Unbound DNS not being utilized

Started by opnsense1, Today at 04:03:22 PM

Today at 04:03:22 PM Last Edit: Today at 04:21:03 PM by opnsense1
Hello, it appears that my Unbound DNS is only being used by the router and not being used by my devices. Looking at `Reporting > Unbound DNS`, the top passed domains are:
1. 3.opnsense.pool.ntp.org. 5248 (12.13%)
2. 1.opnsense.pool.ntp.org. 5234 (12.10%)
3. 0.opnsense.pool.ntp.org. 5225 (12.08%)
4. 3.opnsense.pool.ntp.org.localdomain. 5221 (12.07%)
5. 2.opnsense.pool.ntp.org. 5219 (12.06%)
6. 1.opnsense.pool.ntp.org.localdomain. 5186 (11.99%)
7. 0.opnsense.pool.ntp.org.localdomain. 5185 (11.98%)
8. 2.opnsense.pool.ntp.org.localdomain. 5169 (11.95%)
9. forum.opnsense.org. 465 (1.07%)
10. forum.opnsense.org.localdomain. 457 (1.06%)

In System > Settings > General I have my upstream DNS server configured. Unbound is enabled. I do have a WireGuard VPN set up in OPNsense; is there a special configuration I have to do to get that to use Unbound? All of my troubleshooting has changed nothing. Also, my devices are getting the correct DNS server advertised to them: they show my OPNsense IP address as the DNS server in network settings, and `nslookup` returns `Server: 127.0.0.53  Address: 127.0.0.53#53`, so the devices appear to be correctly configured; it is just OPNsense that is not utilizing Unbound correctly.

Edit: Forgot to mention, I made sure that `Allow DNS server list to be overridden by DHCP/PPP on WAN` and `Do not use the local DNS service as a nameserver for this system` are *not* enabled.

Do you see the query if you start one from the command line, with nslookup or dig?

Browsers are often using DoH these days and are not using the DHCP-provided DNS server, so you would have to disable DoH in the browser. E.g. https://support.mozilla.org/en-US/kb/firefox-dns-over-https
Deciso DEC740

Today at 04:58:27 PM #2 Last Edit: Today at 05:08:46 PM by opnsense1
Quote from: patient0 on Today at 04:27:47 PM
> Do you see the query if you start one from the command line, with nslookup or dig?
>
> Browsers are often using DoH these days and are not using the DHCP-provided DNS server, so you would have to disable DoH in the browser. E.g. https://support.mozilla.org/en-US/kb/firefox-dns-over-https

Thank you for the reply. I have DNS over HTTPS disabled in Firefox. Looking at the "Top 10 client activity over the last hour" graph and clicking on the few dots that show up, I think the only requests that are showing up here are ones that I performed under Interfaces: Diagnostics: DNS Lookup in the OPNsense web UI. Trying a few more nslookups, they do not appear to be going into this graph, despite the response signalling what I thought meant it was correctly configured, based on the server address returned:
```
nslookup proton.me
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:    proton.me
Address: 185.70.42.45
```

So this would point to my devices not getting the correct DNS server? How do I correct that? On both my laptop and phone they are displaying the correct IP address for the DNS server under network settings, and I also tried statically configuring them to use the DNS servers just in case, with no change.

Edit: I also recently tried going into VPN: WireGuard: Interfaces and enabling advanced settings so I could set the DNS server manually there to be my OPNsense IP, with no change. (I made sure to disable WireGuard, apply changes, re-enable WireGuard and apply changes afterwards, as I know this was recommended when I was setting the VPN up.) I have also tried going into my external router's settings and changing the DNS setting from "ISP Default" (which I assumed would read from OPNsense correctly in this case, and I preferred to leave it at that to prevent weird issues later if I forget that this was manually configured) to the local address as well. No change. And the fact that the devices are displaying the correct local IP address for their DNS server in network settings makes me less confident that this setting would have mattered anyway, because as far as I can tell they are correctly configured, unless something is intercepting it.
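The `Server: 127.0.0.53` in the nslookup output above only shows that the client's local systemd-resolved stub answered; which server the stub forwards to, and which client addresses Unbound actually records, are the two things that decide whether the query ever reaches OPNsense. The script below is an added example (not from this thread or the OPNsense project): three small parsers for `dig` output, `resolvectl status` output and Unbound's query log (Services > Unbound DNS > Advanced > "Log Queries", i.e. `log-queries: yes`), plus a check that every link on the client forwards to the OPNsense address. The sample inputs are constructed, and the addresses 192.168.1.1 (OPNsense LAN) and 192.168.1.50 (a LAN client) are placeholders.

```sh
#!/bin/sh
# Added example, not from the forum thread or from OPNsense.
# Answers two questions from a Linux client:
#   1. which server does the systemd-resolved stub (127.0.0.53) forward to?
#   2. which client addresses does Unbound actually see in its query log?

OPNSENSE_DNS="${OPNSENSE_DNS:-192.168.1.1}"   # assumption: your OPNsense LAN IP

# ";; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)"  ->  127.0.0.53
# 127.0.0.53 means the stub answered, not necessarily Unbound.
dig_server() {
    sed -n 's/^;; SERVER: \([^#(]*\)#.*/\1/p' | head -n 1
}

# Print "<link> <server>" for every address on a "DNS Servers:" line of
# `resolvectl status`; these are the real upstreams behind 127.0.0.53.
resolved_upstreams() {
    awk '
        /^Global/       { link = "Global" }
        /^Link [0-9]+/  { link = $3; gsub(/[()]/, "", link) }
        /DNS Servers:/  { for (i = 3; i <= NF; i++) print link, $i }
    '
}

# Unbound query-log lines look like
#   [1700000000] unbound[1234:0] info: 192.168.1.50 proton.me. A IN
# Count queries per client address, most active first. If only 127.0.0.1
# appears, LAN clients are not reaching Unbound at all.
unbound_clients() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "info:") { c[$(i+1)]++; break } }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Exit 0 if every non-Global link forwards only to OPNSENSE_DNS, else 1.
client_uses_opnsense() {
    resolved_upstreams | awk -v want="$OPNSENSE_DNS" '
        BEGIN { bad = 0 }
        $1 != "Global" && $2 != want { bad = 1 }
        END { exit bad }'
}

# Constructed sample inputs (not real captures).
SAMPLE_DIG=';; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)'
SAMPLE_RESOLVECTL='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1
        DNS Domain: localdomain'
SAMPLE_UNBOUND='[1700000000] unbound[1234:0] info: 127.0.0.1 0.opnsense.pool.ntp.org. A IN
[1700000001] unbound[1234:0] info: 127.0.0.1 1.opnsense.pool.ntp.org. A IN
[1700000002] unbound[1234:0] info: 192.168.1.50 proton.me. A IN'

if [ "${1:-}" = "live" ]; then
    # On a real client: who answers through the stub, who answers when
    # OPNsense is asked directly, and what the stub forwards to.
    dig +noall +stats proton.me | dig_server
    dig @"$OPNSENSE_DNS" +noall +stats proton.me | dig_server
    resolvectl status | resolved_upstreams
else
    printf '%s\n' "$SAMPLE_DIG" | dig_server
    printf '%s\n' "$SAMPLE_RESOLVECTL" | resolved_upstreams
    printf '%s\n' "$SAMPLE_UNBOUND" | unbound_clients
fi
```

Run it with no arguments to see the parsers on the constructed samples, or with `live` on the client to run the real commands. The second `dig` bypasses the stub entirely; if that query shows up in Reporting > Unbound DNS while the first does not, the client is reachable but its stub is forwarding elsewhere. On OPNsense itself, `grep 'info:' /var/log/resolver/latest.log | unbound_clients` (path is an assumption; use wherever your Unbound log is written) gives the per-client breakdown.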

Are you connecting the client to OPNsense using WireGuard, or does OPNsense use WG to connect to the internet? What operating system are you using?
Deciso DEC740

WireGuard is set up through OPNsense to route all internet traffic through my VPN service. The operating systems are Android and Linux.