Good grief. Huge list of implemented RFCs and no 2136, also no straightforward API docs and the SDK or whatever is Python.
https://unbound.docs.nlnetlabs.nl/en/latest/reference/rfc-compliance.html
This seems to leave our options at either having the machines themselves do DDNS with an actual public domain or I write something up to interface with the OPNsense API to manage Unbound overrides. If Unbound has a decent API it might be better to code against that. But what interface to expose? RFC2136 is theoretically the standard for DDNS but my hunch is that's about as popular as mDNS. Still, I might be able to find some existing clients or tools for that. Alternatively I could have the program browse mDNS responses and create overrides for all found, which centralizes the responsibility nicely...
Actually it looks like one of my VPS IPv6 addresses changed, which I used for monitoring the IPv6 WAN Gateway in #OPNsense.
Additionally, Python used nearly 100% CPU, which was the Netflow. Don't know why I had this on.
So I'm not monitoring the Gateway anymore for now to keep it just running.
CPU is down again to max 30%.
And having DNS on that same host is really bad, because my whole HomeLab including HomeAssistant dies even for reaching local systems.
Sometimes it’s just…. DNS.
#ItsAlwaysDNS
Connections have been really slow today and some of my scripts reaching local #HomeLab services have also been slow.
It was #UnboundDNS. A restart of #OPNsense after the latest hotfix update solved the issue.
@badnetmask @kamyk @kevin +1 but with #UnboundDNS on #OPNsense
Removed the #DNS forwarding in #UnboundDNS and just doing recursive resolution for now.
Works pretty well since yesterday, nothing really slow or something. Also checked DNS leak tests etc., but only the IPv4 shared across multiple households is showing up. So.. fine.
I enabled the following settings additionally to the defaults:
- Enable DNSSEC Support (not sure if that was the default)
- Hide Identity
- Hide Version
- Prefetch DNS Key Support
- Aggressive NSEC
- Prefetch Support
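The same setup written as plain unbound.conf directives, as an added example that is not part of the original posts: a recursive-only resolver (no forward-zone, so Unbound walks from the root servers itself) with the six checkbox options above mapped to the directives the Unbound manual documents for them. The trust-anchor path is an assumption and differs between installs.

```conf
server:
    # "Enable DNSSEC Support": load the root trust anchor (path is an
    # assumption, it varies by install) and run the validator module.
    auto-trust-anchor-file: "/var/unbound/root.key"
    module-config: "validator iterator"

    # "Hide Identity": refuse id.server / hostname.bind CH TXT queries.
    hide-identity: yes
    # "Hide Version": refuse version.server / version.bind CH TXT queries.
    hide-version: yes
    # "Prefetch Support": re-fetch popular records shortly before they expire
    # so clients are not left waiting on an upstream round trip.
    prefetch: yes
    # "Prefetch DNS Key Support": fetch DNSKEY records as soon as a DS record
    # is seen during validation, instead of on the next lookup.
    prefetch-key: yes
    # "Aggressive NSEC": synthesize negative answers from cached NSEC/NSEC3
    # records (RFC 8198), cutting upstream queries for non-existent names.
    aggressive-nsec: yes

    # No forward-zone section: every query is resolved recursively from the
    # root servers, which is the setup described in the post.
```

Run `unbound-checkconf` against the file before reloading; it reports unknown directives and bad values, which is the usual cause of Unbound refusing to start after a hand edit.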
#TIL 1/2 Do not use any IP (v4 or v6) as Gateway Monitor IP if you need it somewhere else in #OPNsense.
OPNsense creates a new route for the monitoring IPs, which makes them only usable for this.
Broke my #UnboundDNS.
Let's say you are hosting a cloud VM for free but changing instances, shutting down etc., make sure to update your DNS records if you are pointing to this VM.
Public IPs of these VMs are getting reused by others.
That should be clear.
But I was surprised to see many DNS queries in my #UnboundDNS to that DNS name... turns out I HAD prometheus monitoring set up to the cloud VM.
Checking the DNS via https turned into a TLS error, because... yeah, it's a server for role play games now.
@mike #UnboundDNS on #OPNsense
Works great, also supports many blocklists like AdGuard, Easylist etc. and comes with nice monitoring dashboard.. at least on OPNsense.
Trying to figure out how to forward an entire domain, including subdomains, to another DNS server using #UnboundDNS. It seems that forward-zone only works with FQDNs, so using a name value of "example.com" does not match "subdomain.example.com".
It also would be nice if I could configure Unbound to enable recursion on forwarded queries.
Here's what I have so far:
forward-zone:
    forward-first: yes
    name: "example.com"
    forward-addr: 172.16.2.10
But queries for subdomain.example.com return NXDOMAIN.
Anyone have any ideas, non-xkcd pointers, or suggestions?
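An added unbound.conf example for reference (not from the post or its replies). In Unbound a forward-zone name covers the zone and every name below it, so a forward-zone for example.com already applies to subdomain.example.com; when such names still come back NXDOMAIN, the usual causes are another declaration for the same name answering first (a local-zone of type static or refuse for example.com, which returns NXDOMAIN for any name without local-data) or the forwarder itself answering NXDOMAIN, which forward-first treats as a definitive answer rather than a reason to recurse. The forwarder address 172.16.2.10 is the one from the post; the domain-insecure and private-domain lines are additions for the common case where the internal server's answers are unsigned or contain RFC 1918 addresses.

```conf
server:
    # Make sure nothing claims example.com before the forward-zone does.
    # "transparent" answers from local-data where it exists and lets every
    # other name fall through; "static" or "refuse" would stop the query
    # here with NXDOMAIN/REFUSED and the forwarder would never be asked.
    local-zone: "example.com" transparent

    # An internal server rarely serves signed data: without this, DNSSEC
    # validation marks its answers bogus and clients see SERVFAIL.
    domain-insecure: "example.com"

    # If private-address filtering is enabled, RFC 1918 addresses are
    # stripped from answers unless the name is listed as a private-domain.
    private-address: 172.16.0.0/12
    private-domain: "example.com"

forward-zone:
    # Covers example.com and everything below it (subdomain.example.com, ...).
    name: "example.com"
    # Internal DNS server named in the post.
    forward-addr: 172.16.2.10
    # Fall back to normal recursion only when the forwarder is unreachable
    # or returns SERVFAIL; an NXDOMAIN from it is returned to the client as-is.
    forward-first: yes
```

After changing the configuration, clear cached negative answers for the zone with `unbound-control flush_zone example.com`, otherwise an NXDOMAIN cached before the change keeps being served for its negative TTL and the fix looks as if it did nothing.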
I would really like to know what happened to Unbound DNS or my home network yesterday during this time.
I was using Quad9 with DNS over TLS as my upstream DNS provider.
Symptoms:
- Some internal and outbound connections continued to work, I could still load and reload some Web sites
- Other internal and outbound connections failed, mostly with DNS failures/timeouts
- Affected Macs (home and work), HomePod minis (streaming stopped)
I recently replaced pfSense with OPNsense for two main reasons. I had wanted to try out and compare OPNsense. I was also hoping the different integration of DHCP leases with the local Unbound DNS would help my maddening UniFi AP dropout problem, since that seemed to hinge on DNS resolution of the UniFi Inform URL.
#Pfsense #Opnsense #DHCP #DNS #Unbound #UnboundDNS #UniFi #UniFiController
Pulling out the little bit of hair I have left 😉
Swapped my web server DNS entry to a new server & everything was resolving properly EXCEPT when it tried to use IPv6. To be clear, all IPv4 and IPv6 addresses had been updated on all the A/AAAA records and had propagated.
#UnboundDNS running under #OPNsense seemed to be returning the old IP and for some reason, switching to a public DNS server or disabling DNSSEC support on Unbound fixed it? How does that even happen? Still unclear on the why…