DNS: Plain Unbound works, Quad9 almost...
-
Hi,
I have a dream... Which is to have two working configurations for DNS through pfSense. Those two are
- Unbound Resolver with quad9 through TLS
- Unbound Resolver with no forwarder
I have this webmail which, together with Netflix, is not resolving correctly using Quad9 lately. It's surely an issue on my end as they work fine using Unbound with no upstream DNS. I have been at it back and forth, and started from scratch (DNS-wise), but I always end up with not getting Quad9 to fully resolve everything. Digging in the logs, I found it to complain about DNSSEC, which I had disabled (was accepted before), but no matter what it keeps complaining. If it is disabled, how come it will still nag about it? I have tried reloading, even restarting pfSense.
Unbound Resolver
This seems to work the best. Simple config:
- Removed all DNS under General / Settings
- Enabled DNSSEC / Hardening DNSSEC (on advanced page)
- Disabled forwarding
- Disabled option for TLS for forwarding requests
- Disable Strict Query Name Minimization
- FW rules that point to pfSense from all relevant networks
Quad9
Here I see issues with not being able to resolve the webmail, or more accurately, after having logged on, it cannot redirect, so fails with a stupid "site not found".
Config:
- Set default Quad9 IPs & DNS names under General / Settings
- Enabled forwarding mode
- Enabled option for TLS for forwarding requests
I may have missed something, but should be most of it. Please comment if you have thoughts or ideas.
Thanks
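Added example, not from this thread or from pfSense itself: the two setups listed above written out as hand-made unbound.conf files, with DNSSEC validation left off in the forwarding one, as later replies in this thread recommend. The LAN range, the file paths and the dns.quad9.net TLS auth name are assumptions.

```conf
# === unbound.conf (A): plain resolver, no forwarder ===
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow          # assumed LAN range
    do-ip6: no                                    # no IPv6 on this WAN, so do not use it
    # DNSSEC on: validator module + root trust anchor (path assumed)
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"
    harden-dnssec-stripped: yes                   # "Hardening DNSSEC" on the advanced page
    qname-minimisation: yes
    qname-minimisation-strict: no                 # "Strict Query Name Minimization" off
    prefetch: yes
    prefetch-key: yes

# === unbound.conf (B): forward everything to Quad9 over TLS ===
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow          # assumed LAN range
    do-ip6: no
    # DNSSEC off: no validator module, so Unbound never complains about
    # signatures it cannot check itself; Quad9 validates upstream.
    module-config: "iterator"
    # CA bundle used to verify the DoT certificate (path assumed)
    tls-cert-bundle: "/etc/ssl/cert.pem"
    qname-minimisation-strict: no
    prefetch: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes                     # "Use SSL/TLS for outgoing DNS queries"
    forward-addr: 9.9.9.9@853#dns.quad9.net       # port 853, cert checked against this name
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

A quick way to see which file is in effect is `unbound-checkconf` against it before reloading; the `module-config` line is the single difference that decides whether Unbound validates or trusts the forwarder.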
-
@furom if forwarding, disable DNSSEC. 23.01 seems to have more issues I didn’t see in prior versions.
https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
-
@steveits said in DNS: Plain Unbound works, Quad9 almost...:
@furom if forwarding, disable DNSSEC. 23.01 seems to have more issues I didn’t see in prior versions.
https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
Thanks, yes, I tried that, but as mentioned, it kept nagging about it in the log. Not sure that was the cause of why sites fail to resolve fully though. Both sites work partially using Quad9, and I know the webmail wants to redirect; it may be the same for Netflix...?
-
@furom I did forget to disable
Strict Query Name Minimization
when not using the forwarder... Editing above. Still haven't gotten the other one to work well again...
-
@furom I don’t have a great answer…have seen multiple threads about DNS in 23.01 but I’ve had no issues forwarding to Quad9 after disabling DNSSEC. Which we had enabled on several routers in 22.05 and earlier. Maybe the new unbound is more sensitive?
-
@furom Switch to Cloudflare DNS, no DNSSEC, TLS enabled.
Or Quad9 no DNSSEC, no TLS.
We are testing Quad9, no DNSSEC, TLS, both pre-fetch options on.
-
If you want a Quad9 equivalent on Cloudflare use these instead of 1.1.1.1
1.1.1.2
1.0.0.2
security.cloudflare-dns.com
-
@steveits said in DNS: Plain Unbound works, Quad9 almost...:
@furom I don’t have a great answer…have seen multiple threads about DNS in 23.01 but I’ve had no issues forwarding to Quad9 after disabling DNSSEC. Which we had enabled on several routers in 22.05 and earlier. Maybe the new unbound is more sensitive?
I think you may be right. Perhaps it was tolerating what was restored from backup, but reconfiguring may be something else... Anyways, with the last edit I got it to work well with no forwarders at least. The only minor issue I had was forgetting to turn on the FW rules before deactivating the NAT rule I had in place... lol. So a little bummed for a few minutes (while Netflix was running great, almost all else lacked DNS) until I thought of trying the console... And it totally saved the day! Overall I am soooo happy with pfSense/Netgate!!
-
@cylosoft said in DNS: Plain Unbound works, Quad9 almost...:
If you want a Quad9 equivalent on Cloudflare use these instead of 1.1.1.1
1.1.1.2
1.0.0.2
security.cloudflare-dns.com
Thanks! I will give that a go as well to see if it behaves differently :)
-
@steveits said in DNS: Plain Unbound works, Quad9 almost...:
https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
Something in this blog caught my eye
If your network does not have IPv6, which you can test here, then IPv6 addresses should not be added, as it may result in a percentage of your DNS requests failing.
Whilst I don't have IPv6 or the address listed, this did trigger me to go into pfSense / System / Advanced / Networking and uncheck Allow IPv6.
I am getting some queries dropped from Windows devices seemingly at random; restarting unbound can sometimes help.
-
@jasonau said in DNS: Plain Unbound works, Quad9 almost...:
@steveits said in DNS: Plain Unbound works, Quad9 almost...:
https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
Something in this blog caught my eye
If your network does not have IPv6, which you can test here, then IPv6 addresses should not be added, as it may result in a percentage of your DNS requests failing.
Whilst I don't have IPv6 or the address listed, this did trigger me to go into pfSense / System / Advanced / Networking and uncheck Allow IPv6.
I am getting some queries dropped from Windows devices seemingly at random; restarting unbound can sometimes help.
Thanks for trying! Unfortunately no IPv6 involved. Lookups to the destinations work; what is failing is their redirects to the target after logging in.
-
@furom said in DNS: Plain Unbound works, Quad9 almost...:
Unbound Resolver with quad9 through TLS
Unbound Resolver with no forwarder
I've been using the resolver as a resolver for .... 10 years or so.
Never had an issue.
Just for the fun, I'm forwarding to 1.1.1.1 and 2606:4700:4700::1111 (as I use IPv6, and IPv4 for the old stuff), and, because why not, over TLS using port 853.
No issues either.
Btw: 1.1.1.1 (or 8.8.8.8 or 9.9.9.69) are all resolvers.
What they can do, so can unbound, pfSense's resolver.
-