How to dump dnsmasq and activate unbound without breaking anything?
-
Definitely not urgent to do so, dnsmasq will continue to work just as it always has. You can change it if you want, how to do so depends on what you have configured in dnsmasq.
Losing DNS in the process of changing it is no big deal as long as you have a way in that will continue to function if the site has no DNS (which should be fine with any VPN or direct access to firewall, but maybe not if you're remoting in via Logmein or something like that and aren't quick enough getting DNS working again).
-
Using VPN and distant laptop accessing LAN IP of pfsense same as I would on the LAN if I were there.
Cool - So that answers half my question. Good. Thanks.
Next. What should I know about unbound before I switch? Nothing difficult or complex?
-
Next. What should I know about unbound before I switch? Nothing difficult or complex?
IIRC I had to add an ACL to allow recursive queries from my local and VPN subnets, but otherwise the defaults should get you going in no time.
-
I disabled the forwarder and enabled the resolver (unbound) without any fuss over vpn.
Still a few questions - Not quite sure what exactly unbound is doing at this point. (Everything is working, just want to get this using only root servers for both ipv4 and ipv6)
Resolver is enabled - DNSSEC is enabled - Register DHCP leases in the DNS Resolver is enabled - Register DHCP static mappings in the DNS Resolver is enabled
Everything else is left at defaults.
Now, how is that working with system > General setup ???
Where under DNS servers I have 2 ipv4 servers and 2 ipv6 servers listed? Should these be removed? Are they getting used at all? Are they overriding the normal/optimal function of unbound with DNSSEC and root servers?
Currently Allow DNS server list to be overridden by DHCP/PPP on WAN is also checked. I'm assuming that optimally I should uncheck this? But I will ask anyway. How is this functioning with unbound?
Lastly, I need to do nothing at all to get unbound with dnssec working directly with root servers? Just turn it on and its working on pfsense?
Thanks
-
OK - So I tested DNSSEC and my resolver does appear to be validating DNSSEC, which is good I guess.
Tested it here
http://dnssec.vs.uni-due.de/
One test with all my traffic being VPN to the USA via pfsense running DNS Resolver (unbound) and one with a linux machine running straight to local ISP.
Local failed (expected behavior)
pfsense VPN machine passes (expected behavior)So, thats good.
When I read about unbound in the pfsense manuals and the how to for 2.2, I was left with the impression that if I didn't enable forwarders that somehow root DNS servers would automagically be used, but later after getting no further repplies on the forum, I removed my list of DNS server IPs from the general setup section of pfsense and at that point pfsense stopped resolving.
So, it seems then that I must have DNS servers listed in general setup or have the "Allow DNS server list to be overridden by DHCP/PPP on WAN" checked.
Is this correct because it seems so? (This was the case using dnsmasq also)
If so, what was all the talk about "root servers" about in default config if I still have to use servers I put in in the general setting? (not complaining - just asking)
-
Did you enable forwarding mode in Unbound? To use recursive mode in Unbound, that needs to be disabled.
-
No - It is disabled.
https://doc.pfsense.org/index.php/Unbound_DNS_Resolver
Enable DNSSEC Support: Uses DNSSEC to validate DNS queries. Be aware that it is recommended to disable forwarding and allow Unbound to handle all DNS resolution via root servers, which is the default behavior.
Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations.
Basically I was fully expecting pfsense to resolve without that list of IPs in General setting.
However as soon as I removed those IPs, the pfsense update status said "can not obtain update status" and soon as I put the IPs back, that cleared up.
So yeah - A tiny bit confused there.
-
I currently have no DNS servers listed in my General Tab and the checkbox is ticked to "Not use the localhost"… But I have the same questions as you... As I am not 100% sure if its needed or not... But like I said, its working on my 2.2 box without them being listed.
What interfaces did you select in Unbound...
Network Interfaces - Lan and Localhost
Outgoing - WAN
DNS Query Forwarding - Unchecked.Do you have Snort/Suricata running on this box.. There are some alerts that need to be disabled for it to work also...
-
Network Interfaces - All
Outgoing - All
DNS Query Forwarding - Unchecked.Under General Setup, "Do not use the DNS Forwarder as a DNS server for the firewall" isn't checked (Which is the default I believe)
My wan is IPv4 and ipv6 interface is a HE IPV6 tunnel.
-
Try to change the Interfaces to what I show in my post… The Unbound Service is running correct?
-
Ok, So I removed all the DNS server IP addresses under general settings again and this time I also checked the "Do not use the DNS Forwarder as a DNS server for the firewall", and at least initially, this now seems to be working as I expected it to.
Seems abit odd that I'd need to uncheck a default setting to get unbound to work with what should be a default unbound setup in 2.2?
I will reboot pfsense, do a ipconfig /flushdns on a windows box running locally on that network and post back here the result.
-
Seems to be working - Guess ticking that box is required.
Thanks BBcan177 for the pointers - I'm still interested in hearing what the other people who are very smart about unbound have to say or any tips.
Also interested in tips on the Advanced tab and non-default settings.
-
For anyone else who might be doing this, I had to also go in and delete dnsmasq from my service watchdog list and add unbound.
It was throwing lots and lots of log entries.So, I've rebooted my pfsense a few times now and the windows machines on that LAN.
The windows machines are set up to get IP and DNS server automatically from pfsense.
I expected to see a pfsense address for IPV4 and/or IPV6 come up when I type nslookup into windows cmd console.
Not what is happening though. I am getting google IPv6 DNS server as the primary DNS for all the windows machines on the LAN.
Why? This is definitely not configured on pfsense now.
I have issued ipconfig -release / renew and still same.
-
And I also noticed that with no DNS configured in general setting that when I go to Diagnostics: Execute command and do drill google.com, it doesn't work.
My pfsense is working and all the computers have DNS as does my VPN, but without a dns server entered in geneeral settings that command wont work in pfsense.
So, I'm just asking how much of this is normal?