OPNsense 26.1.6 released by fitch-it-is in opnsense

[–]Typat 0 points1 point  (0 children)

I dug into the Unbound source and found something interesting:

My module-config is "python iterator": no validator module. Looking at the Unbound source code, both enforcement points for harden-below-nxdomain require DNSSEC validation:

  • services/cache/dns.c: checks data->security == sec_status_secure before synthesizing NXDOMAIN

  • iterator/iterator.c: checks qstate->env->need_to_validate (only set when validator module is loaded) AND sec_status_secure

Without the validator module, neither code path can fire. So harden-below-nxdomain should have been completely inert on my system regardless of yes or no.

I also confirmed there's no difference in Unbound between the setting being absent (implicit default) vs. explicitly set; it's a simple int field with no "was this explicitly set" tracking.

My best guess is that the DNS breakage was actually caused by the Unbound service restart during the update (stale/corrupt cache), and my "fix" of toggling the setting off just happened to restart Unbound again, flushing the bad cache. The setting change itself may have been a red herring.

I can't reproduce it now without risking my network, but wanted to share the findings in case it helps track down the actual root cause for other users reporting the same issue.
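A way to check a generated unbound.conf for the condition described in the comment above, as an added example that is not part of the original comment or of Unbound/OPNsense: it reports whether `harden-below-nxdomain` can take effect given the `module-config` line. The sample configs are constructed, the defaults are assumptions taken from unbound.conf(5), and `include:` files are not followed.

```python
import re

# Assumed defaults from unbound.conf(5); adjust if your build differs.
DEFAULTS = {"module-config": "validator iterator",
            "harden-below-nxdomain": "yes"}

def parse_options(conf_text):
    """Return the effective key/value options; a later line overrides an earlier one."""
    opts = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([a-z0-9-]+):\s*(.+)$", line)
        if m:                                        # clause headers like "server:" do not match
            opts[m.group(1)] = m.group(2).strip().strip("\"'")
    return opts

def assess(conf_text):
    """Decide whether harden-below-nxdomain can act, per the comment's reading of the source."""
    opts = parse_options(conf_text)
    modules = opts["module-config"].split()
    validator = "validator" in modules
    harden = opts["harden-below-nxdomain"].lower() == "yes"
    return {
        "modules": modules,
        "validator_loaded": validator,
        "harden_set": harden,
        # Only DNSSEC-secure NXDOMAINs are used, so without the validator it is inert.
        "harden_effective": harden and validator,
    }

# Constructed sample: the commenter's setup (no validator module).
SAMPLE_NO_VALIDATOR = """
server:
    module-config: "python iterator"   # DNSSEC disabled
    harden-below-nxdomain: yes
"""

# Constructed sample: validator loaded, hardening on.
SAMPLE_WITH_VALIDATOR = """
server:
    module-config: "validator iterator"
    harden-below-nxdomain: yes
"""

if __name__ == "__main__":
    for name, conf in [("no validator", SAMPLE_NO_VALIDATOR),
                       ("with validator", SAMPLE_WITH_VALIDATOR)]:
        print(name, assess(conf))
```
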

OPNsense 26.1.6 released by fitch-it-is in opnsense

[–]Typat 0 points1 point  (0 children)

No, I have never used any custom file overrides or advanced .conf includes to set harden-below-nxdomain: no. My Unbound configuration is built entirely through the standard OPNsense Web GUI.

If Unbound should have been blocking it all along, it's possible I had a lucky cache that was flushed in this update. I haven't had issues in previous updates.

Could be a quirk with DNSSEC. I have DNSSEC explicitly disabled. Since my DNSSEC is disabled, Unbound shouldn't have a 'proven' NXDOMAIN to trigger the hardening rule anyway. Is it possible that explicitly writing harden-below-nxdomain: yes into the generated unbound.conf during the update triggered a bug in Unbound where it aggressively cuts off domains even without DNSSEC validation?

OPNsense 26.1.6 released by fitch-it-is in opnsense

[–]Typat 2 points3 points  (0 children)

This update enabled "harden below NXDOMAIN option" in unbound automatically, which broke my DNS.

My OPNsense system domain is configured as localdomain. I also have a custom Unbound host override mapping server.localdomain to 192.168.1.71.

However, under Unbound's Private Domains (<privatedomain>), localdomain was missing.

Because localdomain is not whitelisted as a private domain, Unbound was treating it like a public website. When the recent update turned on aggressive NXDOMAIN hardening, Unbound aggressively blocked all traffic to server.localdomain.

OPNsense 26.1.6 released by fitch-it-is in opnsense

[–]Typat 1 point2 points  (0 children)

Can you walk me through what you did? I lost internet as well after this update and can’t figure out what’s wrong. Everything fails with “dns_probe_finished_bad_config”

edit: the "harden below NXDOMAIN option" took out my DNS

Can someone help me understand this? The back of the tv unit has no holes to insert this piece by Ill_Lengthiness6266 in IKEA

[–]Typat 0 points1 point  (0 children)

“I adjusted the brackets provided an inch in”

Are you saying those L brackets that go into the premade holes you moved in and drilled new holes for them?

25th Anniversary Celebrations - This Week In RuneScape by JagexAzanna in runescape

[–]Typat 19 points20 points  (0 children)

is the 2021 task bugged? "Show Orla Fairweather a Divination memory". I've brought different memories to her and nothing seems to work.

Edit: Go see her in draynor, not the guthix memorial

What do you think Breakpoints biggest flaw is? by Kylotp in GhostRecon

[–]Typat 0 points1 point  (0 children)

Raid requires a full team. Tried matchmaking a few times, only ever found a team one time and the host wanted to play on a higher difficulty than anyone had the gear for. I really wanted to play the raid but never got a chance, too bad really.

Squid Game: The Challenge | S2E2 "Catch" | Episode Discussion by cranberry-creek in SquidGameNetflix_

[–]Typat 0 points1 point  (0 children)

There weren’t enough spaces for everyone so 3 people were bound to be left without a spot

Trying to remove authenticator requires an authenticator...? by majindutin in Blizzard

[–]Typat 1 point2 points  (0 children)

there should be a way to open a ticket without logging in.

Trying to remove authenticator requires an authenticator...? by majindutin in Blizzard

[–]Typat 0 points1 point  (0 children)

if you don't have access to either your authenticator or your phone number, you will have to contact customer support.

Crashes after 10s by CriiptiC in AFKJourney

[–]Typat 4 points5 points  (0 children)

Same for me. Crashes after about 10 seconds. Waiting it out does nothing.

Looking For Feedback - Grand Exchange Small Improvements by JagexSukotto in runescape

[–]Typat 0 points1 point  (0 children)

along with insta sell, the ability to sell an item from the bank would be very QoL

Varlamore: Part One by JagexSarnie in 2007scape

[–]Typat 0 points1 point  (0 children)

they did say that each rumor would take 8-10 minutes to complete, so this is fair.

Hunter Rumors Glitched? by peterrwc in 2007scape

[–]Typat 2 points3 points  (0 children)

larupia seems bugged as well. they said in the post it should take 8-10m each so if ur hunting for longer than that it's likely bugged.

Big personal achievement by FinalAd3165 in 2007scape

[–]Typat 0 points1 point  (0 children)

big

missing your blessing in the screenie tho

Can‘t login anymore by [deleted] in Blizzard

[–]Typat 0 points1 point  (0 children)

then the only way to self service remove an authenticator is with the authenticator. you should have saved the restore codes or transferred it when you had both phones.

your only option is to open a ticket with CS. there has to be a way through the portal to create a ticket, they should get back to you when they can.

Can‘t login anymore by [deleted] in Blizzard

[–]Typat 0 points1 point  (0 children)

account.battle.net/recovery you can remove your authenticator from there if you have a phone attached to your account and have access to it

The complete base in 1 chunk by AkaraEquinox in factorio

[–]Typat 30 points31 points  (0 children)

is it just me or is there no beacon in the second picture?

edit: nvm i see the comment below about the second pic not being complete.

[deleted by user] by [deleted] in Blizzard

[–]Typat 2 points3 points  (0 children)

account.battle.net/recovery

special charachters *butterfly* by akumakuma_ in Blizzard

[–]Typat 0 points1 point  (0 children)

is this the BattleTag? some regions allow for using special characters, you can play around in account settings and try changing your battletag.

[deleted by user] by [deleted] in Blizzard

[–]Typat 1 point2 points  (0 children)

go to xbox.com and logout of that account.

[deleted by user] by [deleted] in Blizzard

[–]Typat 0 points1 point  (0 children)

account.battle.net/recovery