DNS question: How to use DNS other than the one the ISP specifies in its DHCP?

[comet]

The problem is simple, the ISP's DNS sucks.  Quite often it will simply stop resolving certain addresses for a few hours, for no specific reason.

As a workaround, for now I'd like to use Google's DNS servers.  I see that under System: Settings: General, under "DNS servers" there is a place where you can specify up to five DNS servers, but I'm not quite clear on how that's used.  There is a dropdown next to each DNS server field under "Use gateway" and the choices are "NONE" or "WAN_DHCP - wan - (wan IP address)" - which should I use?

Then at the bottom there are two options, "Allow DNS server list to be overridden by DHCP/PPP on WAN" which is currently checked, and "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" which is currently not checked - would I need to change either of those?

And also, by default when I set this up, under Services: Unbound DNS: General, "Enable DNS Resolver" is checked, and the only other thing checked on that page is "Enable DNSSEC Support" (I honestly don't remember if that was checked by default, or if I checked it for some reason).  Other that that all the Unbound DNS settings are the defaults, except that under Services: Unbound DNS: Access Lists it shows the local network and says "From General settings" but I have no idea where that is coming from.  If you click the pencil in that section it takes you back to Services: Unbound DNS: General but still I see nothing there about Access Lists.  But putting all that aside for a moment, is there anything at all that would need to be changed in the Unbound DNS settings so that I could use Google's DNS rather than my ISP's?

I'm not trying to do anything fancy here at the moment, just substitute Google's DNS service for the one my ISP (actually my cable modem) hands out via DHCP.  Seems like it should be simple, but I have searched and searched and I can't find a page that explains how to do this simple task correctly.

[Oxygen61]

The problem with any ISP DNS is the interception/redirection/hijacking of your DNS queries.
Google DNS is "ok" but not the best solution if you really want performance and high availability for your DNS-Client queries.

I will rephrase your question so that it works the best for you Sorry, not sorry.

How do i configure DNS Unbound to use the local Unbound cache and ask root-DNS-Servers only, while at the same time make sure the queries send out to these servers, are all legit and can be trusted using DNSSEC?

Glad you asked.

--> Services: Unbound DNS: General
1. make sure it's enabled (obviously...)
2. [X] Enable DNSSEC Support
3. [ ] Enable Forwarding Mode <-- Do NOT activate this box or Unbound will start forwarding all DNS Traffic to the upstream DNS-Servers configured in [System: Settings: General] and you do not want this to happen.
4. [X] Register DHCP leases in the DNS Resolver <--- makes sure that you can lookup your local hosts
5. [X] Register DHCP static mappings in the DNS Resolver <--- makes sure that you can lookup your local hosts
6. You can change the advanced settings if you want to harden DNSSEC, but sometimes it breaks the lookup, so trial and error these settings if you feel like it and leave ALL other options on default settings.

--> System: Settings: General
1. DNS servers <-- these Servers you put in here are not used, aslong as Unbound is not working in Forwarding Mode, so just leave it as default, since we are using the "Resolver" Option for Unbound. Just for the record, if you are not doing any Multi-WAN fancy stuff, just for your own sanity leave "use gateway" on "none". In our Unbound Resolving configuration they are not used anyway.
2. [ ] Allow DNS server list to be overridden by DHCP/PPP on WAN <-- no tick, because you don't want your ISP to override any configuration you do on your OPNsense.
3. [ ] Do not use the DNS Forwarder/Resolver as a DNS server for the firewall <-- this should not be ticked, so that OPNsense is able to use it's local cache for lookups.

Thats it. I may overlooked something, but thats it for unbound on OPNsense.
Additionally the only Firewall Rule you need is the one that allows LAN Clients to reach OPNsense on Port 53 in there specific subnet. That should be it for DNS.

Have fun.

Best regards,
Oxy

How Unbound works: https://calomel.org/unbound_dns.html

[EDIT]

@[Services: Unbound DNS: Access Lists] All the internal configured ACL's are automatically configured for all the Subnets/Interfaces, unbound is configured to listen to under
[Services: Unbound DNS: General] ---> "Network Interfaces".

Quick note here: If you are not planning on using DNSmasq[Forwarder] and Unbound[Resolver] at the SAME time, you probably should leave this setting on "All". Otherwise you may end up with Interfaces/subnets not being able to send DNS lookup queries to your Firewall.

[comet]

What the... did you even read what I wrote? I was trying to find the easiest way possible to use Google's DNS, and I have no idea what you're trying to tell me how to do, but I don't even see where you'd put Google's IP addresses.

And even if I just blindly followed your directions (and I don't see how they could possibly work without specifying Google's DNS addresses), I don't at all understand your edit - is that all just supposed to be information, or is that some extra step? (EDIT: Never mind, I get now that you were trying to answer my question about the access lists.  I was so thrown by what you had written before that, that I didn't make the connection at first.  Although I still don't get your "Quick note here" - right now under Services: Unbound DNS: General the "Network Interfaces" dropdown is set to "All" but now I am wondering if it should be set to LAN and Localhost only - why on earth would you want to provide DNS on the WAN side?).

I have a feeling like I asked someone how to get to Pittsburgh and they told me how to bake a cake!

I would really, really appreciate it if someone could answer the question I actually asked.  Bonus points if you can explain to me in plain English what Oxygen61 is trying to get me to do, and exactly why I should be doing that, or at least what I am missing here (such as where do you put the DNS server addresses, given his point #1 in the second section says "these Servers you put in here are not used" ...).

[douglasg14b]

Great reply Oxygen, some helpful information here.

@Comet, he did answer your question. It's just that the answer for your question requires a few assumptions to be made, and is more nuanced than "just click that one checkbox".

[comet]

@Comet, he did answer your question. It's just that the answer for your question requires a few assumptions to be made, and is more nuanced than "just click that one checkbox".

Why?

In most routers, if you want to specify a DNS other than your ISP's, you simply enter the address(es) in boxes such as the "DNS servers" boxes under System: Settings: General, and that would be all you'd need to do.  But for some reason, not much seems to be simple in OPNsense.  I was really hoping that in this case I might be pleasantly surprised and that it would turn out to be really easy, but you seem to be suggesting that it's so complicated that you can't even easily explain it.

I honestly don't know what assumptions you think would make a difference, but let me see if I can explain this.  I built a router using OPNsense to replace an off-the-shelf Asus router.  The Asus router did everything I wanted but they did not keep up with firmware updates, so after you've had the router for a while they'd stop supporting it with new firmware and then you'd start accumulating unpatched security vulnerabilities.  That was also true of alternative firmware (such as AsusWRT). The thing that I found attractive about OPNsense is that the software is regularly updated, and typically includes the latest security fixes, and also that it will run on better hardware than you find in a typical home router.  What I did not really expect was that things that would be easy on an off-the-shelf router would suddenly become more complicated under OPNsesnse.  For example, I had a lot of trouble getting port forwarding to work until I found out about static ports.  In a normal off-the-shelf router, that is not something you'd ever run into.

And also you should know that this is a residential router, not being used in a business and definitely not being used as a web server or anything of that nature. At one point I had thought maybe we might try using some of the advanced features of OPNsense (such as intrusion detection) but I quickly realized that setting up things like that required far more knowledge of networking than I will ever have, and that it's not something I really need anyway precisely because I'm not running a web server or any type of business here.  Unfortunately what I have come to figure out is that OPNsense really isn't intended for people like me, but since I have already invested in the hardware and since I have already got it mostly running the way I want, I kind of feel like I should stick with it.  But every now and then I find that I need to ask how to do something, and the greatest frustration I have with OPNsesne is that I can never seem to get simple answers to what in my mind should be simple questions.  And I suspect part of the reason for that is the underlying assumption that no home user (particularly one who knows next to nothing about networking) would ever install OPNsesne.  So when I ask a question, I get answers that (I think) assume that I have corporate servers on my network, or that I have a degree in networking or else I wouldn't be working at the type of company that would be using OPNsesnse.  But none of that is true in my case, I'm just a home user trying to emulate certain features common to off-the-shelf routers, in this case the ability to use DNS server(s) other than my ISP's DNS server.

So I get really frustrated when I ask a question and the response not only doesn't answer the question I asked, but launches into a discussion that seems fairly irrelevant.  I have no doubt that replies like Oxygen61's are helpful to some people, but since I don't even understand what he's trying to get me to do (only that it doesn't seem to answer the question I asked), it's not really helpful to me.  Maybe there is some reason I should try following his instructions, but without understanding what his end goal is (his goal doesn't appear to be using Google's DNS, which is what I'd asked about), I have no idea why I'd want to do that.

This is also the problem I find with OPNsense documentation - it tends to explain how to do a lot of very specialized and complicated things, but it skips right over the "normal" stuff that would be of the greatest help to a non-advanced user that's simply trying to replace their off-the-shelf router with something a little bit better.

[Maurice]

Not sure whether OPNsense is right for you, but it seems you came to the same conclusion.

But here you go:

I see that under System: Settings: General, under "DNS servers" there is a place where you can specify up to five DNS servers, but I'm not quite clear on how that's used.

Enter the Google DNS servers here.

There is a dropdown next to each DNS server field under "Use gateway" and the choices are "NONE" or "WAN_DHCP - wan - (wan IP address)" - which should I use?

Doesn't matter, you can leave the default. This is only relevant if you have a more complex network setup (multiple Internet connections, internal DNS servers etc.).

Then at the bottom there are two options, "Allow DNS server list to be overridden by DHCP/PPP on WAN" which is currently checked

Uncheck this. If checked, this will replace the Google DNS servers with your ISP's DNS servers. Which is what you don't want.

and "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" which is currently not checked

Check this. This makes OPNsense itself use Google DNS instead of its own DNS resolver (unbound).

And also, by default when I set this up, under Services: Unbound DNS: General, "Enable DNS Resolver" is checked

Uncheck this. This will disable unbound completely and Google's DNS servers will be assigned to your clients.
When it's disabled, all other unbound settings don't matter.

[comet]

Maurice, thank you very much.  This is exactly the type of reply I was hoping for in the first place.  I really appreciate it!

[Oxygen61]

Uncheck this. This will disable unbound completely and Google's DNS servers will be assigned to your clients.
When it's disabled, all other unbound settings don't matter.

If DNSmasq AND Unbound are disabled, who is going to do the forwarding to the Google DNS?

You will need to keep Unbound enabled but with this option checked:
[X] Enable Forwarding Mode
This will tell Unbound to not use the resolver "feature" but instead use the Google DNS Server configured in
[System: Settings: General] aka forwarding all requests to Google. That's why it is called "Forwarding mode".
The rest was correct @Maurice

@comet i don't feel like you really want to learn something new so i will not explain or go further into detail about the steps, since it won't matter for you anyway. Besides that you should really learn the difference between "Resolving" and "Forwarding" when talking about DNS.

@douglasg14b Thanks alot. These steps will lead to a functioning and trusted DNS configuration using the root-DNS-Servers: https://www.iana.org/domains/root/servers
Unbound is really powerful this way.

[Maurice]

If DNSmasq AND Unbound are disabled, who is going to do the forwarding to the Google DNS?

There won't be any forwarding because it's not required. If dnsmasq and unbound are disabled, the DHCP server assigns the DNS servers configured on the General page to the clients. So the clients query the Google DNS servers directly. In this scenario OPNsense is not involved in DNS at all.

[Ciprian]

@everyone but comet: don't get in an argue with comet!!! (!)

Just answer his question(s), don't assume, don't ask, don't explain!
Just! Answer! His! Questions!

Why?

The answer lies within his history of posts, topics and answers here, on this forum. If you care to check his profile, you will see comet expects nothing more then ”key, bull-eyed answers”, or else will get into an aggressive arguing; at least three quarters of his history is a continuous arguing.

[phoenix]

If DNSmasq AND Unbound are disabled, who is going to do the forwarding to the Google DNS?

There won't be any forwarding because it's not required. If dnsmasq and unbound are disabled, the DHCP server assigns the DNS servers configured on the General page to the clients. So the clients query the Google DNS servers directly. In this scenario OPNsense is not involved in DNS at all.

That assumes there's no LAN PCs/Servers that don't need DNS resolution, if it's required then a LAN DNS server is needed or have I missed something obvious?

@everyone but comet: don't get in an argue with comet!!! (!)

Just answer his question(s), don't assume, don't ask, don't explain!
Just! Answer! His! Questions!

Why?

The answer lies within his history of posts, topics and answers here, on this forum. If you care to check his profile, you will see comet expects nothing more then ”key, bull-eyed answers”, or else will get into an aggressive arguing; at least three quarters of his history is a continuous arguing.

It's a pity that he didn't phrase his (many) replies on more temperate language instead of being argumentative and patronising to those trying to help him. I stopped reading his posts a while ago.

[comet]

Well I'm surprised that this forum allows that sort of personal attack, but please allow me to respond.  I do not come here looking for an argument.  If I ask a question, it's because I'm new to this and I don't know how to do something.  Now, if I were using an off-the-shelf router and I were in a forum for such a router, and I asked what should be a simple question, they would most likely just answer the question.  If there was some quirk in that router's firmware that make it different from other routers, someone would probably explain that, or point me to a page that explains it.  But for some odd reason, in this forum it seems really difficult to get a simple answer to a simple question.  Either the answer itself is more complicated than it should be, or someone tries to answer the question you didn't ask but that they thought you should have asked (without ever explaining why), or in some cases you just don't get an answer at all.

I partly blame the design of OPNsense coupled with the lack of adequate help, either on the OPNsense settings page itself or in the Wiki.  I also think the Wiki pages that do exist ofter cover "edge cases" and not the most common situations.  I suspect this is partly because so many OPNsense users were originally PFsense users and they learned how to do this stuff in that software, but nowadays so many things are different in OPNsesnse from PFsense that their help pages and videos often don't show what you see in OPNsense.  But as it stands, OPNsense is not a beginner-friendly piece of software, at least not for those whose total previous experience with routers and networking is with the type of routers you can buy at a big box store.  Maybe everyone else that uses OPNsense has taken advanced networking classes, but I haven't.  Maybe most OPNsense users are using it in a corporate or business situation, but I'm not.  And nowhere on the OPNsense pages does it say that OPNsense is only intended for use by advanced users, though sometimes I get that sense in this forum.

The other problem is that this forum suffers the affliction of many Linux forums, in that certain advanced or long-time users seem to assume that when you ask a question you are really wanting to learn some esoteric concept rather than just get your question answered.  This almost never happens in Windows or Mac forums - if you ask a question there, usually people are helpful and will try to answer your question to the best of their ability.  But for some reason, in many Linux forums, people make the mistake of thinking that all Linux USERS also aspire to someday be Linux gurus.  They see Linux not as just an operating system, like Windows or MacOS, but also as something that people should try to study and learn, and some of those guys are also very bad at giving simple answers to straightforward questions.  If you have ever asked a question in a Linux forum and got a dismissive answer that made no sense from one of those guys, you know what I'm talking about.

What I would prefer is that this forum would work like most help forums, at least in the Windows and Mac world, where when you ask a simple question, you get a simple answer, and if there is no simple answer then at least someone would take the time to explain why.  I also wish that the help text on OPNsense pages were better (for example, when you go to set up port forwarding, it perhaps should tell you somewhere on the page that you may also need to set a static port for it to work, and point you to a page that explains how to do that).  Honestly, OPNsense is a great program, but I think that as it is now it assumes way too much in the way of prior knowledge on the part of users (particularly users with no prior experience with PFsense or any similar software).

I'm sorry if you consider my responses argumentative, but I really do get frustrated sometimes by how difficult it can be to just get a simple answer to a simple question, and by the fact that much of what you've learned from working with off-the-shelf routers just doesn't fully apply in OPNsense.  I knew there would be somewhat of a learning curve, I just didn't expect even some of the simple stuff to be so complicated.

And yeah, if I feel someone is talking down to me just to show how intelligent they are, and deliberately giving an answer that they know there is no hope I will comprehend, I am not going to respond well to that.  I am human, after all.

[phoenix]

You were given a perfectly satisfactory reply to your initial question, why do you think that anyone answering your question knows your skill level? Your answer to the initial reply could have been phrased a bit more politely and brief, you might then have got the answer you wanted. Your replies are argumentative, you attack or patronise someone that tries to help you then complain that your under 'personal attack', you need to chill out and be a bit more pleasant to those trying to help you otherwise yopu will alienate more people on these forums. If you decide to write another one of your essays in response to this post then I, for one, will not be reading or answering it.

[comet]

You were given a perfectly satisfactory reply to your initial question

NO, I really wasn't, and I don't know why you are saying that.  He answered the question he wanted to answer, which was NOT the question I asked, and he never even explained what his answer would accomplish.  And then, when he found out that I didn't have the foggiest clue as to what he was trying to do, rather than explain he simply hand-waved me away by claiming I don't want to learn.  So what did that accomplish?

Your answer to the initial reply could have been phrased a bit more politely and brief, you might then have got the answer you wanted.

Brief is not my style.  Never has been, never will be.  I think I'm genetically incapable of being brief.  As for polite, however, I very much felt like I was being talked down to in a condescending way, yet still I tried to respond by explaining what was wrong with the answer, and not attacking the person.

Your replies are argumentative, you attack or patronise someone that tries to help you then complain that your under 'personal attack', you need to chill out and be a bit more pleasant to those trying to help you otherwise yopu will alienate more people on these forums.

So, when someone is talking down to me and now in more recent messages personally attacking me, I should be a bit more pleasant?  Wow...

If you decide to write another one of your essays in response to this post then I, for one, will not be reading or answering it.

That's perfectly fine by me, you have never helped me with anything anyway.  All you have done is criticize me and my writing style, and if that's all you can do, I'd prefer you avoid reading my posts.

[comet]

I am stepping away from this thread and will not be posting anything further.  I apologize to those who did not attack me that it went the direction it did, however I just want to clarify one point.  This is what I found a little off-putting about Oxygen61's initial response:

I will rephrase your question so that it works the best for you Sorry, not sorry.

How do i configure DNS Unbound to use the local Unbound cache and ask root-DNS-Servers only, while at the same time make sure the queries send out to these servers, are all legit and can be trusted using DNSSEC?

Glad you asked.

Now to me, that came across as "I'm not going to answer the question you asked, but instead the one I think you should have asked, and I'll say 'sorry' but I'm really not."  And that might have been fine if he'd explained WHY I should have asked that question, or why he thought his answer would work best for me, or what his answer was supposed to accomplish, but he didn't.  And personally I don't think he ever intended to, he just wanted to use my post as a vehicle to demonstrate to others his superior intelligence.  I don't think it was his intent to teach something useful as much as to be just a little condescending.  And maybe he was so clever about it that no one else caught that, or maybe I took it entirely the wrong way. I don't know, but that's how it came across to me, and since I am generally not a person who suffers in silence when I think someone has insulted me in a backhanded manner, that is why I responded as I did.  Now, if Oxygen61 was genuinely trying to be helpful then I apologize profusely, but I would only point out that attempts at humor don't always come across as intended in forums such as this, and if that comment was meant to be humorous I sure didn't take it that way.  And if you are going to try to teach someone something, at least please explain what it is that you are trying to teach, and why they should want to learn it!

And that's all I have to say on the topic.  Thank you again to those who have helped me and that have posted useful information in this thread.