I've been searching the internet and trying things for a couple days now. Gotten nowhere unfortunately...

    The Issue

    I set up a new IoT VLAN recently but I can't seem to get DNS responding on it. Every time I attempt to query DNS from the VLAN I get the following in the DNS Resolver System logs.

    Aug 13 13:55:23	unbound	74958:2	notice: remote address is X.X.77.100 port 61914
    Aug 13 13:55:23	unbound	74958:2	notice: sendto failed: Invalid argument
    Aug 13 13:55:23	unbound	74958:3	notice: remote address is X.X.77.100 port 37356
    Aug 13 13:55:23	unbound	74958:3	notice: sendto failed: Invalid argument
    

    I have DNS working just fine on all other VLANs in the network no problem. The IoT VLAN is the only one with the issue.


    Troubleshooting Steps

    • Attempted with multiple different devices
    • Mirrored over firewall rules from a functional VLAN
    • Added an allow all to all rule in the IoT VLAN firewall
    • Disabled DNSSEC
    • Validated Unbound access lists
    • Disabled pfBlockerNG
    • Disabled all VPN clients and Servers within pfSense
    • Attempted pings between devices on the VLAN (successful)
    • Attempted allowing 8.8.8.8 through the firewall for clients to query for DNS; still didn't work, which makes me think it might not be an Unbound issue.

    Network Information

    Overview

    Router/Firewall: pfSense
    Wireless APs: Ubiquiti UniFi (these APs tag the traffic with the appropriate VLAN based on the SSID). These APs are how all VLAN clients connect to the network.
    Switches: TP-Link dumb switch
    Other Info:

    • The VLANs in question are all using the same physical interface (Intel)
    • There are 2 OpenVPN Servers configured, only for different VLANs
    • All clients are assigned IP address by DHCP
      • DHCP returns X.X.Y.1 as the primary DNS server, where X.X is the main network octets and Y is the sub network octet (generally matching the VLAN ID)

    Firewall

    Working VLAN Firewall:
    viki_net_firewall.PNG

    IoT VLAN Firewall:
    iot_net_firewall.PNG

    Floating Rules:
    All interfaces - Allow TCP/UDP - From * - To This Firewall - DNS(53)

    Unbound Configuration

    server:
    chroot: /var/unbound
    username: "unbound"
    directory: "/var/unbound"
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    port: 53
    verbosity: 1
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    module-config: "validator iterator"
    unwanted-reply-threshold: 0
    num-queries-per-thread: 512
    jostle-timeout: 200
    infra-host-ttl: 900
    infra-cache-numhosts: 10000
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    edns-buffer-size: 4096
    cache-max-ttl: 86400
    cache-min-ttl: 0
    harden-dnssec-stripped: yes
    msg-cache-size: 4m
    rrset-cache-size: 8m
    num-threads: 4
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    outgoing-range: 4096
    auto-trust-anchor-file: /var/unbound/root.key
    prefetch: yes
    prefetch-key: yes
    use-caps-for-id: no
    serve-expired: no
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: yes
    tls-cert-bundle: "/etc/ssl/cert.pem"
    tls-port: 853
    tls-service-pem: "/var/unbound/sslcert.crt"
    tls-service-key: "/var/unbound/sslcert.key"
    interface-automatic: no
    interface: 0.0.0.0
    interface: 0.0.0.0@853
    interface: ::0
    interface: ::0@853
    private-address: 127.0.0.0/8
    private-address: 10.0.0.0/8
    private-address: ::ffff:a00:0/104
    private-address: 172.16.0.0/12
    private-address: ::ffff:ac10:0/108
    private-address: 169.254.0.0/16
    private-address: ::ffff:a9fe:0/112
    private-address: 192.168.0.0/16
    private-address: ::ffff:c0a8:0/112
    private-address: fd00::/8
    private-address: fe80::/10
    include: /var/unbound/access_lists.conf
    include: /var/unbound/host_entries.conf
    include: /var/unbound/dhcpleases_entries.conf
    include: /var/unbound/domainoverrides.conf
    server:include: /var/unbound/pfb_dnsbl.*conf
    include: /var/unbound/remotecontrol.conf
    

    Thanks for any help you guys can give.
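Added example (not part of the original post, and not pfSense or Unbound code): a small parser for the Unbound notice lines quoted above. At verbosity 1 Unbound logs the "remote address is ..." notice and the "sendto failed: ..." notice as separate lines that share the `pid:thread` field, so the parser pairs them by thread id and then aggregates failures per client address and per /24, which is how one would confirm that only one VLAN's clients are affected. The sample log is constructed: the masked `X.X` prefix from the post is replaced with `10.0`, the first two pairs are the ones quoted in the post, and the remaining lines (a startup notice, a third client, and an unpaired failure) are invented to exercise the edge cases.

```python
import re
from collections import Counter

# Constructed sample log. "X.X" from the post is replaced with "10.0";
# lines after the first two pairs are invented for the example.
SAMPLE_LOG = (
    "Aug 13 13:55:20\tunbound\t74958:0\tnotice: init module 0: validator\n"
    "Aug 13 13:55:23\tunbound\t74958:2\tnotice: remote address is 10.0.77.100 port 61914\n"
    "Aug 13 13:55:23\tunbound\t74958:2\tnotice: sendto failed: Invalid argument\n"
    "Aug 13 13:55:23\tunbound\t74958:3\tnotice: remote address is 10.0.77.100 port 37356\n"
    "Aug 13 13:55:23\tunbound\t74958:3\tnotice: sendto failed: Invalid argument\n"
    "Aug 13 13:55:24\tunbound\t74958:1\tnotice: remote address is 10.0.77.101 port 40001\n"
    "Aug 13 13:55:24\tunbound\t74958:1\tnotice: sendto failed: Invalid argument\n"
    "Aug 13 13:55:25\tunbound\t74958:4\tnotice: sendto failed: Invalid argument\n"
)

# Syslog-style line as shown in the pfSense DNS Resolver log:
#   <timestamp> unbound <pid>:<thread> notice: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+unbound\s+"
    r"(?P<pid>\d+):(?P<tid>\d+)\s+notice:\s+(?P<msg>.*)$"
)
REMOTE_RE = re.compile(r"^remote address is (?P<ip>[0-9A-Fa-f.:]+) port (?P<port>\d+)$")
SENDTO_RE = re.compile(r"^sendto failed: (?P<err>.+)$")


def correlate_sendto_failures(log_text):
    """Pair each 'sendto failed' notice with the preceding 'remote address is'
    notice logged by the same Unbound thread. Returns a list of dicts; a
    failure with no preceding remote-address line gets client=None."""
    last_remote = {}   # thread id -> (ip, port) of the most recent remote-address notice
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # not an Unbound notice line
        tid, msg = m["tid"], m["msg"]
        r = REMOTE_RE.match(msg)
        if r:
            last_remote[tid] = (r["ip"], int(r["port"]))
            continue
        s = SENDTO_RE.match(msg)
        if s:
            ip, port = last_remote.pop(tid, (None, None))
            failures.append({"thread": tid, "client": ip, "port": port, "error": s["err"]})
    return failures


def subnet24(ip):
    """Collapse an IPv4 address to its /24 prefix (IPv6 is returned unchanged)."""
    if ":" in ip:
        return ip
    return ".".join(ip.split(".")[:3]) + ".0/24"


def summarize(failures):
    """Count failures per client, per /24 and per error string, and count
    failures that could not be paired with a client address."""
    paired = [f for f in failures if f["client"] is not None]
    return {
        "by_client": Counter(f["client"] for f in paired),
        "by_subnet": Counter(subnet24(f["client"]) for f in paired),
        "by_error": Counter(f["error"] for f in failures),
        "unpaired": len(failures) - len(paired),
    }


if __name__ == "__main__":
    report = summarize(correlate_sendto_failures(SAMPLE_LOG))
    for subnet, n in report["by_subnet"].most_common():
        print(f"{subnet}: {n} sendto failures")
    for client, n in report["by_client"].most_common():
        print(f"  {client}: {n}")
    print("errors:", dict(report["by_error"]))
    print("unpaired failures:", report["unpaired"])
```

Feed it the Resolver log copied out of the pfSense GUI (or `/var/log/resolver.log`) instead of `SAMPLE_LOG`; if every failing client falls in the IoT VLAN's /24 and no other subnet appears, the problem is confined to that interface rather than to Unbound as a whole.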