DNS over TLS => no DNS resolving at all (with Unbound), why?

openminded · December 11, 2024, 06:25:03 PM

hello,

I'm currently using OPNsense 24.7.10_2 with Unbound. My opnsense router is behind another router. My problem is I cannot have DNS over TLS.

I have followed this how-to: https://homenetworkguy.com/how-to/configure-dns-over-tls-unbound-opnsense/

When I configure DoT servers (first one is 1.1.1.1) in "Services: Unbound DNS: DNS over TLS" (with " Use System Nameservers" unchecked, and no DNS servers at all in "System: Settings: General"), I have no DNS resolution at all.

If I go to "Interfaces: Diagnostics: DNS Lookup" and check for example.com with 1.1.1.1 server, it's ok (A example.com. 2549 IN A 93.184.215.14 1.1.1.1 3 msec). With no specified DNS server I have an error message "Error: error sending query: No (valid) nameservers defined in the resolver". Which is not a surprise.

If I put DNS servers in "System: Settings: General", it's ok (I have DNS resolution) but in this case I have no DNS over TLS.

Could someone please help me debugging this ?

openminded · January 22, 2025, 05:37:33 PM

I reinstalled opnsense and followed same instructions.
At first, I had no DNS resolution, but after a few dozen minutes, it worked. I don't know why it took so long.

newsense · January 23, 2025, 02:49:15 AM

Any form of secure communication requires accurate time on the machine with a maximum of +-5 minutes deviation accepted.

Your description fits the case where the time on the device is off, and after a few minutes of waiting whenever NTPD or Chrony were able to sync the time DoT started working.

Whenever in doubt check the time with this command:

Code Select

date
And set the time with this command for YearMonthDayHoursMinutes.Seconds:

Code Select

date yyMMddHHmm.ss

charles.adams · January 28, 2025, 03:19:46 AM

Quote from: newsense on January 23, 2025, 02:49:15 AMAny form of secure communication requires accurate time on the machine with a maximum of +-5 minutes deviation accepted.

Your description fits the case where the time on the device is off, and after a few minutes of waiting whenever NTPD or Chrony were able to sync the time DoT started working.

Whenever in doubt check the time with this command:

Code Select Expand
date
And set the time with this command for YearMonthDayHoursMinutes.Seconds:

Code Select Expand
date yyMMddHHmm.ss

So I think I also have a time syncing issue and I wanted to find out where these commands should be entered to see if the time is off?

Should this be done in a local terminal via the serial port or is there a terminal access in the WebGUI that I'm missing?

EricPerl · January 28, 2025, 03:46:21 AM

The current date/time is actually displayed in the dashboard, in system information.

The commands are used in a physical terminal on a bare metal install, but virtualized installs offer a terminal too.
In either case, there's ssh access as well.

DNS over TLS => no DNS resolving at all (with Unbound), why?

openminded

December 11, 2024, 06:25:03 PM

openminded

January 22, 2025, 05:37:33 PM #1

newsense

January 23, 2025, 02:49:15 AM #2

charles.adams

January 28, 2025, 03:19:46 AM #3

EricPerl

January 28, 2025, 03:46:21 AM #4