Hello OPNsense Forum!
I have a question: I found that the firewall host sends multiple DNS requests from its WAN address to different destinations (not just Google and Microsoft... but also, for example, IPs from Russia that are hosted by "Misaka Network, Inc." - apparently an American company)... so why is this happening? DNS requests to 8.8.8.8 are understandable, but the others?
They all pass my firewall rules because they are labeled as "let out anything from firewall host itself (force gw)".
Is this normal? Or does this mean there is malware on the firewall?
Regards,
David
Most likely those requests are done on behalf of LAN clients. You need to dig through your DNS logs to see which ones are making the requests. If you run a Pi-Hole you may have an easier time with your analysis.
Bart...
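To follow Bart's suggestion of digging through the DNS logs, here is an added example (not code from the thread or from the OPNsense project) that summarizes Unbound query-log lines per client, so you can see which LAN hosts are behind the outbound requests and separate them from queries the firewall itself makes (shown from 127.0.0.1). It assumes Unbound query logging is enabled (the `log-queries: yes` option in unbound.conf) and that the log lines have the shape `[timestamp] unbound[pid:tid] info: <client> <qname> <qtype> <qclass>`; the sample lines below are constructed, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Assumed shape of an Unbound query-log line (log-queries: yes):
#   [timestamp] unbound[pid:tid] info: <client-ip> <qname> <qtype> <qclass>
# The format is an assumption for this example, not taken from the thread.
UNBOUND_QUERY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>[0-9a-fA-F.:]+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

# Constructed sample log lines; 127.0.0.1 stands for queries the firewall makes itself.
SAMPLE_LOG = """\
[1700000000] unbound[1234:0] info: 192.168.1.20 www.example.com. A IN
[1700000001] unbound[1234:0] info: 192.168.1.20 cdn.example.net. AAAA IN
[1700000002] unbound[1234:0] info: 192.168.1.35 time.example.org. A IN
[1700000003] unbound[1234:0] info: 127.0.0.1 pkg.example.com. A IN
[1700000003] unbound[1234:1] info: 192.168.1.20 www.example.com. A IN
[1700000004] unbound[1234:0] info: start of service (Unbound 1.x).
"""


def parse_queries(log_text):
    """Yield (client, qname, qtype) for every query line; skip other log lines."""
    for line in log_text.splitlines():
        m = UNBOUND_QUERY_RE.match(line)
        if m:
            # Strip the trailing dot of the fully qualified name for readability.
            yield m["client"], m["qname"].rstrip("."), m["qtype"]


def summarize(log_text):
    """Count queries per client and collect the distinct names each client asked for."""
    per_client = Counter()
    names = defaultdict(set)
    for client, qname, _qtype in parse_queries(log_text):
        per_client[client] += 1
        names[client].add(qname)
    return per_client, names


def report(log_text):
    """Print clients ordered by query volume, with the names they resolved."""
    per_client, names = summarize(log_text)
    for client, count in per_client.most_common():
        print(f"{client:<16} {count:>4} queries  {sorted(names[client])}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against the real log (for example by reading `/var/log/resolver/latest.log` or wherever your OPNsense version writes Unbound's log) in place of `SAMPLE_LOG`; a LAN client with a high count or unexpected names is the one to look at, while queries from 127.0.0.1 are the firewall's own.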
Thanks for the reply!
I also figured something out: once I (hopefully) correctly configured the DNS servers and the Unbound service, all those DNS requests finally went to the assigned IPs!
Also interesting: every time I updated and restarted the Unbound service, for a few moments the DNS requests went to other IPs again and then back to the assigned ones... seems like when my DNS isn't correctly configured, the firewall uses all those random servers.
That's just how DNS works:
https://forum.opnsense.org/index.php?topic=22760.msg108462#msg108462
Ahh ok, that explains this behavior! Thanks for that! :D