Firewall settings for unbound
Posted: Tue Dec 06, 2022 11:14 pm
I'm trying to set up Pi-hole with unbound (on an RPi); however, when I set a custom upstream in Pi-hole for unbound, my internet connection is lost. A similar story applies to Pi-hole with stubby and NextDNS as upstream. If I set one of the default upstreams in Pi-hole, like Quad9 or Google, the internet works fine. Debug log of Pi-hole is here.

Test from unbound shows this:

```
tobias@rpi3B:~ $ dig fail01.dnssec.works @127.0.0.1 -p 5335
; <<>> DiG 9.16.33-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26949
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works. IN A
;; Query time: 3499 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Dec 06 15:18:39 CET 2022
;; MSG SIZE rcvd: 48
tobias@rpi3B:~ $ dig dnssec.works @127.0.0.1 -p 5335
; <<>> DiG 9.16.33-Debian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56748
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.works. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Dec 06 15:18:39 CET 2022
;; MSG SIZE rcvd: 41
```

The first command looks ok (SERVFAIL); the second, however, shows fail (should be NOERROR). What could be wrong? Something about DNSSEC?

I guess there is a problem with the firewall, because the query log in Pi-hole is filled (also if using NextDNS as custom upstream instead of unbound, the log is filled there). So I guess there is some rule in the firewall that won't let traffic back. Here is my firewall setting.

```
# dec/06/2022 22:02:25 by RouterOS 7.6
# software id = 54UW-M61Q
#
# model = RBD53iG-5HacD2HnD
# serial number = ********
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.100.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes src-address=172.17.0.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.88.1 dst-port=\
888 protocol=tcp to-addresses=172.17.0.2 to-ports=80
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
```

Any idea what could be wrong? Thanks. Firewall rules are too complex for me right now.
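The export above ends with two active dstnat rules that redirect port 53 (tcp and udp) to the router itself, with no src-address exemption. A recursive resolver such as unbound sends its own queries to port 53 of authoritative name servers, and because those queries also pass through the router they match such rules unless the resolver host is excluded. As an added example (not code from the post, nor from Pi-hole, unbound or MikroTik), the script below parses a RouterOS export, joining the backslash line continuations, and reports which dstnat rules intercept port 53 and whether a given resolver address is caught by each. The sample export and the resolver address 192.168.88.5 are constructed for the example; it only inspects src-address, not src-address-list.

```python
"""Added example, not code from the original post: parse a RouterOS
'/export'-style firewall dump and report dstnat rules that intercept
DNS (port 53). A recursive resolver such as unbound sends its own
queries to port 53 of authoritative servers, so a catch-all redirect
on port 53 also catches the resolver unless it is exempted. The
export below is a constructed excerpt in the post's format."""
import ipaddress
import shlex

# Constructed sample in RouterOS export format (mirrors the post's rules).
SAMPLE_EXPORT = r"""
# constructed sample, not a real router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
"""

# Hypothetical LAN address of the Pi-hole/unbound host (constructed).
RESOLVER_IP = "192.168.88.5"


def join_continuations(text):
    """Join lines that RouterOS wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()          # leading indent on continuations is not significant
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        lines.append(buf)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return (section, {key: value}) for every 'add' line in the export."""
    section, rules = None, []
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line          # e.g. '/ip firewall nat'
            continue
        tokens = shlex.split(line)  # handles quoted comment="..." values
        if tokens and tokens[0] == "add":
            rule = dict(tok.partition("=")[::2] for tok in tokens[1:])
            rules.append((section, rule))
    return rules


def port_matches(spec, port):
    """True if a dst-port spec like '53', '53,5353' or '50-60' covers port."""
    if not spec:
        return True                 # no dst-port in the rule: every port matches
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def src_covers(rule, ip):
    """Does the rule's src-address (possibly negated, possibly CIDR) match ip?"""
    src = rule.get("src-address")
    if not src:
        return True                 # no src-address: the rule applies to all sources
    negated = src.startswith("!")
    net = ipaddress.ip_network(src.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negated


def dns_intercept_findings(text, resolver_ip):
    """List active dstnat rules that rewrite port-53 traffic, noting whether
    the resolver's own upstream queries would be caught by each."""
    findings = []
    for section, rule in parse_export(text):
        if section != "/ip firewall nat" or rule.get("chain") != "dstnat":
            continue
        if rule.get("disabled") == "yes":
            continue
        if rule.get("action") not in ("redirect", "dst-nat"):
            continue
        if not port_matches(rule.get("dst-port"), 53):
            continue
        findings.append({
            "protocol": rule.get("protocol", "any"),
            "action": rule["action"],
            "target": rule.get("to-addresses", "router itself"),
            "catches_resolver": src_covers(rule, resolver_ip),
        })
    return findings


if __name__ == "__main__":
    for f in dns_intercept_findings(SAMPLE_EXPORT, RESOLVER_IP):
        flag = "CATCHES" if f["catches_resolver"] else "exempts"
        print(f"dstnat {f['action']} {f['protocol']}/53 -> {f['target']}: "
              f"{flag} resolver {RESOLVER_IP}")
```

Run against a real `/ip firewall export` and the same address as the resolver host, a finding marked CATCHES means the resolver's outbound port-53 queries are being rewritten by the router; a rule carrying `src-address=!<resolver>` shows up as exempts instead.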