DNS: Plain Unbound works, Quad9 almost...
-
@steveits said in DNS: Plain Unbound works, Quad9 almost...:
@furom if forwarding, disable DNSSEC. 23.01 seems to have more issues I didn’t see in prior versions.
https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
Thanks, yes, I tried that, but as mentioned, it kept nagging about it in the log. Not sure that was the cause of why sites fail to resolve fully though. Both sites work partially using Quad9, and I know the webmail wants to redirect; it may be the same for Netflix...?
-
@furom I did forget to disable Strict Query Name Minimization when not using a forwarder... Editing above. Still not gotten the other one to work well again...
-
@furom I don’t have a great answer…have seen multiple threads about DNS in 23.01 but I’ve had no issues forwarding to Quad9 after disabling DNSSEC. Which we had enabled on several routers in 22.05 and earlier. Maybe the new unbound is more sensitive?
-
@furom Switch to Cloudflare DNS, no DNSSEC, TLS enabled.
Or Quad9 no DNSSEC, no TLS.
We are testing Quad9, no DNSSEC, TLS, both pre-fetch options on.
-
If you want a Quad9 equivalent on Cloudflare use these instead of 1.1.1.1
1.1.1.2
1.0.0.2
security.cloudflare-dns.com
-
@steveits said in DNS: Plain Unbound works, Quad9 almost...:
@furom I don’t have a great answer…have seen multiple threads about DNS in 23.01 but I’ve had no issues forwarding to Quad9 after disabling DNSSEC. Which we had enabled on several routers in 22.05 and earlier. Maybe the new unbound is more sensitive?
I think you may be right. Perhaps it was tolerating what was restored from backup, but reconfiguring may be something else... Anyways, with the last edit I got it to work well with no forwarders at least. The only minor issue I had was forgetting to turn on the fw rules before deactivating the NAT rule I had in place... lol. So a little bummed for a few minutes (while Netflix was running great, almost all else lacked DNS) until I thought of trying the console... And it totally saved the day! Overall I am soooo happy with pfSense/Netgate!!
-
@cylosoft said in DNS: Plain Unbound works, Quad9 almost...:
If you want a Quad9 equivalent on Cloudflare use these instead of 1.1.1.1
1.1.1.2
1.0.0.2
security.cloudflare-dns.com
Thanks! I will give that a go as well to see if it behaves differently :)
-
@steveits said in DNS: Plain Unbound works, Quad9 almost...:
https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
Something in this blog caught my eye
If your network does not have IPv6, which you can test here, then IPv6 addresses should not be added, as it may result in a percentage of your DNS requests failing.
Whilst I don't have IPv6 or the address listed, this did trigger me to go into pfSense / System / Advanced / Networking and uncheck Allow IPv6.
I am getting some queries dropped from Windows devices seemingly at random; restarting unbound can sometimes help.
-
@jasonau said in DNS: Plain Unbound works, Quad9 almost...:
@steveits said in DNS: Plain Unbound works, Quad9 almost...:
https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
Something in this blog caught my eye
If your network does not have IPv6, which you can test here, then IPv6 addresses should not be added, as it may result in a percentage of your DNS requests failing.
Whilst I don't have IPv6 or the address listed, this did trigger me to go into pfSense / System / Advanced / Networking and uncheck Allow IPv6.
I am getting some queries dropped from Windows devices seemingly at random; restarting unbound can sometimes help.
Thanks for trying! Unfortunately no IPv6 involved. Lookups to destinations work; what is failing is their redirects to the target after logging in.
-
@furom said in DNS: Plain Unbound works, Quad9 almost...:
Unbound Resolver with quad9 through TLS
Unbound Resolver with no forwarder
I've been using the resolver as a resolver for .... 10 years or so.
Never had an issue.
Just for the fun, I'm forwarding to 1.1.1.1 and 2606:4700:4700::1111 (as I use IPv6, and IPv4 for the old stuff), and because why not: over TLS using port 853.
No issues either.
Btw: 1.1.1.1 (or 8.8.8.8 or 9.9.9.69) are all resolvers.
What they can do, so can unbound, pfSense's resolver.
-
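To see for yourself what a forwarder answers over DNS-over-TLS on port 853 (the setup debated above), here is a small probe added to this thread; it is not pfSense or Unbound code. It frames one query the way DoT requires (RFC 7858: the TCP two-byte length prefix inside a verified TLS session), sets the EDNS DO bit, and reports RCODE, TC and the AD flag. AD set means the upstream already validated DNSSEC, which is what a local "DNSSEC" checkbox on a forwarding resolver would be re-doing; the 9.9.9.9 / dns.quad9.net pair in the usage line is Quad9's standard DoT endpoint, not a value quoted from the thread, and the transaction id 0x1234 is just a constant.

```python
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Build a DNS query: header with RD set, one question, optional EDNS0 OPT RR with the DO bit."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, UDP size 4096, ext-RCODE 0, version 0, flags with DO, RDLEN 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(msg):
    """Extract the header bits that matter when judging a forwarder: RCODE, TC and AD."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), "ancount": an}

def recv_exact(sock, n):
    """TCP/TLS streams may deliver partial reads; keep reading until n bytes arrived."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS session mid-response")
        buf += chunk
    return buf

def dot_query(server, name, tls_hostname, port=853, timeout=5.0):
    """Send one query over DNS-over-TLS and return the parsed header flags of the reply."""
    ctx = ssl.create_default_context()  # verifies the upstream certificate against the system CA store
    query = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            reply = parse_flags(recv_exact(tls, length))
    if reply["id"] != 0x1234:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    return reply

if __name__ == "__main__":
    # Assumed endpoint: Quad9 on 9.9.9.9 with TLS name dns.quad9.net (standard values, not from the thread)
    print(dot_query("9.9.9.9", "example.com", "dns.quad9.net"))
```

Run it against each candidate forwarder from the thread; a reply with rcode 2 (SERVFAIL) or with AD clear on a known-signed name tells you more than a log line about which side is refusing the answer.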