Netgate Discussion Forum

UnBound + OpenDNS nxdomain

2.0-RC Snapshot Feedback and Problems - RETIRED
  • G
    geeknik
    last edited by Jan 20, 2011, 3:42 PM

    I have a question about UnBound DNS.

    I have dnsmasq disabled, OpenDNS is in System: General setup.  Normal DNS lookups work fine, I see Borat as well, but if I ping a non-existent hostname, I'm getting results like this:

    64 bytes from hit-nxdomain.opendns.com (67.215.65.132): icmp_req=1 ttl=55 time=16.7 ms

    Obviously UnBound isn't working 100%, so what can I do to fix this?  Is it because I'm MultiWAN or…?

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jan 20, 2011, 3:50 PM

      I split this post off into its own thread, as it was a new unrelated question.

      OpenDNS is not returning an nxdomain response for a non-existent domain, it returns one of their servers so you land on a "friendly" page (with ads) that says the domain doesn't exist when you try it in a browser.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • G
        geeknik
        last edited by Jan 20, 2011, 4:07 PM

        Sorry about where I posted the question. However, why would OpenDNS be responding if I have UnBound enabled? Shouldn't the router be ignoring the OpenDNS settings I have? In the DHCP server, I have the IP of the router being sent out for the DNS server, not the OpenDNS IPs.

        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Jan 20, 2011, 4:20 PM

          It depends on how you have Unbound setup. IIRC it can work either way, either using your configured DNS servers as forwarders, or it can talk directly to the root servers.

          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Jan 20, 2011, 4:23 PM

            you want to make sure you uncheck the forwarder mode – see attached image

            uncheckthis.jpg

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • J
              jlepthien
              last edited by Jan 20, 2011, 7:29 PM

              Also note that DNSSEC is not working with OpenDNS. They go with DNSCurve….

              | apple fanboy | music lover | network and security specialist | in love with cisco systems |

              • G
                geeknik
                last edited by Jan 20, 2011, 8:46 PM

                I don't have forwarder mode enabled. Which is why I'm confused why it's still forwarding.

                • W
                  wagonza
                  last edited by Jan 20, 2011, 9:02 PM

                  @geeknik:

                  I have a question about UnBound DNS.

                  I have dnsmasq disabled, OpenDNS is in System: General setup.  Normal DNS lookups work fine, I see Borat as well, but if I ping a non-existent hostname, I'm getting results like this:

                  64 bytes from hit-nxdomain.opendns.com (67.215.65.132): icmp_req=1 ttl=55 time=16.7 ms

                  Obviously UnBound isn't working 100%, so what can I do to fix this?  Is it because I'm MultiWAN or…?

                  Where are you pinging from, pfSense or your desktop? If it is the latter, ensure that pfSense is definitely your DNS server. If it is the former, then log onto your machine via ssh/console and execute 'unbound-control forward'.

                  You should see something like this

                  
                  # unbound-control forward
                  off (using root hints)
                  #
                  
                  

                  Follow me on twitter http://twitter.com/wagonza
                  http://www.thepackethub.co.za

                  • G
                    geeknik
                    last edited by Jan 22, 2011, 7:32 PM Jan 22, 2011, 7:19 PM

                    Pinging from my desktop machines, which are assigned everything via DHCP. The DHCP server is giving out the OpenDNS IPs and not the pfSense IP for DNS. And I ran that command, forwarding is off.

                    Unbound keeps dying though. And when it goes, the whole web gui for pfsense quits responding. Restarting the gui through SSH doesn't do anything. I have to reboot the entire machine and 50% of the time when it comes back up, Unbound isn't even listed as installed and DNSMasq is re-enabled.

                    • M
                      mromero
                      last edited by Jan 22, 2011, 10:28 PM

                      What build are you using?

                      Added to the mess with the lockups on this week's builds I am afraid to try out any new snapshot  :P

                      @geeknik:

                      Pinging from my desktop machines, which are assigned everything via DHCP. The DHCP server is giving out the OpenDNS IPs and not the pfSense IP for DNS. And I ran that command, forwarding is off.

                      Unbound keeps dying though. And when it goes, the whole web gui for pfsense quits responding. Restarting the gui through SSH doesn't do anything. I have to reboot the entire machine and 50% of the time when it comes back up, Unbound isn't even listed as installed and DNSMasq is re-enabled.

                      • J
                        jimp Rebel Alliance Developer Netgate
                        last edited by Jan 22, 2011, 10:42 PM

                        @geeknik:

                        The DHCP server is giving out the OpenDNS IPs and not the pfSense IP for DNS.

                        There's your problem, your local clients aren't using Unbound to resolve, they're using OpenDNS.

                        Have your DHCP server hand out the router's IP for DNS (just leave that part blank) and you will probably get the results you're after.

                        • G
                          geeknik
                          last edited by Jan 22, 2011, 10:45 PM

                          @mromero:

                          What build are you using?

                          Added to the mess with the lockups on this week's builds I am afraid to try out any new snapshot  :P

                          Tried every build this week. =)

                          @jimp:

                          @geeknik:

                          The DHCP server is giving out the OpenDNS IPs and not the pfSense IP for DNS.

                          There's your problem, your local clients aren't using Unbound to resolve, they're using OpenDNS.

                          Have your DHCP server hand out the router's IP for DNS (just leave that part blank) and you will probably get the results you're after.

                          It has been blank. I even tried telling the DHCP server to hand out 10.0.0.254, but that didn't seem to do anything. I think when the RC comes out I will wipe this machine and do a fresh install and start over. I've been upgrading builds over builds for a few months now, something is gumming up the works. ;)

                          • J
                            jlepthien
                            last edited by Jan 22, 2011, 10:46 PM

                            @jimp:

                            @geeknik:

                            The DHCP server is giving out the OpenDNS IPs and not the pfSense IP for DNS.

                            There's your problem, your local clients aren't using Unbound to resolve, they're using OpenDNS.

                            Have your DHCP server hand out the router's IP for DNS (just leave that part blank) and you will probably get the results you're after.

                            He has to set the router ip explicitly otherwise he's getting the regular dns servers from General settings. Had this problem in the beginning, too. (when using Unbound)

                            • J
                              jimp Rebel Alliance Developer Netgate
                              last edited by Jan 22, 2011, 10:47 PM

                              If you hardcode it, it should work, though I bet because the DNS Forwarder setting is off, blank in the DHCP server defaults to giving out the system assigned IPs. Not sure how Unbound works around that (if it does).

                              • J
                                jimp Rebel Alliance Developer Netgate
                                last edited by Jan 22, 2011, 10:49 PM

                                @jlepthien:

                                He has to set the router ip explicitly otherwise he's getting the regular dns servers from General settings. Had this problem in the beginning, too. (when using Unbound)

                                I realized that right after I hit submit :-)

                                • J
                                  jlepthien
                                  last edited by Jan 22, 2011, 10:52 PM

                                  @jimp:

                                  @jlepthien:

                                  He has to set the router ip explicitly otherwise he's getting the regular dns servers from General settings. Had this problem in the beginning, too. (when using Unbound)

                                  I realized that right after I hit submit :-)

                                  Hehe ;)

                                  • W
                                    wagonza
                                    last edited by Jan 24, 2011, 8:25 AM

                                    @geeknik:

                                    Pinging from my desktop machines, which are assigned everything via DHCP. The DHCP server is giving out the OpenDNS IPs and not the pfSense IP for DNS. And I ran that command, forwarding is off.

                                    I need to update http://doc.pfsense.org/index.php/Unbound_package to reflect that one needs to add the pfSense IP to the DHCP DNS Server settings. Otherwise currently pfSense dishes out the DNS Servers defined in General.

                                    @geeknik:

                                    Unbound keeps dying though. And when it goes, the whole web gui for pfsense quits responding. Restarting the gui through SSH doesn't do anything. I have to reboot the entire machine and 50% of the time when it comes back up, Unbound isn't even listed as installed and DNSMasq is re-enabled.

                                    What do /var/log/unbound.log and /var/log/system.log say? It sounds like your config gets rolled back due to a problem, which is why DNSMasq is re-enabled and unbound is not listed as installed. /var/log/system.log should give more info on this problem.

                                    Follow me on twitter http://twitter.com/wagonza
                                    http://www.thepackethub.co.za
