OPNsense Forum

English Forums => General Discussion => Topic started by: MarekWojtaszek on May 08, 2023, 04:35:27 pm

Title: Block list alias on internal web server
Post by: MarekWojtaszek on May 08, 2023, 04:35:27 pm
I created my own block list txt file and put it on my web server hosted on my internal network (behind NAT, but facing the internet). Then I created an alias entry in OPNsense where I entered the URL of the txt file:

(https://i.imgur.com/hlMfBwB.png)

After saving, it does not load any entries, as you can see in the screenshot below:

(https://i.imgur.com/mTf5LLk.png)

even though there are several hundred entries on the list:

(https://i.imgur.com/IeS9usJ.png)

The log shows that it was caused by a name resolve error:

(https://i.imgur.com/15zcV92.png)

When I SSH to OPNsense and try to ping the hostname, it is indeed unable to resolve the name. It resolves it to the public IP, not the internal private IP:

(https://i.imgur.com/BftYJXX.png)

So my question is now: how do I make OPNsense resolve the hostname to the private IP/internal email address?
I tried adding it to /etc/hosts on OPNsense. It helps in terms of pinging the host from SSH, but the IP list is still not loaded in the alias entry...
I also tried to play with the NAT reflection settings, but honestly I do not feel comfortable with it yet...

Any idea how to fix that?

Marek
Title: Re: Block list alias on internal web server
Post by: sphbecker on May 08, 2023, 10:34:12 pm
That service should use the DNS configuration defined in System --> Settings --> General.
If you want to ensure the firewall resolves addresses the same way your internal clients do, then uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN" and clear any public DNS servers listed there.

If using a resolver service like Dnsmasq DNS or Unbound DNS, make sure to configure upstream public DNS servers there instead, as those services were probably formerly getting that information from general settings.

If using another local host for DNS, then make sure you specify that host's IP in the General settings page (127.0.0.1 is assumed if nothing is provided).

EDIT: The OPNsense implementation of Dnsmasq doesn't seem to allow you to manually configure DNS forwarder addresses. I switched to Unbound DNS for that exact reason.
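The reply above boils down to one check: does the firewall's own resolver (the one /etc/resolv.conf points at, which is what the alias fetch uses) answer with the server's private address, or with the public address that then needs NAT reflection? The script below is an added example, not OPNsense code or anything posted in this thread. It assumes the alias fetcher uses the system resolver and that the web server sits behind NAT on an RFC1918 network; the resolv.conf text, hostname, LAN ranges and answers used in it are constructed for illustration.

```python
"""Split-DNS sanity check for an OPNsense URL-table alias host (added example).

Assumptions (not taken from the thread): the alias fetcher resolves the URL's
host through the system resolver (/etc/resolv.conf), and the web server is on
an RFC1918 LAN behind NAT. Every sample value below is constructed.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed /etc/resolv.conf as it can look when "Allow DNS server list to be
# overridden by DHCP/PPP on WAN" is enabled: Unbound first, ISP/public servers after.
SAMPLE_RESOLV_CONF = """\
# Generated by resolvconf
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 1.1.1.1
"""

# Constructed values: hypothetical internal host and LAN ranges.
SAMPLE_URL = "http://lists.example.internal/blocklist.txt"
SAMPLE_LAN_NETWORKS = ["192.168.0.0/16", "10.0.0.0/8"]


def nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def public_upstreams(servers):
    """Nameservers that are neither loopback nor private. A lookup that falls
    through to one of these returns the host's public (WAN) address, because
    the public zone knows nothing about the LAN."""
    return [s for s in servers if ipaddress.ip_address(s).is_global]


def classify_answer(addrs, lan_networks):
    """Classify what the alias fetch would connect to: 'private' means a direct
    LAN connection, 'public' means it would need NAT reflection to work."""
    if not addrs:
        return "unresolved"
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    if any(ipaddress.ip_address(a) in n for a in addrs for n in nets):
        return "private"
    return "public"


def system_resolve(host):
    """Resolve with the firewall's own resolver (what the alias fetch uses)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_alias_url(url, resolv_conf_text, lan_networks, resolve=system_resolve):
    """Report how the firewall sees the alias host. `resolve` is injectable so
    the logic can be exercised with constructed answers instead of live DNS."""
    host = urlparse(url).hostname
    servers = nameservers(resolv_conf_text)
    addrs = resolve(host)
    return {
        "host": host,
        "answer": addrs,
        "verdict": classify_answer(addrs, lan_networks),
        "public_upstreams": public_upstreams(servers),
        "local_resolver_first": bool(servers)
        and ipaddress.ip_address(servers[0]).is_loopback,
    }


def advice(report):
    """Turn the report into the concrete fix suggested in the reply above."""
    if report["verdict"] == "private":
        return "OK: the firewall resolves the host to a LAN address."
    hints = []
    if report["public_upstreams"]:
        hints.append("remove %s from System > Settings > General (and untick the "
                     "DHCP/PPP override) so lookups stay with the local resolver"
                     % ", ".join(report["public_upstreams"]))
    hints.append("add a host override for %s in Unbound pointing at the private IP"
                 % report["host"])
    return "%s answer for %s: %s" % (report["verdict"], report["host"], "; ".join(hints))


if __name__ == "__main__":
    # Live run on the firewall: reads the real resolv.conf and system resolver.
    with open("/etc/resolv.conf") as fh:
        print(advice(check_alias_url(SAMPLE_URL, fh.read(), SAMPLE_LAN_NETWORKS)))
```

Run it on the firewall itself (not from a LAN client), since the point is what the firewall's resolver answers. A "public" verdict with public upstreams listed is the situation in the opening post: the first nameserver is Unbound, but a public server is still in the list, so an answer for the internal name comes from the public zone and the fetch goes to the WAN address.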