How to dump dnsmasq and activate unbound without breaking anything?
-
OK - So I tested DNSSEC and my resolver does appear to be validating DNSSEC, which is good I guess.
Tested it here
http://dnssec.vs.uni-due.de/
One test with all my traffic being VPN to the USA via pfsense running DNS Resolver (unbound) and one with a linux machine running straight to local ISP.
Local failed (expected behavior)
pfsense VPN machine passes (expected behavior)So, thats good.
When I read about unbound in the pfsense manuals and the how to for 2.2, I was left with the impression that if I didn't enable forwarders that somehow root DNS servers would automagically be used, but later after getting no further repplies on the forum, I removed my list of DNS server IPs from the general setup section of pfsense and at that point pfsense stopped resolving.
So, it seems then that I must have DNS servers listed in general setup or have the "Allow DNS server list to be overridden by DHCP/PPP on WAN" checked.
Is this correct because it seems so? (This was the case using dnsmasq also)
If so, what was all the talk about "root servers" about in default config if I still have to use servers I put in in the general setting? (not complaining - just asking)
-
Did you enable forwarding mode in Unbound? To use recursive mode in Unbound, that needs to be disabled.
-
No - It is disabled.
https://doc.pfsense.org/index.php/Unbound_DNS_Resolver
Enable DNSSEC Support: Uses DNSSEC to validate DNS queries. Be aware that it is recommended to disable forwarding and allow Unbound to handle all DNS resolution via root servers, which is the default behavior.
Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations.
Basically I was fully expecting pfsense to resolve without that list of IPs in General setting.
However as soon as I removed those IPs, the pfsense update status said "can not obtain update status" and soon as I put the IPs back, that cleared up.
So yeah - A tiny bit confused there.
-
I currently have no DNS servers listed in my General Tab and the checkbox is ticked to "Not use the localhost"… But I have the same questions as you... As I am not 100% sure if its needed or not... But like I said, its working on my 2.2 box without them being listed.
What interfaces did you select in Unbound...
Network Interfaces - Lan and Localhost
Outgoing - WAN
DNS Query Forwarding - Unchecked.Do you have Snort/Suricata running on this box.. There are some alerts that need to be disabled for it to work also...
-
Network Interfaces - All
Outgoing - All
DNS Query Forwarding - Unchecked.Under General Setup, "Do not use the DNS Forwarder as a DNS server for the firewall" isn't checked (Which is the default I believe)
My wan is IPv4 and ipv6 interface is a HE IPV6 tunnel.
-
Try to change the Interfaces to what I show in my post… The Unbound Service is running correct?
-
Ok, So I removed all the DNS server IP addresses under general settings again and this time I also checked the "Do not use the DNS Forwarder as a DNS server for the firewall", and at least initially, this now seems to be working as I expected it to.
Seems abit odd that I'd need to uncheck a default setting to get unbound to work with what should be a default unbound setup in 2.2?
I will reboot pfsense, do a ipconfig /flushdns on a windows box running locally on that network and post back here the result.
-
Seems to be working - Guess ticking that box is required.
Thanks BBcan177 for the pointers - I'm still interested in hearing what the other people who are very smart about unbound have to say or any tips.
Also interested in tips on the Advanced tab and non-default settings.
-
For anyone else who might be doing this, I had to also go in and delete dnsmasq from my service watchdog list and add unbound.
It was throwing lots and lots of log entries.So, I've rebooted my pfsense a few times now and the windows machines on that LAN.
The windows machines are set up to get IP and DNS server automatically from pfsense.
I expected to see a pfsense address for IPV4 and/or IPV6 come up when I type nslookup into windows cmd console.
Not what is happening though. I am getting google IPv6 DNS server as the primary DNS for all the windows machines on the LAN.
Why? This is definitely not configured on pfsense now.
I have issued ipconfig -release / renew and still same.
-
And I also noticed that with no DNS configured in general setting that when I go to Diagnostics: Execute command and do drill google.com, it doesn't work.
My pfsense is working and all the computers have DNS as does my VPN, but without a dns server entered in geneeral settings that command wont work in pfsense.
So, I'm just asking how much of this is normal?
