNS with DoT and DNSSEC enabled.

After aprox. 5min DNS stopped working again and after various restarts and switching from Dnsmasq and Unbound back and forth, always after some short random time DNS stopped working on Unbound DNS again.

After this (I was pretty sure a fresh install would help, because migration could have screwed things up maybe), I decided to disable DNSSEC and DoT, but leave Unbound DNS as default DNS.

This setup is now stable for at least 24 hours!

As a side note, before fresh install, when I was troubleshooting the issue, I can remember that I got SERVFAILS when checking with tcpdump eg.

Code: [Select]

tcpdump -v -i igb0 dst port 53  # LAN showing SERVFAILS, when DNS stopped working
tcpdump -v -i igb1 dst port 853  # WAN when DoT enabled


P.S: I have a PC-Engines APU4 Board.

P.P.S: I did a health check of the system, I did even try a check unbound config based on https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#testing-the-setup. All checks good and logs do not seem to indicate an issue, which makes this thing hard to troubleshoot.

[Tschabadu]

Running now 7/24 without interruption.

[lar.hed]

Still without DNSSEC and DoT?

[Tschabadu]

Yes without having these set, which leads me to believe that the problem lies there. But that's just my personal amateur opinion. If I find time, which is rare these days, I will investigate further.

[Tschabadu]

Its also worth noting, that a new OPNsense Release 23.7.9 is out now with a new Unbound Version 1.18.0 -> 1.19.0, with some bugfixes https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0 however not finding anything related to DoT or DNSSEC in the bugs section, but I also do not know the library itself and its code, so I will give it a try and check if it will work again with DoT and DNSSEC enabled.

[Kinerg]

After this (I was pretty sure a fresh install would help, because migration could have screwed things up maybe), I decided to disable DNSSEC and DoT, but leave Unbound DNS as default DNS.

This setup is now stable for at least 24 hours!

Can you try disabling DNSSEC while using DoT? It should be disabled as your DoT/DoH server is the one ensuring DNSSEC anyway.

[Tschabadu]

Hi, valid point and thanks for the advice, I can give it a try and based on the setup guide on quad9 its anyway not mentioned https://www.quad9.net/support/set-up-guides/setup-opnsense-and-dns-over-tls.

[CJ]

I'm using Quad9 DoT without DNSSEC with no problems, but I'm still on 23.7.6.  May give that an update today.

[Kinerg]

Hi, valid point and thanks for the advice, I can give it a try and based on the setup guide on quad9 its anyway not mentioned https://www.quad9.net/support/set-up-guides/setup-opnsense-and-dns-over-tls.

I've had issues with Quad9 DoT and DNSSEC, too. They explicitly say to disable it in their Pfsense guide:
https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/

Not sure why it's not mentioned for Opnsense.

[lar.hed]

I just had a look into my settings for Unbound / DoT / DNSSEC - and sure enough I use Quad and Cloudflare, two IPs from each. Now I use 4 Custom Forward, since I got into problems with only Quad active. So I used all four of them - but I guess the Quad IPs are never used since they are last in the list.

That being said, I will later today when I am alone on the network (trying to be nice here....) re-enable Unbound, but without DNSSEC. And see what happens.

And I also wonder which DoT servers one should use nowadays...
Is Googles the only ones that work?