OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: hilfubsi on November 13, 2020, 11:17:52 am

Title: I tried to block all but approved DNS servers. It didn't do anything.
Post by: hilfubsi on November 13, 2020, 11:17:52 am
I'm trying to block all DNS queries, and only allow queries to the opnsense firewall's DNS or nextdns.io's DNS.

Attached is my config.

I try to enable or disable logging for these two rules and run `dig @1.1.1.1 example.com` but it never ever shows anything in the log (either in the web UI, or using option 10 on the serial/ssh console to opnsense) and it gets a response for any domain name I try. I would expect dig to timeout instead, and the firewall logs to show the packets were caught by the rule.

What's going on? How do I block ALL DNS queries and only allow devices inside my network to query OPNsense's internal DNS or nextdns'?
Title: Re: I tried to block all but approved DNS servers. It didn't do anything.
Post by: Gauss23 on November 13, 2020, 11:22:11 am
In the first line you have an "any/any" rule that allows just everything. Your other rules are not inspected at all.
Title: Re: I tried to block all but approved DNS servers. It didn't do anything.
Post by: hilfubsi on November 13, 2020, 11:27:01 am
Well, that's embarrassing. I should move that rule all the way down, right? If I remove it all traffic will be blocked?
Title: Re: I tried to block all but approved DNS servers. It didn't do anything.
Post by: hilfubsi on November 13, 2020, 11:30:37 am
And also, what do I need to add so that devices with a hardcoded DNS that isn't one of the allowed ones get forwarded to the firewall instead?
Title: Re: I tried to block all but approved DNS servers. It didn't do anything.
Post by: Gauss23 on November 13, 2020, 11:31:18 am
Quote from: hilfubsi on November 13, 2020, 11:27:01 am
Well, that's embarrassing. I should move that rule all the way down, right? If I remove it all traffic will be blocked?

This rule is enabled by default. It should be removed and you should create your own ruleset. When you remove it, you'll still be able to access the GUI but your internet access will be blocked. So you should add the most important rules (destination ports 80 and 443 for example).

And you don't need any block rules (apart from some scenarios). If traffic is not allowed it will be blocked automatically.
Title: Re: I tried to block all but approved DNS servers. It didn't do anything.
Post by: Gauss23 on November 13, 2020, 11:32:32 am
Quote from: hilfubsi on November 13, 2020, 11:30:37 am
And also, what do I need to add so that devices with a hardcoded DNS that isn't one of the allowed ones get forwarded to the firewall instead?

https://forum.opnsense.org/index.php?topic=9245.0
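The two points made in the replies above (an "any/any" pass rule on top shadows every rule below it, and once it is gone no block rule is needed because unmatched traffic hits the default deny) and the follow-up question about hardcoded resolvers can be checked with a small first-match model. This is an added example, not OPNsense or pf code. The addresses are placeholders: 192.168.1.1 is assumed to be the firewall's LAN address and 203.0.113.53 stands in for the nextdns.io resolver; the rule labels and the NAT model are illustrative only.

```python
"""Added example (not OPNsense or pf code): a first-match model of the LAN
ruleset discussed in this thread.  It shows why an "any/any" pass rule at
the top shadows the DNS rules beneath it (nothing is logged, dig @1.1.1.1
succeeds), why no block rule is needed once that rule is gone (implicit
default deny), and how a port-53 redirect sends hardcoded resolvers back to
the firewall.  Addresses are placeholders: 192.168.1.1 for the firewall's
LAN address and 203.0.113.53 for the nextdns.io resolver (both assumptions).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

FIREWALL_LAN = "192.168.1.1"   # assumed OPNsense LAN address
NEXTDNS = "203.0.113.53"       # placeholder, not nextdns.io's real address
APPROVED_DNS = frozenset({FIREWALL_LAN, NEXTDNS})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                            # "pass" or "block"
    label: str
    proto: Optional[str] = None            # None matches any protocol
    dst: Optional[FrozenSet[str]] = None   # None matches any destination
    dport: Optional[int] = None            # None matches any port
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or p.dst in self.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, log: List[str]) -> str:
    """First matching rule decides (OPNsense GUI rules are 'quick' by default).
    A packet that matches nothing hits the implicit default deny."""
    for r in rules:
        if r.matches(p):
            if r.log:
                log.append(f"{r.action} {p.proto} {p.src} -> {p.dst}:{p.dport} [{r.label}]")
            return r.action
    return "block"   # implicit default deny, not logged by any user rule


def redirect_dns(p: Packet) -> Packet:
    """Model of a NAT port forward applied before filtering: port 53 traffic
    to anything other than an approved resolver is rewritten to the firewall."""
    if p.dport == 53 and p.dst not in APPROVED_DNS:
        return Packet(p.src, FIREWALL_LAN, p.proto, 53)
    return p


# The ruleset as posted: the default "allow LAN to any" rule still on top.
BROKEN = [
    Rule("pass", "Default allow LAN to any rule"),
    Rule("pass", "allow DNS to approved resolvers", dst=APPROVED_DNS, dport=53, log=True),
    Rule("block", "block all other DNS", dport=53, log=True),
]

# The ruleset Gauss23 describes: default rule removed, only the needed passes,
# and no block rule at all because unmatched traffic is denied anyway.
FIXED = [
    Rule("pass", "allow DNS to approved resolvers", dst=APPROVED_DNS, dport=53, log=True),
    Rule("pass", "allow http", proto="tcp", dport=80),
    Rule("pass", "allow https", proto="tcp", dport=443),
]

# Constructed sample traffic from a LAN client (not captured data).
DIG_AT_CLOUDFLARE = Packet("192.168.1.50", "1.1.1.1", "udp", 53)
DIG_AT_NEXTDNS = Packet("192.168.1.50", NEXTDNS, "udp", 53)
HTTPS = Packet("192.168.1.50", "198.51.100.10", "tcp", 443)
SSH_OUT = Packet("192.168.1.50", "198.51.100.10", "tcp", 22)


def verdict(rules: List[Rule], p: Packet, redirect: bool = False):
    """Return (action, final destination, log lines) for one packet."""
    log: List[str] = []
    if redirect:
        p = redirect_dns(p)
    return evaluate(rules, p, log), p.dst, log


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        for p in (DIG_AT_CLOUDFLARE, DIG_AT_NEXTDNS, HTTPS, SSH_OUT):
            print(name, p.proto, p.dst, p.dport, verdict(rules, p))
    print("fixed + redirect", verdict(FIXED, DIG_AT_CLOUDFLARE, redirect=True))
```

With BROKEN the query to 1.1.1.1 passes and the log stays empty, which is exactly what the first post observed: the logging rules are never reached. With FIXED the same query is dropped by the default deny, the query to the approved resolver passes, and a port that no rule mentions (22 here) is blocked without any explicit block rule. The redirect models the usual approach in the linked topic (a port forward on the LAN interface for destination port 53, destination inverted against the approved resolvers, target the firewall itself); it only catches plain port-53 DNS, so clients that use DNS over TLS (853) or DNS over HTTPS (443) are not caught by it, and the model ignores state tracking and interface specifics.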
Title: Re: I tried to block all but approved DNS servers. It didn't do anything.
Post by: hilfubsi on November 13, 2020, 11:33:58 am
Quote from: Gauss23 on November 13, 2020, 11:31:18 am
Quote from: hilfubsi on November 13, 2020, 11:27:01 am
Well, that's embarrassing. I should move that rule all the way down, right? If I remove it all traffic will be blocked?

This rule is enabled by default. It should be removed and you should create your own ruleset. When you remove it, you'll still be able to access the GUI but your internet access will be blocked. So you should add the most important rules (destination ports 80 and 443 for example).

And you don't need any block rules (apart from some scenarios). If traffic is not allowed it will be blocked automatically.

I'm worried this would break a lot of things on my network, like consoles and other things that need UPnP to work.