Hi,
I recently created a NAT rule redirecting all DNS lookups from clients on my network(s) to the opnsense box (unbound).
Seems to work fine. If I try to do a DNS lookup from one of my clients to a non-existing DNS server I still get an answer (from unbound).
However, in the log, I still see unknown DNS lookups to servers I have not set in System: Settings: General:
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:29809 40.90.4.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:27319 13.107.24.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:38033 64.4.48.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:5254 64.4.48.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:34242 13.107.24.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:33800 40.90.4.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:35915 13.107.24.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:59161 13.107.24.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:36519 40.90.4.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:54124 40.90.4.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 xxx.xxx.xxx.xxx:38769 13.107.160.201:53 udp let out anything from firewall host itself (force gw)
I also see them when doing a packet capture on the WAN interface.
Anyone know why the firewall uses DNS servers not specified by me?
BR/Nylund
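Added example, not from the thread: a small parser for the firewall log format pasted above that lists port-53 flows leaving the firewall host itself to servers other than the ones configured under System: Settings: General. The sample lines are constructed in the same format (the masked source address is replaced with a documentation address) and the forwarder set is an assumption.

```python
import re
from collections import Counter

# Matches OPNsense firewall log lines of the form pasted in the thread:
# "WAN Feb 12 10:48:27 <src>:<sport> <dst>:<dport> udp let out anything from firewall host itself (force gw)"
LOG_RE = re.compile(
    r"^(?P<iface>\S+)\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<rule>.*)$"
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def unexpected_dns_destinations(lines, forwarders, iface="WAN"):
    """Count port-53 flows from the firewall host on `iface` to servers not in `forwarders`."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["iface"] != iface or rec["dport"] != "53":
            continue
        # "let out anything from firewall host itself" is the implicit rule for traffic
        # originating on the box, i.e. Unbound resolving on its own rather than a client.
        if "from firewall host itself" not in rec["rule"]:
            continue
        if rec["dst"] not in forwarders:
            hits[rec["dst"]] += 1
    return dict(hits)

# Constructed sample: three lookups to authoritative servers seen in the thread, one to a
# configured forwarder (8.8.8.8, assumed), and one non-DNS flow that must be ignored.
SAMPLE_LOG = """\
WAN Feb 12 10:48:27 198.51.100.10:29809 40.90.4.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 198.51.100.10:27319 13.107.24.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:27 198.51.100.10:33800 40.90.4.201:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:28 198.51.100.10:40100 8.8.8.8:53 udp let out anything from firewall host itself (force gw)
WAN Feb 12 10:48:28 198.51.100.10:51022 203.0.113.7:443 tcp let out anything from firewall host itself (force gw)
""".splitlines()

if __name__ == "__main__":
    for dst, n in unexpected_dns_destinations(SAMPLE_LOG, {"8.8.8.8", "8.8.4.4"}).items():
        print(f"{dst}: {n} lookups not sent via a configured forwarder")
```

An empty result after switching Unbound to forwarding mode confirms the box only talks to the configured servers; a non-empty one means it is still resolving recursively or another local service is doing lookups.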
Hi!
I looked up 2 of these IPs, apparently Microsoft trash. Do you have any Win10 on your network?
Yes, appears to be azure-dns lookups.
I have a win2016 server.
But any dns lookup from my clients should be redirected by the NAT rule.
Maybe check if your DNS Unbound is listening on the WAN interface as well.
Default is ALL interfaces
Reduce it to LAN
Thanks, yes it was set to all. I have changed that now but it still does a lot of ns lookups to different nameservers.
64.4.48.201:53
216.239.38.10:53
205.251.198.210:53
170.33.24.73:53
13.107.160.201:53
And so on... :(
Did you pcap the interface with the MS Win server to see if the requests come from this machine?
By default, unbound works as a recursive resolver. It will only use the DNS servers from System / Settings / General if you enable forwarding mode.
Cheers
Maurice
Quote from: Maurice on February 12, 2020, 02:40:14 PM
By default, unbound works as a recursive resolver. It will only use the DNS servers from System / Settings / General if you enable forwarding mode.
Cheers
Maurice
Ahhh thanks! :)
Found the setting to change to forwarding mode. Now it only resolves using my specified forwarders.
Nylund,
you made me curious and I did exactly the same as you now with the forwarders.
Had to google what DNS the FW does contact.
But for now I went with 8.8.8.8 and 8.8.4.4. Which is fine.
btw: maybe take a look at DNSBL via unbound.
install the package via console "pkg install os-unbound-plus-devel"
then select the blocklists you want.
cheers A
If I didn't misunderstand you, DNSBL is already part of the plugin os-dnscrypt-proxy.
https://homenetworkguy.com/how-to/configure-dns-over-https-dnscrypt-proxy-opnsense/
miroco
Quote from: miroco on February 12, 2020, 08:58:06 PM
If I didn't misunderstand you, DNSBL is already part of the plugin os-dnscrypt-proxy.
https://homenetworkguy.com/how-to/configure-dns-over-https-dnscrypt-proxy-opnsense/
miroco
Hello Miroco,
thanks for the article. I did install the package for Unbound as I do not use DNSCrypt yet.
But will for sure take a look at the documentation you posted!
thank you!
armin
Sweet thanks for this @miroco I just set mine up similar to this as well and makes me much happier to see the encryption in progress.
Quote from: miroco on February 12, 2020, 08:58:06 PM
If I didn't misunderstand you, DNSBL is already part of the plugin os-dnscrypt-proxy.
https://homenetworkguy.com/how-to/configure-dns-over-https-dnscrypt-proxy-opnsense/
miroco
Quote from: miroco on February 12, 2020, 08:58:06 PM
If I didn't misunderstand you, DNSBL is already part of the plugin os-dnscrypt-proxy.
https://homenetworkguy.com/how-to/configure-dns-over-https-dnscrypt-proxy-opnsense/
miroco
Dear Miroco
I am struggling with the config. Yes it is well explained, I guess I have a misconfig on my system with unbound.
Used a port forward to route internal DNS traffic to 127.0.0.1 and set up the LAN FW rule to allow it.
Unbound I configured to use system tab forwarders (system - settings - general -> dns server pointing to WAN GW).
I removed them, disabled Unbound and activated dnscrypt.
Left the servers on the last position on default and did not specify any in server tab.
Also used the option Allow Privileged Ports and changed listener to 127.0.0.1.
BUT.. do not get any names resolved so far.
What did i miss?
Thank you very much.
armin
PDF attached shows the config page. And YES i had to disable it again.
ArminF, did you tick the box that says Enable DNSCrypt-Proxy at the very top?
Quote from: cguilford on February 13, 2020, 03:30:21 PM
ArminF, did you tick the box that says Enable DNSCrypt-Proxy at the very top?
Also did you fill out the Server list section at the bottom... IE I have Cloudflare and quad9-doh-ip4-filter-pri
Yes thanks
I did and tested but still have something missing or misconfigured on my system through using unbound.
Maybe the NAT, but this only routes LAN traffic on 53 to 127.0.0.1.
The needed FW rule allows it.
I did set up unbound to be a forwarder using the DNS server in the System - General menu.
As soon as I removed them, disabled unbound and activated DNSCrypt no resolution could be done.
And YES I set up some DoH and DNSCrypt on the servers tab and as far as I understood if you leave the field blank it will use any of the "known" ones.
thanks
Looks like per - https://github.com/opnsense/docs/blob/master/source/manual/how-tos/dnscrypt-proxy.rst
You have to add your LAN IP to the listening port as well at the bottom of the page -----
Now change to Services->DNSCrypt-Proxy->Configuration and add your Local LAN IP address to the Listen Address field, e.g. 192.168.2.1:53.
Optionally you can set :53 to listen on all addresses like the default behaviour in Unbound.
Quote from: cguilford on February 13, 2020, 03:41:08 PM
Looks like per - https://github.com/opnsense/docs/blob/master/source/manual/how-tos/dnscrypt-proxy.rst
You have to add your LAN IP to the listening port as well at the bottom of the page -----
Now change to Services->DNSCrypt-Proxy->Configuration and add your Local LAN IP address to the Listen Address field, e.g. 192.168.2.1:53.
Optionally you can set :53 to listen on all addresses like the default behaviour in Unbound.
Thank you very much! Much appreciated!
Will try and report!
OK, one step further
- removed DNS forward settings in System - General
- disabled Unbound Service
- Set a few servers in DNSCrypt Server tab (https://dnscrypt.info/public-servers/)
Here I copied the sdns stamps and pasted them
- Set listener to 127.0.0.1:53 and 192.168.1.1:53
- tried to start DNSCrypt service
---> failed did not start
Error in log: [FATAL] Stamp error for the static [quad9-dnscrypt-ip4-filter-pri] definition: [illegal base64 data at input byte 4]
Removed all the servers and tried to start
--> WORKS !!
Need to check deeper if copy and paste of the sdns stamps somehow messed it up.
Thank you all for your support and help!
[NOTICE] dnscrypt-proxy is ready - live servers: 55 :)
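Added example, not from the thread or from dnscrypt-proxy: a small encoder and parser for DNSCrypt stamps (the sdns:// strings pasted into the server tab) that checks the base64url alphabet strictly, so a stray space or line break from copy and paste fails with the same wording as the "illegal base64 data at input byte 4" error above. The server address, public key and provider name used are constructed placeholders.

```python
import base64
import string
import struct

# DNS Stamp layout (DNSCrypt, protocol 0x01): base64url without padding of
#   1 byte protocol | 8 bytes props (little endian) | vlen addr | vlen public key | vlen provider name
B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")
PROTO_DNSCRYPT = 0x01
PROPS = {"dnssec": 1, "no_logs": 2, "no_filter": 4}

def _vlen(data):
    if len(data) > 255:
        raise ValueError("field too long for a DNS stamp")
    return bytes([len(data)]) + data

def build_dnscrypt_stamp(addr, public_key, provider_name, props=0):
    body = bytes([PROTO_DNSCRYPT]) + struct.pack("<Q", props)
    body += _vlen(addr.encode()) + _vlen(public_key) + _vlen(provider_name.encode())
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()

def parse_stamp(stamp):
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    payload = stamp[len("sdns://"):]
    # Python's urlsafe_b64decode silently drops characters outside the alphabet, so check
    # them explicitly; the byte offset mirrors what dnscrypt-proxy logs for a bad paste.
    for i, ch in enumerate(payload):
        if ch not in B64URL_ALPHABET:
            raise ValueError(f"illegal base64 data at input byte {i}")
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    if len(raw) < 9 or raw[0] != PROTO_DNSCRYPT:
        raise ValueError("not a DNSCrypt stamp")
    props = struct.unpack_from("<Q", raw, 1)[0]
    pos = 9
    def field():
        nonlocal pos
        if pos >= len(raw):
            raise ValueError("truncated stamp")
        n, out = raw[pos], raw[pos + 1:pos + 1 + raw[pos]]
        pos += 1 + n
        if len(out) != n:
            raise ValueError("truncated stamp")
        return out
    addr, public_key, provider = field().decode(), field().hex(), field().decode()
    return {"addr": addr, "public_key": public_key, "provider": provider,
            **{name: bool(props & bit) for name, bit in PROPS.items()}}

# Constructed placeholder values (documentation address, dummy key, example provider name).
EXAMPLE_STAMP = build_dnscrypt_stamp("192.0.2.53:8443", bytes([0x11]) * 32,
                                     "2.dnscrypt-cert.example.net", props=7)
```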