DNS failures after upgrade to 25.7 series - NOT solved as I thought

Started by pseudonym3k, August 02, 2025, 10:18:47 PM

Without trying to downplay your experiences, there are thousands, if not multiples of that, using OPN with Unbound without problems. Bugs are always a possibility; however, when there are cases like these, they come down to the configuration of either Unbound or how the network and its clients are set up to do name resolution.
@pftoon - if still required, can you please open your own thread, so it can be diagnosed in its own setup?
@pseudonym3k - if still a problem, we'll need to go back to basics. I mean showing settings of multiple parts of OPN (like the ones in post #9) and doing diagnostics from clients.

Quote from: cookiemonster on October 17, 2025, 11:06:24 AM
"if still a problem"
As was mentioned, I haven't tried to enable Unbound again so I don't know if a problem still exists.

What browser are you using? If using Firefox, there are some changes in Firefox that have to be made or Firefox DNS will fight with Unbound DNS. You should leave Unbound enabled at default except check flush cache on reboot. Nothing to do there for a basic setup. Put your DNS servers in System > Settings > General > DNS. Just to the right of each one is a gateway drop-down bubble. If it doesn't show an IPv4 gateway, wait for a DHCP connection, then click the drop-down bubble and it should be there. You have to attach an IPv4 gateway there. It's a bug I mentioned on the forum before. Then monitor your DNS: is it going where it should, exactly? No deviations. Leave everything else about DNS at default. If problems persist, make sure you wipe the OPNsense drive before a reinstall, if you know how. It has a possibility of carrying data over to the new system. Wipe the RAM. If it still has wrong DNS, then you have to look at the modem and/or operating system.

Thanks for your comments.

Quote from: someone on November 08, 2025, 04:32:25 AM
"What browser are you using, if using firefox there are some changes in firefox that have to be made or firefox DNS will fight with unbound DNS."
Multiple machines, multiple browsers, email clients, other programs that access the internet, multiple OS (Windows multiple versions, Ubuntu).

Quote from: someone on November 08, 2025, 04:32:25 AM
"You should leave unbound enabled at default except check flush cache on reboot. Nothing to do there for a basic setup. Put your dns servers in system>settings>general>dns."
I was informed that if DNS is configured in system->settings... instead of Unbound, then Unbound is not doing anything even if enabled. I didn't test that; I moved my DNS from Unbound to system->settings... and disabled Unbound. Then DNS started working normally.

Quote from: someone on November 08, 2025, 04:32:25 AM
"Just to the right of each one is a gateway drop down bubble. If it doesnt show A IPV4 gateway. Wait for a DHCP connection, then click the drop down bubble and it should be there. Have to attach a IPV4 gateway there. Its a bug I mentioned on the forum before."
None of those things went wrong for me, it was all there as it should be. Unbound DNS became flakier and flakier over varying periods of time until it stopped working completely. Clearing Unbound cache and reboot got it working again but only for short periods. Until I moved DNS and disabled Unbound, then all DNS problems stopped.

Quote from: someone on November 08, 2025, 04:32:25 AM
"Make sure you wipe the opnsense drive before a reinstall if you know how. It has a possibility of carrying data over to the new system. Wipe the RAM."
I will be using ZFS and I'm assuming it will completely format the disk (I've never used it). I suppose I'll find out when I get there.

Progress? Did you get it working? The things I mentioned affect DNS considerably.

I have not tried to enable Unbound again since for the most part things have been working without it. It hasn't been entirely stable but I haven't had time to figure out what or why (dealing with a sudden death in the family and other issues). Hopefully soon after the first of year I will find time to reformat with ZFS and try a fresh install with defaults as before, tweaking little else. Thanks for the followup.

Not wanting to take over this post, but here are my issues.

I was running OPNsense for about a year and had my hard drive crash and lost everything. My setup was simple as it could get. No VLANs or segmented networks. Just serving as a DHCP server and DNS server. I would create static IPs for various things on my network and a couple of firewall rules for reverse proxy.

I replaced my hard drive and was starting over and saw that ISC DHCPv4 wasn't the default DHCP anymore. Reading on the forums and Reddit, I found that ISC is deprecated and the recommendation is to use DNSmasq or KEA DHCP. Along with that, it is recommended to use Unbound.

This is where my issues start. I noticed that my PCs sometimes can't resolve DNS. It is random, but I know it is something with my OPNsense because if I manually change DNS on my PC to a public DNS like 8.8.8.8 it works every time.

I have no idea where to even troubleshoot. I know I can go back to ISC DHCPv4 but with it eventually going away I should use the recommended.

Since the 25.7 series, I have also noticed strange behavior where a few individual pages can no longer be accessed (ERR_CONNECTION_RESET), e.g., www.spiegel.de, or where I have to refresh the browser several times before other pages are displayed.

This happens with different browsers as well as on the LAN with Windows PCs and on the WLAN with Android.

I have already disabled all possible settings in Unbound (DNSSEC, block lists, etc.) and tried different DNS servers for DoT, cleared the cache in the browser, cleared the DNS cache in Windows... but the pages still cannot be accessed. The block list tester also returns OK / PASS.

I can't make sense of the Unbound logs.
How could I further investigate the problem?

Kind regards
Torsten
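Several posts above ask the same thing from the client side: cookiemonster wants "diagnostics from clients", ESClaus76 has "no idea where to even troubleshoot", and Torsten asks how to investigate further. The script below is an added example, not code from the thread or from OPNsense, that does exactly the comparison ESClaus76 described by hand: it sends the same A queries, several times, to the firewall resolver and to a public resolver, then reports timeouts, SERVFAIL/NXDOMAIN answers, latency and whether the firewall returned a block-list style answer (0.0.0.0). The LAN address 192.168.1.1 and the hostnames are assumptions; replace them with your own. It uses only the Python standard library, so it runs on a Windows or Ubuntu client without extra packages.

```python
import random
import socket
import struct
import time

# Assumptions (constructed for this example): the OPNsense LAN address running
# Unbound/Dnsmasq, and a public resolver that worked for ESClaus76 in the thread.
FIREWALL_RESOLVER = "192.168.1.1"
PUBLIC_RESOLVER = "8.8.8.8"
TEST_NAMES = ["www.spiegel.de", "example.com"]  # www.spiegel.de is the site from Torsten's post

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
BLOCKHOLE_IPS = {"0.0.0.0"}  # what block-list answers typically look like


def build_query(name, qid):
    """Build a minimal DNS A query (RD=1) for `name` with transaction ID `qid`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_id):
    """Return rcode name, truncation flag and the A-record IPs in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "truncated": bool(flags & 0x0200), "ips": sorted(ips)}


def probe(resolver, name, attempts=5, timeout=2.0):
    """Query `resolver` for `name` repeatedly; summarise timeouts, rcodes, latency, answers."""
    summary = {"attempts": attempts, "timeouts": 0, "rcodes": {}, "max_ms": 0.0, "ips": set()}
    for _ in range(attempts):
        qid = random.randrange(0, 65536)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            t0 = time.monotonic()
            try:
                s.sendto(build_query(name, qid), (resolver, 53))
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                summary["timeouts"] += 1
                continue
            summary["max_ms"] = max(summary["max_ms"], (time.monotonic() - t0) * 1000)
        r = parse_response(data, qid)
        summary["rcodes"][r["rcode"]] = summary["rcodes"].get(r["rcode"], 0) + 1
        summary["ips"].update(r["ips"])
    return summary


def classify(fw, pub):
    """Turn the two probe summaries into a one-word diagnosis for the symptoms in the thread."""
    if fw["timeouts"] == fw["attempts"]:
        return "FIREWALL_RESOLVER_DEAD"          # nothing answers on the firewall
    if fw["timeouts"] > 0 and pub["timeouts"] == 0:
        return "FIREWALL_RESOLVER_FLAKY"         # the 'sometimes can't resolve' case
    if fw["rcodes"].get("SERVFAIL") and not pub["rcodes"].get("SERVFAIL"):
        return "FIREWALL_SERVFAIL"               # e.g. DNSSEC/DoT/upstream failure in Unbound
    if (fw["rcodes"].get("NXDOMAIN") or (fw["ips"] and fw["ips"] <= BLOCKHOLE_IPS)) \
            and pub["ips"] and not pub["rcodes"].get("NXDOMAIN"):
        return "BLOCKED_BY_FIREWALL_RESOLVER"    # block list still active for this name
    if fw["ips"] and pub["ips"] and not (fw["ips"] & pub["ips"]):
        return "ANSWER_MISMATCH"                 # often just CDN geo-answers; worth a look
    return "OK"


if __name__ == "__main__":
    for name in TEST_NAMES:
        fw, pub = probe(FIREWALL_RESOLVER, name), probe(PUBLIC_RESOLVER, name)
        print(f"{name}: {classify(fw, pub)}  firewall={fw}  public={pub}")
```

Run it from a LAN client a few times over the day while the problem is "flaky"; a result that drifts from OK to FIREWALL_RESOLVER_FLAKY or FIREWALL_SERVFAIL points at the resolver on OPNsense, while BLOCKED_BY_FIREWALL_RESOLVER on www.spiegel.de would explain a browser reset that clearing client caches cannot fix. The script checks the transaction ID on every reply so a stray or spoofed answer is reported instead of being counted as a good one.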


Quote from: tokade on December 29, 2025, 07:57:48 PM
"Since the 25.7 series, I have also noticed"
Quote from: ESClaus76 on December 29, 2025, 06:05:58 PM
"My setup was simple as it could get."

I'm the OP. I'm still working on my issues, which are possibly related to both of yours; it's possibly just coincidence that I'm running smoothly right now, but I'll give you what I've got and let you try it out if you're willing.

I'm not saying this is best way to go, only that apparently it's working for me thus far and maybe you can get a stable setup too before moving on with more configuration.

1. If it isn't already, disable Unbound. Put your DNS server IPs in System -> Settings -> General.

2. I was having trouble with Health reports, I think something got corrupted in the upgrade. I went to Reporting -> Settings and reset/repaired everything, then rebooted. I had to do it a couple more times over a few weeks but reporting is working OK for now.

3. I've just moved from ISC to DNSmasq. I had DNSmasq in prior routers for years and liked it. This one is working for me too.
   - The first day was a little rocky as leases expired and got picked up by DNSMasq, but settled after that.
   - Don't enable DNSMasq until everything is ready. Then, disable ISC and enable DNSMasq. Reboot and give it a day to settle out.
   - Leave the listen port at 53 (because unbound is disabled)
   - I followed this guide: https://homenetworkguy.com/how-to/migrate-from-isc-dhcp-to-dnsmasq-or-kea-dhcp-in-opnsense/  except for leaving the listen port at 53 and skipping all the unbound info. I also put the lease time to 0 on all my reserved IPs. I don't know if that's redundant but it is what I've done on all past DNSMasq routers I've had.

   NOTE: In ISC I had a small window of IPs available for dynamic IPs, and all the reserved IPs were defined outside of that range.
   In my past DNSMasq routers I always gave the full LAN range for DHCP and reserved IPs were scattered throughout - I did the same here. The above guide also mentions this. I honestly don't know if that's required, but it's what I've always done.

4. I found out I was getting dpinger problems with gateway monitoring. I think this was causing me some instability. Probably nothing to do with DNS issues exactly, but my internet kept going unstable and only pulling the power cable would fix it. I could probably just uncheck gateway monitoring (and may still try that).

But for now I changed the IP from what was already populated, to a hop in a tracert to any public IP. I chose the IP from the fourth hop as it responded quickly. It's still within my ISP. I am not sure how the one in OPNsense was populated, I don't recall putting anything there when I first set up and don't have any notes about it. Maybe I did it and just don't remember. In any case, using the fourth hop IP on the tracert is working well and I don't have any dpinger entries anymore.

Check your logs at System -> Gateways -> Log file and see if you have any dpinger warnings or errors, especially "exit on signal 15", which I think means it was killed and restarted. (?)  If you have warnings or errors, go to System -> Gateways -> Configuration and enter that fourth hop IP for monitoring. Or just try a reliable one like 1.1.1.1 or 8.8.8.8, something for your test that has a consistent fast response and solid uptime.


If you are willing to try the above and if your internet becomes stable after a day or two (and maybe a couple of reboots at intervals), then we might be able to help shed some light on why the most basic near-default installs seem to have trouble with DNS.

Let us know?

Kind regards.