OPNsense Forum

English Forums => General Discussion => Topic started by: tvtr on March 19, 2023, 06:55:27 pm

Title: DNSCrypt-Proxy return nxdomain error
Post by: tvtr on March 19, 2023, 06:55:27 pm
Hi, I’m using the DNSCrypt-Proxy plugin with the OPNsense router.
I set the router firewall to block access to the internet so my DNS is local only.
The problem is that when a DNS request for a non-existing domain is made, instead of replying immediately that this domain does not exist, the DNSCrypt-Proxy doesn’t respond at all. In the logs I see response code NOT READY, but in the nslookup request I don’t get any response (just a timeout after 2 sec).
Is there some configuration that I can do so the plugin will respond with an error code immediately instead of timing out?
Thanks in advance!
Title: Re: DNSCrypt-Proxy return nxdomain error
Post by: tvtr on March 20, 2023, 03:19:40 pm
UP.
Title: Re: DNSCrypt-Proxy return nxdomain error
Post by: Fright on March 23, 2023, 12:53:45 pm
Hi
So you have servers configured but you are blocking all outbound connections?
I think this is expected behaviour then.
DNSCrypt cannot connect to servers and logs "NOT_READY" (it's not a DNS response type; it's an internal DNSCrypt status):
https://github.com/DNSCrypt/dnscrypt-proxy/commit/daa1f3d3b1df53c600b274face546a2b0e9fa59c

I don't think that DNSCrypt has a "cloaking-only" mode (to return NXDOMAIN for all requests except overrides).
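
Added example, not part of the original posts: a small client-side probe that shows whether a resolver really answers with an RCODE such as NXDOMAIN or sends nothing at all, which is the distinction between a DNS response and the internal NOT_READY status discussed above. The function names and the server address are assumptions made for this illustration.

```python
import socket
import struct

# RCODE values from the DNS header (low 4 bits of the flags word).
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234, qtype=1):
    """Encode a minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_rcode(packet, qid=0x1234):
    """Return the RCODE name from a DNS response header; raise on a bad packet."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != qid or not flags & 0x8000:  # ID must match and QR bit must be set
        raise ValueError("not a response to our query")
    code = flags & 0x000F
    return RCODES.get(code, "RCODE%d" % code)

def probe(server, name, port=53, timeout=2.0):
    """Send one UDP query; return the RCODE name, or 'TIMEOUT' if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return parse_rcode(data)

if __name__ == "__main__":
    # Constructed sample: 192.0.2.1 is a documentation address, replace it
    # with the LAN address of the resolver being checked.
    print(probe("192.0.2.1", "does-not-exist.example"))
```

A resolver that answers prints NXDOMAIN for a missing name; a proxy that has no reachable upstream and stays silent prints TIMEOUT.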
Title: Re: DNSCrypt-Proxy return nxdomain error
Post by: tvtr on March 23, 2023, 01:14:27 pm
I've tried to empty the servers list, but the DNSCrypt-Proxy won't run. I thought about connecting it to the Unbound DNS but I don't know if it will be supported in the DNSCrypt-Proxy. (The problem is that I have to use the DNSCrypt-Proxy and not other DNS services because I need to use it with an API - and other services won't provide me such an API).
Title: Re: DNSCrypt-Proxy return nxdomain error
Post by: Fright on March 23, 2023, 04:01:49 pm
A quick option that comes to mind is to add a *.* 127.0.0.1 record to the overrides. It should work like a blacklist, but will answer with 127.0.0.1 instead of NXDOMAIN for all addresses except for other specified overrides.

Still not sure if I fully understood your purpose.
Title: Re: DNSCrypt-Proxy return nxdomain error
Post by: tvtr on March 23, 2023, 06:46:19 pm
I have a system that I built that should be connected to an OPNsense router with an isolated network. The users need to be able to add to the router the DNS server IP for the network and some host overrides. This should happen using my system only (users shouldn’t have access to the router).
So the best option for me is the Unbound DNS, but the problem is that the Unbound DNS has no API. The only plugin that has an API and can help me with this is the DNSCrypt-Proxy (at least to my knowledge, I haven’t found other useful plugins).

The 127.0.0.1 solution won’t help me because when you try to nslookup a domain, it will first try to search for the domain.local, and because the router will respond with 127.0.0.1 the machine will try to access the 127.0.0.1 IP address instead of searching for the domain (again, this is to my knowledge; maybe there are some other solutions that haven’t come to my mind).
Title: Re: DNSCrypt-Proxy return nxdomain error
Post by: Fright on March 23, 2023, 07:14:56 pm
Oh, agree, this is a problem if there is no way to disable this search list on clients. In this case, I do not see options for the case of DNSCrypt.
Speaking of API: It seems to me that an API is available for Unbound: https://docs.opnsense.org/development/api/core/unbound.html
Title: Re: DNSCrypt-Proxy return nxdomain error
Post by: tvtr on March 23, 2023, 07:30:58 pm
Oh, I don’t know how I missed that. Thank you!