DNS Unbound Issue

Started by Gizmo, August 30, 2025, 12:52:56 PM

August 30, 2025, 12:52:56 PM Last Edit: August 30, 2025, 11:08:40 PM by Gizmo
Hi all,

I have a strange issue where my private network has no internet, yet IOT, Guest and Smart TV do.

My issue started when I took steps to force the use of unbound as a local resolver instead of quad9. I have DNS over TLS set up for quad9.

Current status
Opnsense Version: 25.7.2
KEA DHCP IPV4
IOT = No issues, works fine
Guest = No issues, works fine
Private = No internet and tests show NXDOMAIN

I suspect it's a DNS issue. I'm not sure about the best way to approach this. Currently I have a floating rule to govern traffic through unbound. Unsure if this is the best approach.

Floating Rule:
IPV4 > TCP/UDP
Source: any
Port: any
Destination: !This Firewall
Port 53 (DNS)
Gateway: any
Interfaces: LAN, Guest, IOT, Private

My IOT has the same rule set as private except for the web ports (For GUI access via private network)


IOT + Private > Wireguard VPN tunnel
Guest > WAN
Smart TV > Nord VPN DNS

Checks I've done:
Interface added to Unbound
NAT rule using alias combining IOT+Private
WG peer allows any IP
Subnet added to Kea DHCP

Topology:
Opnsense FW > Omada Managed Switch > WAPS

What exactly do you get, when you do a DNS lookup on private network device?

To ensure all the DNS requests go to Unbound, it's best practice to redirect all DNS requests which are not going to "This firewall".
Ensure that Unbound is listening also on localhost and redirect DNS traffic to 127.0.0.1.

Hi thanks for reaching out.

When you say "Ensure unbound is listening on local host", what does this mean explicitly? Current interfaces unbound listens to are:
LAN, Private, IOT, Guest, WG Tunnel

OK here are the results from two NSLOOKUP tests

Not forcing through Unbound DNS
nslookup google.com 9.9.9.9
Server:      9.9.9.9
Address:   9.9.9.9#53

Non-authoritative answer:
Name:   google.com

Forcing through Unbound DNS
nslookup google.com 10.0.80.1
Server:      10.0.80.1
Address:   10.0.80.1#53

** server can't find google.com: NXDOMAIN

The floating rule has the ! to invert the sense, assuming that meets the criteria for everything but the firewall. My big question is should this redirect be via floating rules or perhaps a NAT port forward? I have seen dialogue for either way.

Over the weekend I attempted to create a Private Network 2.0, new interface, new VLAN, new SSID etc - No internet connection, same as the original Private network.

Hope this helps, let me know if you require any other information.

Much appreciated.

Quote from: Gizmo on September 01, 2025, 12:11:37 AM
When you say "Ensure unbound is listening on local host", what does this mean explicitly? Current interfaces unbound listens to are:
LAN, Private, IOT, Guest, WG Tunnel
I see, there is no "localhost" available in the listening interfaces list. Mine is listening on "All", so localhost is included as well.

Quote from: Gizmo on September 01, 2025, 12:11:37 AM
Forcing through Unbound DNS
nslookup google.com 10.0.80.1
Server:      10.0.80.1
Address:  10.0.80.1#53

** server can't find google.com: NXDOMAIN
And you get this only in one network segment or maybe only on certain clients?

If you have enabled DNSSEC, try to disable it.

Quote from: Gizmo on September 01, 2025, 12:11:37 AM
My big question is should this redirect be via floating rules or perhaps a NAT port forward? I have seen dialogue for either way.
Redirecting must be done by a NAT port forwarding rule. But this only ensures that all DNS requests go to the local server and might not solve your issue.


Quote from: viragomann on September 01, 2025, 11:41:41 AM
Mine is listening on "All", so localhost is included as well.

Which is the recommended setting for a reason. There is rarely a requirement to limit listen interfaces of any service. Just keep the default.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi,

Thanks for the suggestions, I have implemented, here are the outcomes:

In summary, still no internet via private network. Let me know if any additional information is needed to troubleshoot.

1) Changed listen interfaces on unbound to all
2) Added NAT port forward rule to !Private_net to port 53 and removed private network from existing floating rule performing similar function.
3) Disabled DNSSEC

I carried out the same nslookup on my functioning IOT network, same result as the private network.
nslookup google.com 10.0.60.1
Server:      10.0.60.1
Address:   10.0.60.1#53

** server can't find google.com: NXDOMAIN

VS performing same test, on IOT to 9.9.9.9

nslookup google.com 9.9.9.9
Server:      9.9.9.9
Address:   9.9.9.9#53

Non-authoritative answer:
Name:   google.com
Address: 142.250.203.174
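To compare what the firewall's Unbound (10.0.80.1 / 10.0.60.1 in the thread) returns against 9.9.9.9 more precisely than nslookup shows, here is an added Python probe, not posted by anyone in the thread and not OPNsense code. It sends the same recursive A query and reports the rcode together with the AA and RA flags, which tells you whether the NXDOMAIN came from a resolver answering out of its own data or from a forwarded lookup; it assumes plain UDP on port 53 and parses only A records.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Recursive A query (RD set), one question, no other records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def parse_response(msg):
    """Pull out the rcode, the AA/RA flags and any A records from a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "aa": bool(flags & 0x0400),  # set when the server answered from its own data
        "ra": bool(flags & 0x0080),  # set when a recursive resolver handled the query
        "answers": addrs,
    }

def probe(server, name="google.com"):
    """Send the query over UDP/53 to `server` and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)
```

From a client on the Private network, run probe("10.0.80.1") and probe("9.9.9.9") and compare the two dicts; an NXDOMAIN with "aa" True means Unbound generated the answer itself rather than relaying an upstream result.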