Unbound strange behavior

Started by ricksense, December 04, 2025, 03:55:50 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
December 04, 2025, 03:55:50 PM
 Hi,

OPNsense 25.7.8 runs as a VM in my Proxmox machine. I ran across a strange behavior of Unbound: my hosts behind OPNsense still have internet access and get their DNS queries resolved by Unbound if I simply uses the browser, but if I ping a website, say, google.com in the prompt command it doesn't get resolved.

I saw the logs in Reporting: Unbound DNS, and noticed that the requests from the hosts got dropped:



 Could you please help understand why it happens and how to fix it?

Thanks
December 04, 2025, 04:41:04 PM #1
Probably local resolution fails entirely. You need to investigate the logfiles to find the cause of that SERVFAIL.

Your browsers continue to work because modern browsers implement their own methods of name resolution.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 04, 2025, 04:43:06 PM #2
Quote from: Patrick M. Hausen on December 04, 2025, 04:41:04 PMProbably local resolution fails entirely. You need to investigate the logfiles to find the cause of that SERVFAIL.

Your browsers continue to work because modern browsers implement their own methods of name resolution.

Yes, I found out that I can browser websites via Firefoxr because I had cloudflare DOT activatet on it.
But if I disabled it, I have the same problem. So, there is definitely something wrong with the DNS requests to Unbound.
But what exactly?

Thanks
December 04, 2025, 04:45:17 PM #3
As I wrote: investigate the cause of the SERVFAIL by looking at the log files.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 04, 2025, 04:50:00 PM #4
Quote from: Patrick M. Hausen on December 04, 2025, 04:45:17 PMAs I wrote: investigate the cause of the SERVFAIL by looking at the log files.

If I set "Use System Nameservers" in the Query Forwarding settings, it works but I don't think Unboud is working properly this way.
Thanks
December 04, 2025, 05:13:37 PM #5
Look at the Unbound log files for the cause of the SERVFAIL - how often do I need to repeat this?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 05, 2025, 01:49:43 PM #6
Quote from: Patrick M. Hausen on December 04, 2025, 05:13:37 PMLook at the Unbound log files for the cause of the SERVFAIL - how often do I need to repeat this?

I looked at both the Unbound log files and the firewall log. There is nothing meaningful. Even no log entries in the Unbound log files. The firewall lets queries PASS.

Thanks
December 05, 2025, 01:57:42 PM #7
Then probably enable:

Services > Unbound DNS > Advanced > Log SERVFAIL
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 05, 2025, 02:41:15 PM #8
Quote from: Patrick M. Hausen on December 05, 2025, 01:57:42 PMThen probably enable:

Services > Unbound DNS > Advanced > Log SERVFAIL

Ok, I can see something as I ran a query:
Quote from: Patrick M. Hausen on December 05, 2025, 01:57:42 PMThen probably enable:

Services > Unbound DNS > Advanced > Log SERVFAIL

Ok, I started seeing something as I ran a query:



Thanks



December 06, 2025, 10:27:44 AM #9
I realized that Unbound, in this scenario (without checking the "use name server" button), works intermittently and unpredictably.
December 06, 2025, 11:57:37 AM #10
In general it doesn't. I run it at multiple offices and an entire data centre with that setting and no problems at all.

Something about your configuration must be unusual. Still pondering what that might be. Did you change the interfaces setting for Unbound, possibly? Something in private networks?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 06, 2025, 02:00:53 PM #11
Quote from: Patrick M. Hausen on December 06, 2025, 11:57:37 AMIn general it doesn't. I run it at multiple offices and an entire data centre with that setting and no problems at all.

Something about your configuration must be unusual. Still pondering what that might be. Did you change the interfaces setting for Unbound, possibly? Something in private networks?

I read about another user on Reddit who is dealing with the same issue as mine. Anyway, I've never complained about OPNsense, but I have already run across a couple of problems with the last version.
December 07, 2025, 09:25:44 AM #12
The release notes for 25.7.8 have an important note:

https://forum.opnsense.org/index.php?topic=49869.0

QuoteThe Unbound blocklists feature formerly known as a business feature is
now a community feature.  Since this required merging both the existing
community one with the business one you need to make sure to reapply the
blocklist settings after the reboot since it will not generate a new and
possibly incompatible format.  Make sure to check your automatically
migrated settings while at it.

Maybe this is it?
December 07, 2025, 04:08:02 PM #13
Quote from: OPNenthu on December 07, 2025, 09:25:44 AMThe release notes for 25.7.8 have an important note:

https://forum.opnsense.org/index.php?topic=49869.0

QuoteThe Unbound blocklists feature formerly known as a business feature is
now a community feature.  Since this required merging both the existing
community one with the business one you need to make sure to reapply the
blocklist settings after the reboot since it will not generate a new and
possibly incompatible format.  Make sure to check your automatically
migrated settings while at it.

Maybe this is it?

My blocklist is disabled at the moment, if I got what you mean.
Thanks
Print
Go Up Pages1
User actions