I have set up an Unbound DNS override as follows:
host: *
domain: backyard.com
type: A
value: 192.168.1.193
description: backyard weather station
The purpose is to allow my family to browse to www.backyard.com to see the temperature and humidity in our backyard, based on a small IoT weather station I built.
The address resolved fine for me on my W10 machine for about half an hour, but then suddenly started resolving to the real backyard.com. At the same time, on my cell, it resolves to the 192.168.1.193 address as expected. Now, at the time just before I am going to post this post, on my Windows machine it is not resolving to anything - "This site can't be reached". However, the 192.168.1.193 address continues to work fine when typed into the address bar of the browser on the same machine.
I tried to restart the service on the OPNsense box, I also tried running "ipconfig /flushdns" from a cmd prompt on the Windows machine using admin privileges, and also tried rebooting the Windows machine. None of these helped.
EDIT: I went into Chrome and cleared the cached images and files, after that it resolved to 192.168.1.193. However, an hour later, it was back to resolving to the real backyard.com
EDIT: Firefox was showing the same behaviors as Chrome; however, somehow I got Firefox to work for now - resolving correctly. Edge is resolving correctly. Chrome is not. I thought it might be the fact that it is an HTTP site, not an HTTPS site, as there is a default setting in Chrome to block unsecured sites, but even with it off Chrome does not resolve correctly.
EDIT: OK, so I gave up on the host override approach and tried the domain override, but it's not working either.
I tried
backyard.com and www.backyard.com both pointing to 192.168.1.193
I also tried changing the interface to LAN, WAN, and both LAN and WAN.
Just no love.
Am I missing something?
Bump
Still not getting this to work - even tried a different domain name.
Here's the screenshot:
https://ibb.co/XDj970Y
and again, Unbound is enabled and running.
Any insights would be helpful.
A domain override tells Unbound to forward the request to the nameserver at the configured address.
You need to use host overrides. They have always worked for me, but I never used wildcards ('*'). You could try with a regular name first.
Quote from: RobLatour on March 17, 2021, 02:17:18 PM
Bump
Still not getting this to work - even tried a different domain name.
Here's the screenshot:
https://ibb.co/XDj970Y
and again, Unbound is enabled and running.
Any insights would be helpful.
What browser are you using? Firefox enables Secure DNS by default now which will bypass your DNS server entirely.
Have you blocked all DNS except to the OPNsense? Otherwise some clients may bypass your Unbound. In the future port 853 (DNS-over-TLS) and normal HTTPS (DNS-over-HTTPS) will be problematic, too...
Quote from: SFC on March 17, 2021, 02:48:49 PM
Quote from: RobLatour on March 17, 2021, 02:17:18 PM
Bump
Still not getting this to work - even tried a different domain name.
Here's the screenshot:
https://ibb.co/XDj970Y
and again, Unbound is enabled and running.
Any insights would be helpful.
What browser are you using? Firefox enables Secure DNS by default now which will bypass your DNS server entirely.
"On February 25, 2020, Firefox started enabling DNS over HTTPS for all US-based users, relying on Cloudflare's resolver" (source: https://en.wikipedia.org/wiki/DNS_over_HTTPS),
but he is using Chrome...
You disable DNS-over-HTTPS in about:config by setting
network.trr.mode
to "5"
or something along this line for Win10
https://www.reddit.com/r/sysadmin/comments/dbs1ew/canary_domain_to_disable_firefoxchrome_doh/
PS: The domain override has to be pointing to a DNS server, not the host IP.
I just set up an override in Unbound, works after pressing "Apply"...
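The two override types pmhausen and chemlud are distinguishing, plus the Firefox canary domain from the linked thread, written out as unbound.conf fragments. This is an added illustration, not configuration from the thread or from OPNsense's generated files; it uses the zone and addresses from the question, and the exact directives the OPNsense GUI emits may differ.

```conf
# Host override (host "*", domain "backyard.com"): Unbound answers the
# name itself. "redirect" makes the apex record cover every name below it,
# which is what the wildcard is for.
server:
    local-zone: "backyard.com." redirect
    local-data: "backyard.com. A 192.168.1.193"

    # A plain (non-wildcard) host override only adds the single record:
    #   local-data: "www.backyard.com. A 192.168.1.193"

    # Firefox checks this canary; an NXDOMAIN answer makes it stay on the
    # network's resolver instead of switching to DNS-over-HTTPS.
    local-zone: "use-application-dns.net." always_nxdomain

# Domain override: NOT an answer, but a forwarder. Queries for the zone are
# sent to the address given, which therefore has to be a DNS server.
# Pointing it at the weather station sends DNS queries to 192.168.1.193,
# which does not speak DNS, so resolution fails.
# (Shown for contrast; do not load both blocks for the same zone.)
forward-zone:
    name: "backyard.com."
    forward-addr: 192.168.1.193
```

Note that the canary only affects Firefox's automatic DoH enablement; a user who has explicitly turned Secure DNS on in Firefox or Chrome still bypasses the local resolver, which is why the later posts move on to blocking or redirecting port 53 at the firewall.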
Quote from: chemlud on March 17, 2021, 03:32:06 PM
PS: The domain override has to be pointing to a DNS server, not the host IP.
I just set up an override in Unbound, works after pressing "Apply"...
That's pretty much exactly what I wrote ;)
Quote from: pmhausen on March 17, 2021, 03:38:41 PM
Quote from: chemlud on March 17, 2021, 03:32:06 PM
PS: The domain override has to be pointing to a DNS server, not the host IP.
I just set up an override in Unbound, works after pressing "Apply"...
That's pretty much exactly what I wrote ;)
Maybe he will understand one of us... ;-)
Thanks for your comments, but still I must be missing something, as it's still not working.
Here is what the override screen looks like:
https://ibb.co/nzTm1pZ
Also, yes, I am using Chrome but have tested with Firefox and Edge as well - same results - resolution is to the real weather.com, not my identified IP address.
PC is set up to obtain dns results automatically.
I've tried clearing the caches in Chrome and on the PC ( ipconfig /flushdns ) as administrator.
So, after making the changes above, the wife and I watched a show on Netflix. I came back to my computer, and it was suddenly working. Go figure.
Hope it stays that way.
Thanks for your help!
Is your computer a Mac? Macs cache DNS entries on the client. Don't know about Windows, but I suspect they do similarly.
Important part: the ONLY DNS server has to be your Unbound (block on your LAN port 53 TCP/UDP except to your OPNsense). If clients can bypass the OPNsense Unbound, it will never work reliably.
@pmhausen I have been testing with a Windows machine, although we do have iPhones and IPads in the house
@chemlud, thank you.
I'm sure it's a very basic question, and sorry to trouble you with it, but how do I do that?
Is it a set of firewall rules for the LAN or WAN or both, also (I assume) for both IPv4 and IPv6?
How do I identify OPNsense in my firewall rules, is it by the IP address of the machine OPNsense is running on?
Is there a link someplace that explains all this, I've been trying to piece it all together - but I suspect haven't dealt with what you are suggesting yet - but need to.
Hi!
You should NOT have an "allow any any" rule on LAN. Allow single ports, such as HTTP, HTTPS, SMTPS, IMAPS and whatever else you need on LAN (choose TCP/UDP depending on the port/your needs).
Then you have one rule for IPv4 (I only use IPv4; if you use IPv6, add an additional one for IPv6) on LAN, nothing else. See attachment.
If you want to keep the "allow any any", you place on TOP of your LAN rules a "BLOCK UDP/TCP !LAN address" rule (the "!" is "invert", so the rule will block anything on port 53 TCP/UDP EXCEPT to your firewall ("LAN address")).
chemlud
thank you very much for this, it was very helpful - especially the image file which you provided.
I've set this up according to your advice and it appears to be working fine.
I really do appreciate the help and advice from you and pmhausen!
Quote from: chemlud on March 18, 2021, 02:23:28 PM
If you want to keep the "allow any any", you place on TOP of your LAN rules a "BLOCK UDP/TCP !LAN address" rule (the "!" is "invert", so the rule will block anything on port 53 TCP/UDP EXCEPT to your firewall ("LAN address")).
An (IMHO) better alternative to blocking outgoing DNS queries is to redirect them to your firewall's recursive nameserver.
NAT - Port Forward
Interface: LAN
Source: any
Destination: any
TCP/UDP
Destination Port: DNS
Redirect Target IP: 127.0.0.1
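The two ways of forcing clients onto the firewall's resolver, chemlud's block rule and pmhausen's redirect, written out as hand-written pf.conf fragments, with the weak catch-all they are protecting against shown first. This is an added illustration, not what the OPNsense GUI generates (it uses real interface names and its own macros); the LAN interface name igb1 is an assumption, and the three sections are alternatives, not one ruleset to load as-is.

```conf
# Assumption: the physical LAN interface is igb1 (OPNsense labels it "LAN").
lan_if = "igb1"

# --- Weak: a catch-all pass on LAN and nothing above it. ---
# A client configured with (or hard-coding) 8.8.8.8 or 1.1.1.1 reaches it
# directly and never sees the Unbound host override.
pass in quick on $lan_if inet from $lan_if:network to any

# --- Corrected (chemlud): block DNS to anything but the firewall, ABOVE the catch-all. ---
# "($lan_if)" is the interface's own address, i.e. "LAN address" in the GUI;
# "!" inverts the destination, so only queries to the firewall survive.
# Rules with "quick" are first-match, which is why the order matters.
block in quick on $lan_if inet proto { tcp udp } from $lan_if:network to ! ($lan_if) port 53
pass  in quick on $lan_if inet from $lan_if:network to any

# --- Alternative (pmhausen): redirect instead of block. ---
# Translation runs before filtering, so a query to 8.8.8.8:53 is rewritten
# to Unbound on 127.0.0.1:53 and answered by the firewall. Only the
# destination port is matched: the client's source port is random.
# The GUI's "filter rule association" adds the pass rule for the translated
# destination; in plain pf you write it yourself.
rdr  on $lan_if inet proto { tcp udp } from $lan_if:network to any port 53 -> 127.0.0.1 port 53
pass in quick on $lan_if inet proto { tcp udp } from $lan_if:network to 127.0.0.1 port 53

# Neither approach catches DNS-over-TLS (853) or DNS-over-HTTPS (443);
# those have to be handled in the browser settings or with separate rules.
```

The redirect is the friendlier option for a home LAN: a device with a stuck or hard-coded resolver keeps working, it just gets the firewall's answers, whereas the block rule makes such a device fail its lookups until its DNS setting is fixed.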
pmhausen: thank you, I may give that a try as I've noticed that since making the other changes it does take some additional time to resolve some addresses - may be a coincidence, but I would like to try this to see if it helps.
One question, would I not identify the source port range as DNS as well?
Quote from: RobLatour on March 20, 2021, 01:10:44 PM
pmhausen: thank you, I may give that a try as I've noticed that since making the other changes it does take some additional time to resolve some addresses - may be a coincidence, but I would like to try this to see if it helps.
One question, would I not identify the source port range as DNS as well?
Nope, source port is usually random. Only target port is usable...
pmhausen: I have much to learn, thank you :-) . Changes applied.