OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: byteXpression on December 31, 2020, 05:10:17 PM

Title: DNS Port 53 Leak
Post by: byteXpression on December 31, 2020, 05:10:17 PM
I am using OPNsense as a transparent filtering bridge behind another router.
So OPNsense is not directly exposed to the Internet, but is used as bridge for two internal networks.
I also have Suricata installed, running in promiscuous mode, and it is giving me alarms for port 53 DNS requests coming directly from the OPNsense box. I also have a secondary monitoring system in place, and the DNS requests are not coming from any device on the network, as I am logging those requests as well.
In the Suricata alarm log the interface tab is also blank, which means the DNS requests are coming directly from the OPNsense box itself (and the DNS lookups are not coming from any connected interface)?
In addition I have unchecked Unbound, and normally only the DNS server from my ISP should be used. I wonder why OPNsense is trying to contact those various servers on port 53 (according to tracert and whois information some servers are US government and military sites, etc.)?
So my question is: why is OPNsense generating those requests via port 53 by itself?
How can I configure OPNsense to stick to specific DNS servers only?
Something is really strange here?
Any advice is appreciated.
Title: Re: DNS Port 53 Leak
Post by: chemlud on December 31, 2020, 05:57:26 PM
Show a list of the IPs contacted. Root servers for DNS?

Which device does the DNS in your network, the "other router" or OPNsense? When Unbound is "unchecked", which DNS servers are entered in General setup? Or is it allowed to use servers provided by the ISP?
Title: Re: DNS Port 53 Leak
Post by: byteXpression on January 01, 2021, 12:20:35 PM
Hello chemlud,
Thank you for your response...

Some examples of the contacted servers by OPNsense:
198.97.190.53   53   ET INFO Observed DNS Query to .biz TLD
192.5.5.241   53   ET INFO Observed DNS Query to .biz TLD
192.33.4.12   53   ET INFO Observed DNS Query to .biz TLD
192.203.230.10   53   ET INFO Observed DNS Query to .biz TLD

I have configured OPNsense to receive an internal DHCP address from my main router which also serves as the local DNS server. So OPNsense (the configured network interface of OPNsense) is getting an internal IP address and the DNS server information (which is the main router) via the DHCP request.
The main router is configured to get its DNS information (external DNS servers) from the ISP (Telekom).

Under System->General->Network I have not configured any DNS servers. "Overwrite DNS server list via DHCP" is checked. "Do not use the local DNS service as a nameserver for this system" is not checked (maybe this should be checked, but as I am not using Unbound nor DynamicDNS nor OpenDNS, etc., is this important to check?)

I would expect that OPNsense only contact the main router for DNS queries, but not reach out to the (root) servers above.
The servers I listed are just some examples; there are many more connection requests to many more (root) servers via port 53.
Title: Re: DNS Port 53 Leak
Post by: chemlud on January 01, 2021, 02:14:10 PM
Quote from: byteXpression on January 01, 2021, 12:20:35 PM
198.97.190.53    = h.root-servers.net
192.5.5.241      = f.root-servers.net
192.33.4.12      = c.root-servers.net
192.203.230.10   = e.root-servers.net
Quote
I have configured OPNsense to receive an internal DHCP address from my main router which also serves as the local DNS server. So OPNsense (the configured network interface of OPNsense) is getting an internal IP address and the DNS server information (which is the main router) via the DHCP request.
The main router is configured to get its DNS information (external DNS servers) from the ISP (Telekom).

Under System->General->Network I have not configured any DNS servers. "Overwrite DNS server list via DHCP" is checked. "Do not use the local DNS service as a nameserver for this system" is not checked (maybe this should be checked, but as I am not using Unbound nor DynamicDNS nor OpenDNS, etc., is this important to check?)

Yes, this is what's happening here. You have not configured Unbound for your clients, but OPNsense is using the root servers. Read about "recursive resolver"...
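As an added example (not from this thread, not OPNsense's or Suricata's own code), the two checks a reader would want after the exchange above, in the POSIX shell one would type on the FreeBSD-based firewall: sort Suricata's port-53 alerts by whether the destination is one of the root servers named above and whether the source is the firewall's own address, and test whether the system resolver points at the local Unbound. The four root-server addresses are the real assignments chemlud listed; the fast.log lines and the resolv.conf content are constructed samples, the rule SIDs in them are placeholders rather than real ET rule IDs, and the assumption that OPNsense writes `nameserver 127.0.0.1` into /etc/resolv.conf when "Do not use the local DNS service as a nameserver for this system" is unchecked and Unbound is enabled is mine.

```shell
#!/bin/sh
# Added example: classify Suricata port-53 alerts (root server or not, firewall
# or client as source) and check whether the box resolves through local Unbound.

# The four root-server addresses named in the thread (real assignments).
ROOT_SERVERS='198.97.190.53=h.root-servers.net
192.5.5.241=f.root-servers.net
192.33.4.12=c.root-servers.net
192.203.230.10=e.root-servers.net'

# root_server_name IP: prints the root-server hostname, or "not-a-root-server".
root_server_name() {
    name=$(printf '%s\n' "$ROOT_SERVERS" | awk -F= -v ip="$1" '$1 == ip { print $2; exit }')
    if [ -n "$name" ]; then printf '%s\n' "$name"; else printf 'not-a-root-server\n'; fi
}

# classify_dns_alerts FIREWALL_IP  (fast.log on stdin)
# Emits one CSV line per port-53 alert: src,dst,dst-name,from-firewall|from-client
classify_dns_alerts() {
    awk -v fw="$1" -v roots="$ROOT_SERVERS" '
    BEGIN {
        n = split(roots, line, "\n")
        for (i = 1; i <= n; i++) { split(line[i], kv, "="); root[kv[1]] = kv[2] }
    }
    # fast.log ends each alert line with "{PROTO} src:port -> dst:port"
    / -> [0-9.]+:[0-9]+$/ {
        src = $(NF-2); sub(/:[0-9]+$/, "", src)
        split($NF, d, ":")
        if (d[2] != "53") next
        name   = (d[1] in root) ? root[d[1]] : "not-a-root-server"
        origin = (src == fw) ? "from-firewall" : "from-client"
        print src "," d[1] "," name "," origin
    }'
}

# resolver_uses_local_unbound  (resolv.conf on stdin)
# Exit 0 if a nameserver line points at 127.0.0.1, i.e. the box sends its own
# lookups to local Unbound. Assumption (mine, not documented here): this is what
# OPNsense writes when the "Do not use the local DNS service..." box is unchecked.
resolver_uses_local_unbound() {
    grep -Eq '^nameserver[[:space:]]+127\.0\.0\.1$'
}

# Constructed sample data. SIDs are placeholders, not real ET rule IDs;
# 192.168.1.2 is the firewall's DHCP address, 192.168.1.1 the upstream router,
# 192.168.1.50 a LAN client.
SAMPLE_ALERTS='12/31/2020-17:05:10.123456  [**] [1:9999001:1] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.2:51234 -> 198.97.190.53:53
12/31/2020-17:05:11.654321  [**] [1:9999001:1] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.50:40000 -> 192.168.1.1:53
12/31/2020-17:05:12.000000  [**] [1:9999001:1] ET INFO Observed DNS Query to .biz TLD [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.2:51235 -> 192.5.5.241:53'
SAMPLE_RESOLV_CONF='search example.lan
nameserver 127.0.0.1
nameserver 192.168.1.1'

# count_firewall_root_queries FIREWALL_IP: number of sample alerts in which the
# firewall itself queried a root server (the pattern chemlud describes).
count_firewall_root_queries() {
    printf '%s\n' "$SAMPLE_ALERTS" | classify_dns_alerts "$1" \
      | awk -F, '$4 == "from-firewall" && $3 != "not-a-root-server" { c++ } END { print c + 0 }'
}

# Stand-alone run: print the classification and the resolver verdict.
printf '%s\n' "$SAMPLE_ALERTS" | classify_dns_alerts 192.168.1.2
if printf '%s\n' "$SAMPLE_RESOLV_CONF" | resolver_uses_local_unbound; then
    echo "resolver: this box sends its own lookups to the local Unbound (recursion to root servers expected)"
else
    echo "resolver: this box uses only the DHCP/ISP-provided servers"
fi
```

On a live box the same functions would read `/var/log/suricata/fast.log` and `/etc/resolv.conf` instead of the embedded samples; alerts that come out as `from-firewall` with a root-server destination are the recursion chemlud is pointing at, not a leak from a client.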

Title: Re: DNS Port 53 Leak
Post by: byteXpression on January 01, 2021, 03:59:51 PM
Hello chemlud,

Thanks for the fast clarification.

All the best,
byteXpression