Unbound DNS Question (with some pihole thrown in)

Pocky Is God

Ars Legatus Legionis
24,450
So I am using OPNSense (love it), and Unbound on said box. Am trying to get to an address that I know is up, but that my DNS cannot resolve. I do have the option to forward queries to name servers it cannot resolve (Using Cloudflare and OpenDNS) and still, it cannot get to this address. Shouldn't my machine forward queries it itself cannot resolve until it gets to the address in question? Do I have something configured incorrectly?

And yes, I'm trying to watch some weird Anime my buddy recommended. Don't judge me.
 

evan_s

Ars Tribunus Angusticlavius
7,315
Subscriptor
If you have a Pi-hole set up I'd check that and make sure it isn't being blocked there. If it's in the block list that would stop the progression of lookups and just return a not-exists message. If the lookups kept going up the chain when the Pi-hole blocked it, that would defeat the whole point of blocking, as you'd still end up getting the server address anyway. I'd try manually setting the DNS on one machine to Cloudflare or OpenDNS and confirm you can access the site.
 

spiralscratch

Ars Tribunus Militum
2,927
Subscriptor
Yeah, my bet is also on the Pi-Hole blocking the query if it's just one or a few hosts that are problematic. Its logs should show what queries are being dropped.

A simple diagnostic might be to use the dig command to run test queries against the various resolvers in the chain to see where it's getting lost. e.g.:

Code:
dig <hostname>                   # this uses the local resolver (whatever the host is configured for)
dig @<pi-hole addr> <hostname>   # ask Pi-hole directly
dig @<unbound addr> <hostname>   # ask Unbound directly, bypassing Pi-hole
dig @<upstream addr> <hostname>  # ask the forwarder (Cloudflare/OpenDNS) directly, bypassing both
 

wxfisch

Ars Scholae Palatinae
949
Subscriptor++
spiralscratch said:
Yeah, my bet is also on the Pi-Hole blocking the query if it's just one or a few hosts that are problematic. Its logs should show what queries are being dropped.

A simple diagnostic might be to use the dig command to run test queries against the various resolvers in the chain to see where it's getting lost. e.g.:

Code:
dig <hostname>                   # this uses the local resolver (whatever the host is configured for)
dig @<pi-hole addr> <hostname>   # ask Pi-hole directly
dig @<unbound addr> <hostname>   # ask Unbound directly, bypassing Pi-hole
dig @<upstream addr> <hostname>  # ask the forwarder (Cloudflare/OpenDNS) directly, bypassing both
I use this quite often when I have odd DNS lookup issues on my recursive Pi-hole. I did learn that Tailscale did odd things to the DNS settings on my Pi-hole box when I had it set up, and would cause lookups to somewhat randomly fail because the Pi-hole would lose its setting to go to localhost for the Unbound lookup and instead would send them to Tailscale, which just sent them back to the Pi-hole.
I never did fix that issue; instead I just ripped Tailscale out of the network and use UniFi Identity to VPN into my network when I need to now.
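The "walk the chain with dig" diagnostic that spiralscratch posted and wxfisch quoted above, written out as a script. This is an added example, not code from either poster: it shells out to dig for each hop, reduces every transcript to a verdict (resolved, sinkholed to 0.0.0.0, NXDOMAIN, SERVFAIL, no response) and then names the hop nearest the upstream whose answer still disagrees with the upstream's, which is where the lookup is being lost or rewritten. The resolver addresses in CHAIN are placeholders (192.0.2.x documentation addresses), the hostname and the dig transcripts in FAKE are constructed so the logic can be exercised with no network, and the Pi-hole sinkhole values are the 0.0.0.0 / :: answers Pi-hole uses in its default blocking modes.

```python
"""Walk a DNS resolver chain with dig and classify each hop's answer.

Added example for this thread, not code posted by anyone in it. Assumes
`dig` is on PATH for live use; CHAIN holds placeholder addresses.
"""
import re
import subprocess
import sys
from typing import Callable, List, Optional, Tuple

# Pi-hole answers a blocked name with NXDOMAIN or with a "sinkhole"
# address; these are the sinkhole values it hands out by default.
SINKHOLE_ADDRS = {"0.0.0.0", "::"}

# Hypothetical chain, client side first, upstream last (replace with yours).
CHAIN = [
    ("local resolver", None),   # None = whatever the host is configured to use
    ("pi-hole", "192.0.2.2"),
    ("unbound", "192.0.2.1"),
    ("upstream", "1.1.1.1"),
]

def run_dig(hostname: str, resolver: Optional[str]) -> str:
    """Query one resolver with dig and return the full transcript."""
    cmd = ["dig", "+time=3", "+tries=1"]
    if resolver:
        cmd.append("@" + resolver)
    cmd.append(hostname)
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def answer_addrs(dig_output: str) -> set:
    """Collect A/AAAA rdata from the ANSWER SECTION of a dig transcript."""
    addrs, in_answer = set(), False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                break                   # section ends at a blank line or the next ';;' header
            fields = line.split()       # name ttl class type rdata
            if len(fields) >= 5 and fields[3] in ("A", "AAAA"):
                addrs.add(fields[4])
    return addrs

def classify(dig_output: str) -> str:
    """Reduce one dig transcript to a one-word verdict for that hop."""
    m = re.search(r"status: ([A-Z]+)", dig_output)
    if not m:
        return "no-response"            # timeout, refused, or wrong address
    status = m.group(1)
    if status == "NXDOMAIN":
        return "nxdomain"               # "does not exist": blocklist hit or genuinely absent
    if status == "SERVFAIL":
        return "servfail"               # upstream unreachable or DNSSEC validation failed
    if status != "NOERROR":
        return "rcode-" + status.lower()
    addrs = answer_addrs(dig_output)
    if not addrs:
        return "empty-answer"           # NOERROR but no A/AAAA record came back
    if addrs <= SINKHOLE_ADDRS:
        return "sinkholed"              # Pi-hole-style 0.0.0.0 / :: answer
    return "resolved"

def walk_chain(hostname: str, chain=CHAIN, runner: Callable = run_dig) -> List[Tuple[str, str]]:
    """Query every hop in order and return [(label, verdict), ...]."""
    return [(label, classify(runner(hostname, addr))) for label, addr in chain]

def suspect_hop(results: List[Tuple[str, str]]) -> Optional[str]:
    """The hop nearest upstream whose verdict still differs from upstream's.
    None means every hop agrees with upstream (chain is fine, or the name is bad everywhere)."""
    reference = results[-1][1]
    suspect = None
    for label, verdict in results[:-1]:
        if verdict != reference:
            suspect = label
    return suspect

# Constructed dig transcripts (not real captures) so the walk runs offline.
FAKE = {
    "sinkholed": ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
                 ";; ANSWER SECTION:\nvideo.example.\t2\tIN\tA\t0.0.0.0\n\n;; Query time: 0 msec\n",
    "resolved": ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n"
                ";; ANSWER SECTION:\nvideo.example.\t300\tIN\tA\t203.0.113.10\n\n;; Query time: 9 msec\n",
    "nxdomain": ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3\n\n;; AUTHORITY SECTION:\n",
    "timeout": ";; connection timed out; no servers could be reached\n",
}

def offline_demo() -> List[Tuple[str, str]]:
    """Simulate a Pi-hole sinkholing a name that Unbound and upstream both resolve."""
    scripted = {None: "sinkholed", "192.0.2.2": "sinkholed",
                "192.0.2.1": "resolved", "1.1.1.1": "resolved"}
    return walk_chain("video.example", runner=lambda h, r: FAKE[scripted[r]])

if __name__ == "__main__":
    results = walk_chain(sys.argv[1]) if len(sys.argv) > 1 else offline_demo()
    for label, verdict in results:
        print(f"{label:15s} {verdict}")
    print("look first at:", suspect_hop(results) or "nothing in the chain disagrees with upstream")
```

Run it with a hostname to query the real chain, or with no argument to see the offline scenario, where the Pi-hole hop is flagged because it hands back 0.0.0.0 while Unbound and the upstream both return a real address. A chain that reads nxdomain all the way down to Unbound but resolved at the upstream points at an Unbound policy or blocklist instead, which is the case Paladin raises below.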
 

Pocky Is God

Ars Legatus Legionis
24,450
Here is the straight Unbound DNS, without hitting pihole:

[attached screenshot: 1756946185383.png]
 

Paladin

Ars Legatus Legionis
33,531
Subscriptor
Yeah I would also bet some kind of policy causing that on the opnsense/unbound setup. It should either have a log for blocked attempts or an option to log that kind of thing.

And a Mac can have some odd behavior if you have any of the security/privacy features turned on in the OS or applications. It can proxy all kinds of traffic to external resources, VPNs, DNSSEC services, etc.