Netgate Discussion Forum
    How to dump dnsmasq and activate unbound without breaking anything?

    DHCP and DNS | 15 Posts, 4 Posters, 5.7k Views
    kejianshi:

      OK - So I tested DNSSEC and my resolver does appear to be validating DNSSEC, which is good I guess.

      Tested it here

      http://dnssec.vs.uni-due.de/

      One test with all my traffic being VPN to the USA via pfsense running DNS Resolver (unbound) and one with a linux machine running straight to local ISP.
      Local failed (expected behavior)
      pfsense VPN machine passes (expected behavior)

      So, that's good.

      When I read about unbound in the pfsense manuals and the how to for 2.2, I was left with the impression that if I didn't enable forwarders that somehow root DNS servers would automagically be used, but later after getting no further replies on the forum, I removed my list of DNS server IPs from the general setup section of pfsense and at that point pfsense stopped resolving.

      So, it seems then that I must have DNS servers listed in general setup or have the "Allow DNS server list to be overridden by DHCP/PPP on WAN" checked.

      Is this correct because it seems so?  (This was the case using dnsmasq also)

      If so, what was all the talk about "root servers" about in default config if I still have to use servers I put in in the general setting?  (not complaining - just asking)

      BBcan177 (Moderator):

        Did you enable forwarding mode in Unbound? To use recursive mode in Unbound, that needs to be disabled.

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        kejianshi:

          No - It is disabled.

          https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

          Enable DNSSEC Support: Uses DNSSEC to validate DNS queries. Be aware that it is recommended to disable forwarding and allow Unbound to handle all DNS resolution via root servers, which is the default behavior.

          Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations.

          Basically I was fully expecting pfsense to resolve without that list of IPs in General setting.

          However as soon as I removed those IPs, the pfsense update status said "can not obtain update status" and soon as I put the IPs back, that cleared up.

          So yeah - A tiny bit confused there.

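The two Unbound modes the documentation quoted above describes map directly onto unbound.conf: recursive mode has no forward-zone for ".", forwarding mode has one whose forward-addr entries come from System > General or DHCP, and DNSSEC validation is the trust-anchor file. As an added example (not from this thread or from pfSense itself), this script parses a constructed pfSense-style unbound.conf and reports which mode it is in, whether DNSSEC is on, and the two combinations a defender would want flagged. The file path and addresses in the samples are assumptions.

```python
import re

# Constructed samples modelled on a pfSense-style unbound.conf (not real files).
SAMPLE_RECURSIVE = """\
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    outgoing-interface: 203.0.113.2
    auto-trust-anchor-file: /var/unbound/root.key   # DNSSEC validation on
"""
SAMPLE_FORWARDING = SAMPLE_RECURSIVE + """\
forward-zone:
    name: "."
    forward-addr: 198.51.100.53
    forward-addr: 2001:db8::53
"""

def parse_sections(text):
    """Split an unbound.conf into [(section_name, [(key, value), ...]), ...]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace() and re.fullmatch(r"[\w-]+:", line):
            sections.append((line[:-1], []))         # "server:", "forward-zone:"
        elif sections:
            key, _, value = line.strip().partition(":")
            sections[-1][1].append((key, value.strip().strip('"')))
    return sections

def assess(text):
    """Map the config onto the GUI options: forwarding vs recursive, DNSSEC."""
    sections = parse_sections(text)
    server = dict(kv for name, kvs in sections if name == "server" for kv in kvs)
    root_zones = [kvs for name, kvs in sections
                  if name == "forward-zone" and ("name", ".") in kvs]
    forwarders = [v for kvs in root_zones for k, v in kvs if k == "forward-addr"]
    dnssec = any(k in server for k in ("auto-trust-anchor-file", "trust-anchor-file"))
    warnings = []
    if root_zones and not forwarders:
        warnings.append("forwarding mode but no upstream servers: nothing will resolve")
    if forwarders and dnssec:
        warnings.append("forwarding with DNSSEC: upstream servers must support DNSSEC")
    return {"mode": "forwarding" if root_zones else "recursive",
            "dnssec": dnssec, "forwarders": forwarders, "warnings": warnings}

if __name__ == "__main__":
    for label, cfg in (("recursive", SAMPLE_RECURSIVE), ("forwarding", SAMPLE_FORWARDING)):
        print(label, assess(cfg))
```

On a pfSense box the same check can be run against the generated /var/unbound/unbound.conf after toggling "Enable Forwarding Mode", which makes the GUI-to-config mapping visible.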
          BBcan177 (Moderator):

            I currently have no DNS servers listed in my General Tab and the checkbox is ticked to "Not use the localhost"... But I have the same questions as you... As I am not 100% sure if it's needed or not... But like I said, it's working on my 2.2 box without them being listed.

            What interfaces did you select in Unbound...

            Network Interfaces  - Lan and Localhost
            Outgoing - WAN
            DNS Query Forwarding - Unchecked.

            Do you have Snort/Suricata running on this box.. There are some alerts that need to be disabled for it to work also...


            kejianshi:

              Network Interfaces  - All
              Outgoing - All
              DNS Query Forwarding - Unchecked.

              Under General Setup,  "Do not use the DNS Forwarder as a DNS server for the firewall" isn't checked (Which is the default I believe)

              My wan is IPv4 and ipv6 interface is a HE IPV6 tunnel.

              BBcan177 (Moderator):

                Try to change the Interfaces to what I show in my post... The Unbound Service is running correct?


                kejianshi:

                  Ok, So I removed all the DNS server IP addresses under general settings again and this time I also checked the "Do not use the DNS Forwarder as a DNS server for the firewall", and at least initially, this now seems to be working as I expected it to.

                  Seems a bit odd that I'd need to uncheck a default setting to get unbound to work with what should be a default unbound setup in 2.2?

                  I will reboot pfsense, do an ipconfig /flushdns on a windows box running locally on that network and post back here the result.

                  kejianshi:

                    Seems to be working - Guess ticking that box is required.

                    Thanks BBcan177 for the pointers - I'm still interested in hearing what the other people who are very smart about unbound have to say or any tips.

                    Also interested in tips on the Advanced tab and non-default settings.

                    kejianshi:

                      For anyone else who might be doing this, I had to also go in and delete dnsmasq from my service watchdog list and add unbound.
                      It was throwing lots and lots of log entries.

                      So, I've rebooted my pfsense a few times now and the windows machines on that LAN.

                      The windows machines are set up to get IP and DNS server automatically from pfsense.

                      I expected to see a pfsense address for IPV4 and/or IPV6 come up when I type nslookup into windows cmd console.

                      Not what is happening though.  I am getting google IPv6 DNS server as the primary DNS for all the windows machines on the LAN.

                      Why?  This is definitely not configured on pfsense now.

                      I have issued ipconfig -release / renew and still same.

                      kejianshi:

                        And I also noticed that with no DNS configured in general setting that when I go to Diagnostics: Execute command and do drill google.com, it doesn't work.

                        My pfsense is working and all the computers have DNS as does my VPN, but without a dns server entered in general settings that command won't work in pfsense.

                        So, I'm just asking how much of this is normal?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.