Update to OPNsense 24.7.8 broke DNS using unbound with DNSSEC enabled

Started by iamaven, November 17, 2024, 12:03:21 AM

Putting this out there in case anyone else has issues.

I updated to 24.7.8 today and after doing so noticed DNS resolution was failing intermittently. I have local domain requests forward to my domain controller and those worked fine.

Any request that required forwarding was not going to my pihole server, however I could manually query pihole for DNS just fine.

When I enabled some DNS over TLS servers I previously had enabled in the past for testing, DNS queries were forwarded for external addresses, but not to pihole, instead to those configured DNS over TLS servers, which would be expected.

I had to disable "Enable DNSSEC Support" in the unbound configuration as well as disabling the DNS over TLS servers I have configured in order for DNS traffic to be directed to my pihole instance.


I'm not sure, but from your explanation, it almost seems you are describing an issue with pihole's DNSSEC support, rather than an issue with opnsense. Does DNSSEC work when you forward to (say) QUAD9?
Deciso DEC Device

It's about learning to dance in the rain

I've always disabled DNSSEC when using forwarding to TLS. It's even suggested for it here: https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/

Why it is not suggested for OPNsense on that same page, I do not know.
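The two posts above come down to one question: does the upstream you forward to return DNSSEC material (RRSIG records, and the AD flag when it validates itself) when asked for it? A validating Unbound that forwards to a server which strips those records has nothing to validate and fails, which is why the Quad9 guide says to turn validation off when forwarding. The script below is an added example for this thread, not OPNsense, Unbound or Pi-hole code: it builds a DNS query with the EDNS0 DO bit set, sends it to a forwarder of your choice, and reports whether the reply carried RRSIGs and the AD flag. The sample response used for offline testing is constructed (the 192.0.2.1 address and the RRSIG payload are dummies), and the default server 9.9.9.9 is only the Quad9 resolver already named in the thread.

```python
"""Check whether a DNS forwarder returns DNSSEC records to a DO-bit query."""
import socket
import struct
import sys

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_AD = 0x0020  # "authenticated data" bit in the DNS header flags


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Query with RD set and an EDNS0 OPT record carrying the DO bit (0x8000)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def inspect_response(msg: bytes) -> dict:
    """Summarise the DNSSEC-relevant parts of a response: AD flag, RCODE, RRSIG count, EDNS."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    rtypes = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rtypes.append(rtype)
        off += 10 + rdlen
    return {"ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F,
            "rrsig": rtypes.count(TYPE_RRSIG), "edns": TYPE_OPT in rtypes}


def verdict(info: dict) -> str:
    if info["rcode"] != 0:
        return "query failed (rcode %d)" % info["rcode"]
    if info["ad"] and info["rrsig"] > 0:
        return "forwarder validates and returns DNSSEC records"
    if info["rrsig"] > 0:
        return "forwarder returns DNSSEC records but does not validate (no AD)"
    return "forwarder strips DNSSEC records; a validating Unbound cannot use it"


def _sample_response(with_dnssec: bool) -> bytes:
    """Constructed reply to 'example.com A' for offline testing; RRSIG rdata is dummy bytes."""
    flags = 0x8180 | (FLAG_AD if with_dnssec else 0)  # QR, RD, RA (+AD)
    answers = struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if with_dnssec:
        answers += struct.pack("!HHHIH", 0xC00C, TYPE_RRSIG, 1, 300, 16) + b"\x00" * 16
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if with_dnssec else 1, 0, 1)
    return header + _encode_name("example.com") + struct.pack("!HH", TYPE_A, 1) + answers + opt


def query_forwarder(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send the DO-bit query over UDP port 53 to a forwarder and inspect the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return inspect_response(data)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "9.9.9.9"  # Quad9, as named in the thread
    info = query_forwarder(server, "example.com")
    print(server, info, "->", verdict(info))
```

Run it once against the Pi-hole address and once against the DNS over TLS upstream (plain port 53 is enough for this check, since it only looks at what comes back). If the Pi-hole reply shows no RRSIG records, Unbound with "Enable DNSSEC Support" on cannot validate through it, which matches the symptom reported in the first post; if it does return them, the failure lies elsewhere and turning DNSSEC off is hiding a different problem.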

I wish I saw this post before I updated. Now my two PiHole servers do not block ads.

I am very new to Opnsense and would like to get back to having this work.
Any detailed help would be appreciated.

I looked into reverting back a version, but opnsense-revert -l does not list anything I can revert to...

Very frustrating....

You're absolutely right about QUAD9 suggesting OPNsense disable DNSSEC support; I stand corrected. I do wonder whether the pihole/opnsense interaction suffers from the same issue?
Personally, I do not use DNS forwarding or pihole for DNS blacklisting, but use Unbound as the recursive resolver and host for the DNS blacklists. Would this not work for your setup as well?
Deciso DEC Device

It's about learning to dance in the rain