OPNsense Forum

English Forums => General Discussion => Topic started by: mayo on November 08, 2018, 01:34:41 pm

Title: Advices to configure Unbound and Bind plugin for ad-block
Post by: mayo on November 08, 2018, 01:34:41 pm
Hi everybody,
I would like to configure my OPNsense as the internal DNS server for my home network.
I don't want to make mistakes, so may I ask what the best way is to configure Unbound and Bind to act (also) as an ad-block? I'm not sure how to route all traffic on the LAN to ask only OPNsense for DNS...
Any advice is welcome!
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: tofaz on November 10, 2018, 12:58:57 am
Hi,

In my scenario I have configured OPNsense to use Unbound and to forward my requests to external servers (you can configure it as you wish). This is beneficial first because you can cache client requests, saving a little bit of bandwidth and reducing response times (unnoticeably). But you have to enable Unbound to accomplish this.

My technique is to provide a list of ad site URLs to Unbound and configure it to refuse DNS resolution for all of them. So far it seems to work very well and it catches most of the ads on web pages.

You can download the config file with the list that I have collected on the internet here: https://tofanos.com/gabri/media/ad-blacklist.conf

Here are the steps to enable the configuration:

1) Enable SSH access to the firewall by checking System -> Settings -> Administration -> Enable Secure Shell
2) Secure copy the file to /var/unbound
3) Add “include: /var/unbound/ad-blacklist.conf” to Services -> Unbound DNS -> General -> Custom options
4) Save and apply changes
5) Disable SSH access by un-checking System -> Settings -> Administration -> Enable Secure Shell

Your clients have to use your firewall's LAN address now in order to use this feature.

You can test the new config by trying to resolve, from a client in your network, one of the URLs listed in the file. Let’s use “adservices.google.com”:

- On a laptop open the terminal and execute nslookup adservices.google.com
You should receive the following response: server can’t find adservices.google.com: REFUSED

Now you will notice many “empty slots” in the websites you are viewing, since all the ads are being blocked.

Hope this helps you out!
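The post above describes an include file that makes Unbound answer REFUSED for a list of ad domains. The following script is an added example (not tofaz's list or tooling, and not part of OPNsense) that builds such a file from a plain or hosts-file style domain list: it validates every name so a stray line cannot break the Unbound config, deduplicates, and drops entries already covered by a parent domain, because a `local-zone: "<name>" refuse` entry applies to every name below it. The sample list embedded in it is constructed for the demonstration.

```python
"""Build an Unbound ad-block include file (local-zone ... refuse) from a domain list.

Added example for this thread, not tofaz's script or OPNsense code. It assumes the
output is referenced from the Unbound custom options as
``include: /var/unbound/ad-blacklist.conf`` and that each listed name should be
answered with REFUSED, which is what ``local-zone: "<name>" refuse`` does.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample input (not tofaz's real list): mixes plain names,
# a hosts-file style line, a trailing-dot FQDN, a covered subdomain and junk.
SAMPLE_LIST = """\
# constructed sample, not a real blocklist
adservices.google.com
0.0.0.0 tracker.example.net  # hosts-file style line
tracker.example.net.
ads.tracker.example.net
not a domain!
-bad.example.org
"""


def _is_address(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def normalize(name: str) -> Optional[str]:
    """Return a lower-cased FQDN without trailing dot, or None if it is not a valid hostname."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return name


def parse_list(lines: Iterable[str]) -> List[str]:
    """Accept one-name-per-line lists and hosts-file lines ("0.0.0.0 ads.example").
    Comments (#) and blank lines are skipped; invalid names are dropped, not emitted."""
    names = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # hosts-file format: first field is an address, the remaining fields are names
        if len(fields) > 1 and _is_address(fields[0]):
            candidates = fields[1:]
        else:
            candidates = fields[:1]
        for candidate in candidates:
            fqdn = normalize(candidate)
            if fqdn:
                names.add(fqdn)
    return sorted(names)


def prune_covered(names: List[str]) -> List[str]:
    """Drop names whose parent domain is also listed: a refuse local-zone covers
    every name below it, so the child entry is redundant."""
    kept = set(names)
    out = []
    for fqdn in sorted(names):
        parts = fqdn.split(".")
        if any(".".join(parts[i:]) in kept for i in range(1, len(parts))):
            continue
        out.append(fqdn)
    return out


def render(names: List[str]) -> str:
    """Emit one refuse local-zone per name, quoted so Unbound's parser is unambiguous."""
    lines = ["# generated ad-block list: every name below answers REFUSED"]
    lines += [f'local-zone: "{fqdn}" refuse' for fqdn in prune_covered(names)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the result to stdout; redirect it into the include file on the firewall.
    print(render(parse_list(SAMPLE_LIST.splitlines())), end="")
```

After copying the generated file to /var/unbound and adding the include line, `unbound-checkconf /var/unbound/unbound.conf` confirms the result parses before Unbound is restarted.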
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mayo on November 12, 2018, 05:29:36 pm
Thank you!
No need for Bind?
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimugmail on November 12, 2018, 07:56:17 pm
Or with Bind:
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mayo on November 13, 2018, 08:45:54 am
Thank you mimugmail, I followed your how-to, but I have a question: before this configuration I made a firewall rule for all the clients for port 53 (similar to the one in the link for port 535350) for DNS requests. Do I have to disable it?
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimugmail on November 13, 2018, 10:20:17 am
Do you use Unbound as primary resolver or just NAT to localhost/53530?
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mayo on November 13, 2018, 02:18:49 pm
Unbound as primary resolver (default config).
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimugmail on November 13, 2018, 02:22:48 pm
Then you don't need a firewall rule.
Just add an ACL in BIND for 127.0.0.0/8 and put it in Recursion.
Then in Unbound do the forward via Advanced option like in the howto.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mayo on November 13, 2018, 02:55:44 pm
Thank you so much!
Do I have to delete the rule for DNS on port 53 only, or also the one for 53530 as described in the link (I have two rules now)?
For the ACL I filled it in with my LAN address for now; I will delete it and put in 127.0.0.0/8.
Sorry, but I'm quite new to firewalling  :)
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimugmail on November 13, 2018, 06:27:26 pm
You can remove the firewall rules, as DNS is always allowed when using Unbound.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mayo on November 24, 2018, 04:39:17 pm
Then you don't need a firewall rule.
Just add an ACL in BIND for 127.0.0.0/8 and put it in Recursion.
Then in Unbound do the forward via Advanced option like in the howto.

Tried to put 127.0.0/8 in the ACL but the Bind plugin doesn't start.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimugmail on November 24, 2018, 04:53:13 pm
Is the listen port already in use?
What about logs?
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mayo on November 24, 2018, 05:00:14 pm
For listen I have the defaults: IP 127.0.0.1 on port 53530
No logs for Bind: the file /var/log/named/named.log doesn't exist.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimugmail on November 24, 2018, 05:13:39 pm
Can you reinstall the plugin? Also please check system.log
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mayo on November 24, 2018, 05:21:14 pm
I've solved it by adding my LAN /24 to the ACL. I also have 127.0.0.0/8 in the ACL. Is that right?
(thank you for following me through the configuration  ;))
UPDATE: Bind started, but there aren’t any query logs for the service.
UPDATE 2: Firewall rule created, Bind has started to log queries.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mayo on November 24, 2018, 06:16:25 pm
After configuring Bind, my network devices are no longer resolved as .myhome but as .local. Any idea?
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimino on December 21, 2018, 07:33:33 pm
The recipe described here, https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/, doesn't seem to work without firewall rules, which basically eliminate Unbound altogether. Just like mayo, I wasn't able to get it to work with the Unbound 'forward-addr'. Not sure what the issue is, and the Unbound log just says that the UDP query to 127.0.0.1:53530 timed out, with no sign of DNS queries on the BIND side. Would really appreciate it if some gurus could shed some light on what might be happening here.

Update: I tried Unbound forwarding to a pi-hole instance I have running on my LAN, and forwarding didn't work either. There might be something crucial we're missing in the Unbound configuration, we just have to figure out what that is.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimugmail on December 21, 2018, 08:54:38 pm
Outbound interface localhost?
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimino on December 21, 2018, 09:05:27 pm
Outbound interface localhost?
Nailed it! Thanks.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mayo on January 15, 2019, 02:18:22 pm
Hi mimino, could you please describe your configuration (I'll use Unbound with the default config together with Bind)? I'm trying to configure it from scratch and I don't want to make mistakes...
Thank you so much!
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: Northguy on January 15, 2019, 04:00:27 pm
Hi mimino, could you please describe your configuration (I'll use Unbound with the default config together with Bind)? I'm trying to configure it from scratch and I don't want to make mistakes...
Thank you so much!

Just follow the instructions from https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/ and don't forget to set Outbound interface to localhost in the Unbound settings. That is all.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: Brent Dacus on January 20, 2019, 06:57:55 pm
All:

Trying to configure the BIND plugin. I have read several posts and

followed this guide: https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/

It seems to work, but I have some questions.

I also read this: https://wiki.opnsense.org/manual/how-tos/bind.html

My goal is to have everything filtered and blocked, using Unbound with forwarding and no firewall rules. Not sure which guide to use?

What I have before changing anything.
System -> Settings -> General: DNS servers set to external DNS, i.e. 1.1.1.1, 8.8.8.8

Unbound DNS General
   Enable resolver
   Network Interface: ALL
   Local Zone: Transparent
   Enable Forward
   DHCP registrations and static mappings
   No custom entries
   Outgoing Network Interfaces: ALL

DHCPv4
No DNS server set; the router IP is handed to clients as DNS


Questions:

This guide, https://wiki.opnsense.org/manual/how-tos/bind.html,
doesn't have a firewall rule. It only has the Custom section.
Should I use this guide? Does this work directly with Unbound and my setup above?

I ask because when reading posts I found this:
https://forum.opnsense.org/index.php?topic=10180.msg46878#msg46878
But that didn't seem to work for Mayo or Mimino.
Northguy said to use mimugmail's guide and set localhost as outgoing. But that guide includes a firewall rule.

Still a bit confused...

Also, do I need to change any of my config above?
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimugmail on January 20, 2019, 07:09:42 pm
System DNS empty and Unbound outgoing interface set to localhost should be fine.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: Brent Dacus on January 20, 2019, 07:18:21 pm
OK, so this guide,
https://wiki.opnsense.org/manual/how-tos/bind.html, or in general your guide without the firewall rule.

Set unbound
custom to
do-not-query-localhost: no
forward-zone:
name: „.“
forward-addr: 127.0.0.1@53530

outgoing set to localhost

and only change
System -> Settings -> General DNS servers to blank


Ok here we go...
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimugmail on January 20, 2019, 10:09:41 pm
Bind needs an ACL for the localhost network. Then start looking at both logs.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: Brent Dacus on January 22, 2019, 11:57:10 pm
All:

I sorted it. The documentation here, https://wiki.opnsense.org/manual/how-tos/bind.html,
and
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/

has a TYPO.

do-not-query-localhost: no
forward-zone:
name: „.“      <------------ Should be "."
forward-addr: 127.0.0.1@53530

If you copy and paste the above into the Custom section in Unbound,
it creates this in unbound.conf:

# Unbound custom options
do-not-query-localhost: no
forward-zone:
name: �^`^~.�^`^|    <----------------Bad characters
forward-addr: 127.0.0.1@53530


Please use the below and retest.

do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530

Also, OPNsense and mimugmail, please update the syntax in the documentation.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: apiods on January 23, 2019, 12:39:50 pm
Have tried setting this up, but am getting SERVFAIL when querying the Unbound DNS service. I think the problem is related to:
do-not-query-localhost
I added it to the custom config, but Unbound would not reload, error:
Quote
opnsense: /services_unbound.php: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was '/var/unbound/unbound.conf:106: error: syntax error read /var/unbound/unbound.conf failed

Line 106 was:
do-not-query-localhost: no

Ran:  unbound-checkconf /var/unbound/unbound.conf
/var/unbound/unbound.conf:106: error: syntax error
read /var/unbound/unbound.conf failed: 1 errors in configuration file

Removed this line, and Unbound started fine, but would not resolve queries; it returned SERVFAIL (I assume because it's not allowing lookups to localhost).

Looking at other forums, it's mentioned a few times that 'do-not-query-localhost' needs to be set in the server: section of the conf file.
In this case it's set outside of it, but if others have had it working successfully I'm wondering why it's an issue for me!

Running: OPNsense 18.7.10_3

Thanks.
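Two of the failures in this thread come from the text pasted into Services -> Unbound DNS -> General -> Custom options rather than from the forwarding design itself: Brent Dacus found that the typographic quotes in `name: „.“` reach unbound.conf as bad characters, and apiods hit a syntax error on `do-not-query-localhost: no`, an option that belongs to the `server:` clause. The following linter is an added example (not OPNsense code and not anything from the guides linked above) that checks a custom-options block for both problems before it is saved. The `preceding_zone_clauses` parameter is an assumption used to model apiods' case: if the generated unbound.conf already has a zone clause ahead of the custom block (apiods reports that a Domain Override inserts lines before it), a server-only option in the custom block ends up inside that clause, which Unbound rejects.

```python
"""Lint the text pasted into Unbound's Custom options box.

Added example for this thread, not OPNsense code. It flags non-ASCII quote
characters (the „.“ typo) and server-clause options that appear after a zone
clause, and can rewrite the quotes to plain ASCII double quotes.
"""
from typing import List

# Quote characters commonly produced by word processors and wiki rendering,
# mapped to the plain ASCII quote Unbound's parser expects.
SMART_QUOTES = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"', "\u201f": '"',
    "\u00ab": '"', "\u00bb": '"',
    "\u2018": "'", "\u2019": "'", "\u201a": "'",
}

# Clause headers that end the server: clause; options after them belong to the clause.
ZONE_CLAUSES = ("forward-zone:", "stub-zone:", "auth-zone:", "view:")

# Server-clause-only options relevant to the configs discussed in this thread.
SERVER_ONLY = {"do-not-query-localhost", "local-zone", "local-data", "access-control"}

# Constructed samples: the working block from the thread, and the same block
# with the typographic quotes that the guides rendered.
GOOD_BLOCK = (
    "do-not-query-localhost: no\n"
    "forward-zone:\n"
    'name: "."\n'
    "forward-addr: 127.0.0.1@53530\n"
)
BAD_BLOCK = GOOD_BLOCK.replace('"."', "\u201e.\u201c")


def normalize_quotes(text: str) -> str:
    """Replace every typographic quote with its ASCII equivalent."""
    for bad, good in SMART_QUOTES.items():
        text = text.replace(bad, good)
    return text


def lint(text: str, preceding_zone_clauses: int = 0) -> List[str]:
    """Return human-readable findings for a custom-options block.

    preceding_zone_clauses > 0 declares that unbound.conf already contains a
    zone clause ahead of this block (assumed model of a Domain Override), so any
    server-only option in the block is no longer inside the server: clause.
    """
    findings = []
    in_zone = preceding_zone_clauses > 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        bad = [ch for ch in line if ch in SMART_QUOTES]
        if bad:
            findings.append(
                f"line {lineno}: non-ASCII quote {bad[0]!r} (U+{ord(bad[0]):04X}); "
                'use a plain " instead'
            )
        if any(line.startswith(clause) for clause in ZONE_CLAUSES):
            in_zone = True
            continue
        key = line.split(":", 1)[0].strip()
        if key in SERVER_ONLY and in_zone:
            findings.append(
                f"line {lineno}: '{key}' is a server: option but appears after a zone clause; "
                "move it above any forward-zone/stub-zone (or into the server section)"
            )
    return findings


if __name__ == "__main__":
    for label, block in (("good", GOOD_BLOCK), ("bad quotes", BAD_BLOCK)):
        print(f"--- {label} ---")
        for finding in lint(block) or ["no findings"]:
            print(finding)
    print("--- good block, but a zone clause already precedes it ---")
    for finding in lint(GOOD_BLOCK, preceding_zone_clauses=1):
        print(finding)
```

Running `unbound-checkconf /var/unbound/unbound.conf`, as apiods did, remains the authoritative check; the linter only catches the two paste-time mistakes from this thread before the config is applied.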
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: Brent Dacus on January 24, 2019, 01:18:34 am
Quote
Have tried setting this up, but am getting SERVFAIL when querying the Unbound DNS service. I think the problem is related to:
do-not-query-localhost
I added it to the custom config, but Unbound would not reload, error:
Quote
opnsense: /services_unbound.php: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was '/var/unbound/unbound.conf:106: error: syntax error read /var/unbound/unbound.conf failed

Line 106 was:
do-not-query-localhost: no

In the Custom section in Unbound advanced

you need the entire section:

do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530


Which guide did you follow? The guides are not very thorough.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: apiods on January 24, 2019, 10:00:31 am
you need the entire section

do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530


Which guide did you follow? The guides are not very thorough.

Sorry, it wasn't clear in my post, but I did indeed have the complete config in the custom section:

do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530

Then I got the Unbound startup error, as it didn't like "do-not-query-localhost: no". Having removed just that one line, Unbound did start okay, but would not resolve (returned SERVFAIL), I assume because it now can't use localhost to resolve.

Which guide did you follow? The guides are not very thorough.

I just used the ones mentioned in this thread:
https://wiki.opnsense.org/manual/how-tos/bind.html
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/

Plus the tip in this thread to configure Unbound with Outbound interface: localhost.
The guides seem pretty straightforward; I just don't understand why I seem to be the only one getting an error when using "do-not-query-localhost: no"!
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: apiods on January 24, 2019, 10:34:38 am
Quote
opnsense: /services_unbound.php: The command '/usr/local/sbin/unbound -c '/var/unbound/unbound.conf'' returned exit code '1', the output was '/var/unbound/unbound.conf:106: error: syntax error read /var/unbound/unbound.conf failed

Line 106 was:
do-not-query-localhost: no

Okay... I found the cause of my issue and "fixed" it. Unbound would not start with the custom options config in place because I also had a 'Domain Override' in place, for a sub-domain I use for testing locally.

Once I removed the Domain Override, Unbound started fine and forwarding to BIND on localhost worked.
I assume it's something in the config order that Unbound does not like, as the domain override inserts a couple of lines in unbound.conf before the custom options.

How can I report this as a bug?
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mimugmail on January 24, 2019, 12:19:47 pm
Here:

https://github.com/opnsense/core/issues

But it's more a feature request than a bug.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: skirge01 on May 28, 2019, 08:17:07 pm
Throughout this thread I kept reading "set Outbound interface to localhost in the Unbound settings" and I want to make sure I'm understanding everyone. I've attached what my Unbound DNS -> General page looks like. Are you talking about the second-to-last setting, "Outgoing Network Interfaces" (which is set to "All (recommended)"), being set to "LAN" instead?

Thanks.
Title: Re: Advices to configure Unbound and Bind plugin for ad-block
Post by: mogg on January 07, 2020, 04:21:51 am
I followed the instructions at https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin, and am successfully blocking ads for my LAN. However, local DNS via DHCP registration no longer works for the local network. For example:

~> nslookup brother.localdomain
Server:      192.168.1.1
Address:   192.168.1.1#53

** server can't find brother.localdomain: NXDOMAIN

If I disable the port forward to BIND (Firewall -> NAT -> Port Forward), then local DNS works fine:

~> nslookup brother.localdomain
Server:      192.168.1.1
Address:   192.168.1.1#53

Name:   brother.localdomain
Address: 192.168.1.7

How can I configure OPNsense to use both the BIND DNSBL and local DNS via DHCP registration?