Unbound, DNSSEC, and Resolution Weirdness

Started by CJ, February 17, 2024, 03:58:11 PM

I think you can try
`opnsense-patch 387fc59`
and disable it via the GUI,
or place `aggressive-nsec: no` somewhere in /usr/local/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
and Apply Unbound settings.


Quote from: Fright on February 27, 2024, 04:05:59 PM
I think you can try
`opnsense-patch 387fc59`
and disable it via the GUI,
or place `aggressive-nsec: no` somewhere in /usr/local/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
and Apply Unbound settings.

I'll see if I can give that a try this weekend.

September 18, 2024, 02:04:03 PM #18 Last Edit: September 18, 2024, 02:06:08 PM by deajan
I've also encountered multiple (and strange) resolve errors with Unbound like the following:

```
2024-09-18T13:46:40 Error unbound [54445:2] error: SERVFAIL <somedomain.tld. A IN>: all servers for this domain failed, at zone somedomain.tld. upstream server timeout
2024-09-18T13:43:36 Error unbound [17415:1] error: SERVFAIL <xx.xx.xx.xx.in-addr.arpa. PTR IN>: all servers for this domain failed, at zone 64.92.188.in-addr.arpa. no server to query no addresses for nameservers
2024-09-18T13:43:36 Error unbound [17415:0] error: SERVFAIL <xx.xx.xx.xx.in-addr.arpa. PTR IN>: exceeded the maximum nameserver nxdomains
2024-09-18T13:43:30 Error unbound [17415:3] error: SERVFAIL <xx.xx.xx.xx.in-addr.arpa. PTR IN>: exceeded the maximum nameserver nxdomains
2024-09-18T13:33:04 Error unbound [17415:3] error: SERVFAIL <85.21.107.40.zen.spamhaus.org. A IN>: exceeded the maximum nameserver nxdomains
2024-09-18T13:32:26 Error unbound [17415:2] error: SERVFAIL <somedomain.tld. A IN>: all servers for this domain failed, at zone somedomain.tld. from 194.0.34.53 no server to query nameserver addresses not usable
```

After reading a lot of documentation, one guy said that ISPs may tamper with DNS.
In my setup, I've got 3 internet providers, so I configured Unbound to use WAN1 only, then WAN2, then WAN3.
While doing DNS requests, I noticed that the WAN1 provider tampered (probably) with DNS, since both WAN2 and WAN3 produced good results, but WAN1 didn't.

Hopefully this might help some other people.

The world has 6 strings, and I got a pick ;)
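As an added example (not code from this thread, OPNsense or Unbound): a small Python parser for SERVFAIL lines in the format quoted above, grouping them by Unbound's stated reason so that upstream timeouts (the pattern worth comparing across WAN uplinks) can be told apart from nameserver NXDOMAIN noise. The sample log is constructed from the lines posted above, placeholders included.

```python
import re
from collections import Counter

# Constructed sample, copied from the thread's log excerpt (placeholders kept as posted).
SAMPLE_LOG = """\
2024-09-18T13:46:40 Error unbound [54445:2] error: SERVFAIL <somedomain.tld. A IN>: all servers for this domain failed, at zone somedomain.tld. upstream server timeout
2024-09-18T13:43:36 Error unbound [17415:1] error: SERVFAIL <xx.xx.xx.xx.in-addr.arpa. PTR IN>: all servers for this domain failed, at zone 64.92.188.in-addr.arpa. no server to query no addresses for nameservers
2024-09-18T13:43:36 Error unbound [17415:0] error: SERVFAIL <xx.xx.xx.xx.in-addr.arpa. PTR IN>: exceeded the maximum nameserver nxdomains
2024-09-18T13:43:30 Error unbound [17415:3] error: SERVFAIL <xx.xx.xx.xx.in-addr.arpa. PTR IN>: exceeded the maximum nameserver nxdomains
2024-09-18T13:33:04 Error unbound [17415:3] error: SERVFAIL <85.21.107.40.zen.spamhaus.org. A IN>: exceeded the maximum nameserver nxdomains
2024-09-18T13:32:26 Error unbound [17415:2] error: SERVFAIL <somedomain.tld. A IN>: all servers for this domain failed, at zone somedomain.tld. from 194.0.34.53 no server to query nameserver addresses not usable
"""

# One SERVFAIL line: timestamp, level, daemon, [pid:thread], then <qname qtype qclass>: reason
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+Error\s+unbound\s+\[(?P<pid>\d+):(?P<thr>\d+)\]\s+"
    r"error:\s+SERVFAIL\s+<(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)>:\s+(?P<reason>.+)$"
)
ZONE_RE = re.compile(r"at zone (\S+)")

# Reason substrings as they appear in the posted messages, mapped to a short failure class.
REASON_CLASSES = (
    ("upstream server timeout", "timeout"),
    ("exceeded the maximum nameserver nxdomains", "ns_nxdomain"),
    ("no addresses for nameservers", "ns_no_address"),
    ("nameserver addresses not usable", "ns_unusable"),
)

def parse_servfail(line):
    """Return a dict for one SERVFAIL log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    zone = ZONE_RE.search(rec["reason"])
    rec["zone"] = zone.group(1) if zone else None
    rec["klass"] = next((k for needle, k in REASON_CLASSES if needle in rec["reason"]), "other")
    return rec

def summarize(log_text):
    """Count SERVFAILs by failure class and query type; a run of 'timeout' entries for
    forward lookups on one uplink, while other uplinks resolve fine, is the signal
    to compare per WAN."""
    recs = [r for r in map(parse_servfail, log_text.splitlines()) if r]
    return {
        "total": len(recs),
        "by_class": dict(Counter(r["klass"] for r in recs)),
        "by_qtype": dict(Counter(r["qtype"] for r in recs)),
        "zones": sorted({r["zone"] for r in recs if r["zone"]}),
    }
```

Feed it `/var/log/resolver/latest.log` (or wherever OPNsense writes Unbound's log on your box) once per active WAN to see which uplink the timeouts cluster on.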

Turning off `Aggressive NSEC` under `Advanced` from the GUI itself made resolution with Quad9 DoT perfect. No more resolution failures.