Core: Unbound as forwarder only does not work / option ignored

Created on 6 Dec 2018 · 9 Comments · Source: opnsense/core

In the latest OPNsense release 18.7.8, unbound ignores the option to work as forwarder only.

No matter whether Enable Forwarding Mode is checked or not, it always queries the root servers. I also checked the config files in /var/unbound, and with grep no forwarding option is found in the config.

I have added system dns servers in System: Settings: General that shall be used.

bug

All 9 comments

To pinpoint this we need the last known good release?

Well, I did a fresh install of 18.7.5 and upgraded to the latest release. I must admit, I do not know whether I tested forwarding before or after the upgrade.
I just know that I redirect any DNS query to the local unbound resolver, and then I checked via tcpdump which DNS queries I see on which interface.

Initially it worked as designed. Clients queried either the DHCP-assigned OPNsense as resolver or, if a static DNS was set, a foreign one which gets redirected to OPNsense. OPNsense itself just queried my configured DNS forwarders. Yesterday when I checked again, I saw many queries from OPNsense itself to other DNS servers, doing recursive queries.

I checked the source and the problem exists in /usr/local/etc/inc/plugins.inc.d/unbound.inc.
The expression isset($config['unbound']['forwarding']) is true (1), but this code block has problems with the assignments to the array $dnsservers[]. The var $nameserver is set correctly in each block, but $dnsservers[] is empty after this block, and thus the last expression !empty($dnsservers) evaluates to false.

if (isset($config['system']['dnsallowoverride'])) {
    foreach (get_nameservers() as $nameserver) {
        $dnsservers[] = $nameserver;
    }
} else {
    foreach (get_dns_servers() as $nameserver) {
        $dnsservers[] = $nameserver;
    }
}

if (!empty($dnsservers)) {
...

Hint: for debugging I just added a line $forward_conf .= $nameserver in a foreach loop to check whether get_nameservers() and get_dns_servers() return values, which they did. I just wondered why 127.0.0.1 was listed as the first nameserver. When using unbound as a forwarder, why should it forward (loop) to itself? Maybe 127.0.0.1 should be excluded.

I just added the lines:

$dnsservers[0] = "192.xxx.xxx.xx1";
$dnsservers[1] = "192.xxx.xxx.xx2";
$dnsservers[2] = "192.xxx.xxx.xx3";

before
if (!empty($dnsservers)) {

and now, since the array is explicitly filled, the expression is true and my manually hard-coded forwarders get added to the config. The problem is definitively that the assignments in both foreach loops do not seem to work and the array is still empty afterwards.
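The two behaviours discussed in this report, emitting a forward-zone only when the forwarder list is actually non-empty and not forwarding to 127.0.0.1 (a resolver forwarding to itself just loops), are shown together in the following added example. This is illustrative code written for this page, not the unbound.inc code from opnsense/core; the function names usable_forwarders() and unbound_forward_conf() and the sample address list are assumptions made here, and the unbound directive names (forward-zone, name, forward-addr) are unbound's own.

```php
<?php
// Added example, not code from opnsense/core. Builds an unbound
// "forward-zone" stanza from a list of candidate nameservers, emitting
// nothing when no usable forwarder remains (unbound then resolves
// recursively, which is the symptom reported in this issue), and
// dropping loopback entries so the forwarder never forwards to itself.

/**
 * Return the subset of $candidates usable as forwarders: valid IPv4/IPv6
 * literals, not loopback, deduplicated, original order preserved.
 */
function usable_forwarders(array $candidates): array
{
    $servers = [];
    foreach ($candidates as $nameserver) {
        $nameserver = trim((string)$nameserver);
        if ($nameserver === '' || isset($servers[$nameserver])) {
            continue; // empty or already seen
        }
        if (filter_var($nameserver, FILTER_VALIDATE_IP) === false) {
            continue; // not an IP literal, unbound would reject it anyway
        }
        // Loopback: forwarding to ourselves creates a query loop
        if ($nameserver === '::1' || strpos($nameserver, '127.') === 0) {
            continue;
        }
        $servers[$nameserver] = true;
    }
    return array_keys($servers);
}

/**
 * Render the forward-zone configuration for the root zone, or an empty
 * string when forwarding is off or no usable forwarder exists.
 */
function unbound_forward_conf(bool $forwarding_enabled, array $candidates): string
{
    if (!$forwarding_enabled) {
        return '';
    }
    $dnsservers = usable_forwarders($candidates);
    if (empty($dnsservers)) {
        return ''; // nothing to forward to: unbound falls back to recursion
    }
    $forward_conf = "forward-zone:\n    name: \".\"\n";
    foreach ($dnsservers as $nameserver) {
        $forward_conf .= "    forward-addr: {$nameserver}\n";
    }
    return $forward_conf;
}

// Constructed sample input (assumption for this example): what a
// get_nameservers()-style helper might return, including the loopback
// entry and a duplicate that should both be filtered out.
$sample = ['127.0.0.1', '192.0.2.1', '192.0.2.1', 'not-an-ip', '2001:db8::53'];
echo unbound_forward_conf(true, $sample);
```

Running this with the constructed sample yields a forward-zone containing only 192.0.2.1 and 2001:db8::53; an all-loopback or empty list yields an empty string, which is the case worth checking for in the generated /var/unbound config when forwarding appears to be silently ignored.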

I see what you're saying. Let me work on this, I think get_dns_servers() should be removed completely as it has side-effects. It's only used once really in the unbound code and dnsmasq does this more gracefully already (good comparison for forwarding mode).

Can you try this patch? 5cf8b4f2e

# opnsense-patch 5cf8b4f2e

Thanks,
Franco

I can try it on Monday.

On Fri, 7 Dec 2018, 13:33 Franco Fichtner notifications@github.com
wrote:

Can you try this patch? 5cf8b4f
https://github.com/opnsense/core/commit/5cf8b4f2e247ae398b412b95770c7777e079110e

@Kimotu not trying to rush you but if you can confirm today I can shortcut this to 18.7.9 for Wednesday :)

@fichtner Sorry for the late answer, but I was ill.

I applied the patch and forwarders get added as expected. So your fix works.

Thanks, will ship in 18.7.10. 18.7.9 is going out today so you will need to reapply the patch after update.

Hope you're feeling better!

Cheers,
Franco
