How to set unbound as ONLY resolver on OPNSense?

Started by maclovlin, December 09, 2023, 09:48:44 AM

Hi,

I want to have Unbound as the only DNS resolver on OPNsense.

I have a fresh install on a Sophos SG-105.

My settings are:
- "System: Settings: General"
      Prefer IPv4 over IPv6 - On
      No DNS servers
      Allow DNS server list to be overridden by DHCP/PPP on WAN - Off

- "Services: Unbound DNS: General"
      default

- No forward DNS server

My problem is: no DNS resolution on the LAN interface with these settings.

Calling drill with a different DNS server set, DNS is working.

Any Idea?

If you don't allow recursion, you will only receive responses for DNS records that Unbound is authoritative for - i.e. local records. https://umbrella.cisco.com/blog/what-is-the-difference-between-authoritative-and-recursive-dns-nameservers

If you want to make sure all queries go through Unbound, configure the upstream resolvers you want it to use and create a firewall rule to deny 53 TCP and UDP from your LAN subnet.

Bart...


Configure upstream DNS servers to recurse to: System: Settings: General, DNS servers

Oh, I see, but I'm trying to avoid this.

There is no other way?

I am not quite sure why Unbound will not permit recursive queries without a forwarder configured. Since I do not run Unbound I cannot promise that I will find the time to perform a test installation.

In the meantime you can of course run BIND. If you want to keep the DHCP-Unbound integration of OPNsense, continue to use Unbound for your clients, install the BIND plugin, configure e.g. BIND on 127.0.0.1:53530 as a forwarder for Unbound.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

OK, so I'll bite  ;) I have this lab system, anyway. Unbound only DNS service running. I changed

System > Settings > General
Service > Unbound > Query forwarding

See screenshots for details. Recursive queries from internal clients are resolved without using a forwarder and replies are sent.

I then activated various logging actions - see third screenshot, please. You can watch Unbound recurse on its own starting at the DNS root servers when I ask for e.g. staging.bsky.app starting with a clean cache:
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10294"] [27811:0] info: 172.31.0.128 staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10295"] [27811:0] info: resolving staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10296"] [27811:0] info: response for staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10297"] [27811:0] info: reply from <.> 2001:dc3::35#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10298"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10299"] [27811:0] info: response for staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10300"] [27811:0] info: reply from <app.> 216.239.34.105#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10301"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10302"] [27811:0] info: resolving ns-757.awsdns-30.net. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10303"] [27811:0] info: resolving ns-1425.awsdns-50.org. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10304"] [27811:0] info: resolving ns-1425.awsdns-50.org. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10305"] [27811:0] info: resolving ns-2001.awsdns-58.co.uk. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10306"] [27811:0] info: resolving ns-2001.awsdns-58.co.uk. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10307"] [27811:0] info: resolving ns-757.awsdns-30.net. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10308"] [27811:0] info: response for ns-1425.awsdns-50.org. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10309"] [27811:0] info: reply from <org.> 199.249.112.1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10310"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10311"] [27811:0] info: response for ns-2001.awsdns-58.co.uk. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10312"] [27811:0] info: reply from <uk.> 213.248.216.1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10313"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10314"] [27811:0] info: response for ns-757.awsdns-30.net. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10315"] [27811:0] info: reply from <net.> 2001:503:d414::30#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10316"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10317"] [27811:0] info: response for ns-757.awsdns-30.net. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10318"] [27811:0] info: reply from <net.> 2001:503:d414::30#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10319"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10320"] [27811:0] info: response for ns-2001.awsdns-58.co.uk. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10321"] [27811:0] info: reply from <uk.> 2401:fd80:404::1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10322"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10323"] [27811:0] info: response for ns-2001.awsdns-58.co.uk. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10324"] [27811:0] info: reply from <awsdns-58.co.uk.> 205.251.197.253#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10325"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10326"] [27811:0] info: response for ns-757.awsdns-30.net. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10327"] [27811:0] info: reply from <awsdns-30.net.> 205.251.197.94#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10328"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10329"] [27811:0] info: response for ns-757.awsdns-30.net. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10330"] [27811:0] info: reply from <awsdns-30.net.> 205.251.193.223#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10331"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10332"] [27811:0] info: response for ns-1425.awsdns-50.org. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10333"] [27811:0] info: reply from <awsdns-50.org.> 2600:9000:5302:f400::1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10334"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10335"] [27811:0] info: response for ns-2001.awsdns-58.co.uk. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10336"] [27811:0] info: reply from <awsdns-58.co.uk.> 2600:9000:5301:7a00::1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10337"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10338"] [27811:0] info: response for ns-2001.awsdns-58.co.uk. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10339"] [27811:0] info: reply from <awsdns-58.co.uk.> 205.251.193.122#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10340"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10341"] [27811:0] info: response for ns-757.awsdns-30.net. AAAA IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10342"] [27811:0] info: reply from <awsdns-30.net.> 2600:9000:5301:df00::1#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10343"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10344"] [27811:0] info: response for staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10345"] [27811:0] info: reply from <bsky.app.> 205.251.194.245#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10346"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10347"] [27811:0] info: 172.31.0.128 staging.bsky.app. A IN NOERROR 0.234521 0 93


So, recursive queries with Unbound do work as expected. No need to configure any forwarding DNS server.
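The log excerpt above is the evidence that matters: a resolver that recurses on its own gets REFERRAL responses starting at the root zone (`reply from <.>`), whereas one that forwards gets an ANSWER straight back from whatever it was pointed at. The following parser is an added example, not part of the thread and not OPNsense or Unbound code; it walks Unbound's `log-queries`/`log-replies` style lines, reconstructs the delegation chain for one qname and classifies the resolution mode. The recursive sample is a subset of the lines posted above (the parallel NS address lookups are left out); the forwarded sample is constructed, with 192.0.2.53 as a stand-in forwarder. Treating "only ANSWER replies from zone `.`" as forwarding is a heuristic drawn from how Unbound labels forwarder replies, and is marked as such in the code.

```python
"""Reconstruct the upstream path Unbound took for one query from its info-level log."""
import re
from dataclasses import dataclass, field

# Subset of the log lines posted in the thread (recursion from the root servers).
RECURSIVE_LOG = """\
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10294"] [27811:0] info: 172.31.0.128 staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10295"] [27811:0] info: resolving staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10296"] [27811:0] info: response for staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10297"] [27811:0] info: reply from <.> 2001:dc3::35#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10298"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10299"] [27811:0] info: response for staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10300"] [27811:0] info: reply from <app.> 216.239.34.105#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10301"] [27811:0] info: query response was REFERRAL
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10344"] [27811:0] info: response for staging.bsky.app. A IN
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10345"] [27811:0] info: reply from <bsky.app.> 205.251.194.245#53
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10346"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:15:16+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="10347"] [27811:0] info: 172.31.0.128 staging.bsky.app. A IN NOERROR 0.234521 0 93
"""

# Constructed sample: what the same query looks like when Unbound forwards to 192.0.2.53.
FORWARDED_LOG = """\
<30>1 2023-12-09T16:20:00+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="20001"] [27811:0] info: 172.31.0.128 example.org. A IN
<30>1 2023-12-09T16:20:00+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="20002"] [27811:0] info: resolving example.org. A IN
<30>1 2023-12-09T16:20:00+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="20003"] [27811:0] info: response for example.org. A IN
<30>1 2023-12-09T16:20:00+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="20004"] [27811:0] info: reply from <.> 192.0.2.53#53
<30>1 2023-12-09T16:20:00+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="20005"] [27811:0] info: query response was ANSWER
<30>1 2023-12-09T16:20:00+01:00 opnsense.lab.hausen.com unbound 27811 - [meta sequenceId="20006"] [27811:0] info: 172.31.0.128 example.org. A IN NOERROR 0.012345 0 56
"""

INFO_RE = re.compile(r"\binfo: (?P<msg>.*)$")
# Client lines start with an IPv4/IPv6 literal, which keeps "resolving ..." lines from matching.
QUERY_RE = re.compile(r"^(?P<client>[0-9a-fA-F.:]+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$")
REPLY_RE = re.compile(r"^(?P<client>[0-9a-fA-F.:]+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+) "
                      r"(?P<rcode>\S+) (?P<secs>[\d.]+) (?P<cached>[01]) (?P<size>\d+)$")
RESPONSE_FOR_RE = re.compile(r"^response for (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$")
REPLY_FROM_RE = re.compile(r"^reply from <(?P<zone>[^>]*)> (?P<addr>.+)#(?P<port>\d+)$")
KIND_RE = re.compile(r"^query response was (?P<kind>\S+)$")


@dataclass
class Hop:
    zone: str          # zone the contacted server was authoritative for ("." = root)
    server: str        # address#port of that server
    kind: str = "?"    # REFERRAL, ANSWER, ... as logged by Unbound


@dataclass
class Trace:
    qname: str
    client: str = ""
    qtype: str = ""
    hops: list = field(default_factory=list)
    rcode: str = ""
    latency: float = 0.0
    cache_hit: bool = False


def parse_unbound_trace(text: str, qname: str) -> Trace:
    """Collect the hops Unbound took for one qname; subqueries for other names are ignored."""
    trace = Trace(qname=qname)
    current = None  # qname that the next "reply from" / "query response was" lines belong to
    for line in text.splitlines():
        m = INFO_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (r := REPLY_RE.match(msg)) and r["qname"] == qname:
            trace.client, trace.qtype = r["client"], r["qtype"]
            trace.rcode, trace.latency = r["rcode"], float(r["secs"])
            trace.cache_hit = r["cached"] == "1"
        elif (q := QUERY_RE.match(msg)) and q["qname"] == qname:
            trace.client, trace.qtype = q["client"], q["qtype"]
        elif rf := RESPONSE_FOR_RE.match(msg):
            current = rf["qname"]
        elif (h := REPLY_FROM_RE.match(msg)) and current == qname:
            trace.hops.append(Hop(h["zone"], f'{h["addr"]}#{h["port"]}'))
        elif (k := KIND_RE.match(msg)) and current == qname and trace.hops:
            trace.hops[-1].kind = k["kind"]
    return trace


def resolution_mode(trace: Trace) -> str:
    """Heuristic: referrals mean Unbound walked the delegation tree itself;
    answers coming only from zone "." are what a forwarder reply looks like."""
    if trace.cache_hit and not trace.hops:
        return "cache"
    if any(h.kind == "REFERRAL" for h in trace.hops):
        return "recursive"
    if trace.hops and all(h.zone == "." and h.kind == "ANSWER" for h in trace.hops):
        return "forwarded"
    return "unknown"


if __name__ == "__main__":
    for log, name in ((RECURSIVE_LOG, "staging.bsky.app."), (FORWARDED_LOG, "example.org.")):
        t = parse_unbound_trace(log, name)
        print(f"{name} -> {resolution_mode(t)} via {[h.zone for h in t.hops]} "
              f"{t.rcode} in {t.latency:.3f}s")
```

Feed it the output of `unbound-control` verbosity 2 or the OPNsense log export with query and reply logging enabled; a chain of `.` then TLD then zone with REFERRAL kinds confirms the box is recursing from the roots, while a single ANSWER hop from `.` means the query went to a forwarder.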

...was my impression, too, after reading this here

https://docs.pi-hole.net/guides/dns/unbound/
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Now three and a half hours later returning to my desk, name resolution does not work. Unbound refuses to perform recursive queries.

WTH?  :o

I definitely don't have the time to debug this right now, as I wrote I am running BIND everywhere. I tested with the mentioned combination of Unbound and BIND and that seems to work as expected.

Something about the OPNsense specific Unbound configuration seems to be weird.

Oh boy, got it now :-)

Unfortunately, I changed too many factors at the same time, so I can't say what caused this behaviour.

The changes are:

    Replaced the Fritzbox with a Draytek Vigor 165 as modem
    Disabled IPv6 on the LAN and WAN interfaces
    Disabled the IPv6 firewall rule under "Firewall: Rules: LAN"
    Set "Prefer to use IPv4 even if IPv6 is available" under "System: Settings: General"

IMHO it was the Firewall Rule.

Thanks for Support.

Well, this works "out of the box" and definitely does not need any DNS servers configured for the system, or forwarders in Unbound.

Firewall has logs, use them. Disabling IPv6 does not do any good, bad idea in general.