OPNsense Forum

English Forums => General Discussion => Topic started by: Srixun on March 31, 2024, 05:45:17 PM

Title: DNS Resolution Percentage is low
Post by: Srixun on March 31, 2024, 05:45:17 PM
Hey guys.

Prime issue is that my DNS resolution percentage is around ~60%.

I've set up a rule on my LAN/DMZ to forward to the OPNsense, as well as some devices being manually configured, but I would like to "force" the local DNS server (OPNsense) if that makes sense.

I followed this guide, to little avail. - https://forum.opnsense.org/index.php?topic=9245.0

Any help? or suggestions? (Attachments are for the rules.)

Title: Re: DNS Resolution Percentage is low
Post by: Seimus on March 31, 2024, 06:57:14 PM
Why do it over redirect? Why not put the DNS into the DHCP server and announce it that way?

Also, what devices do you have on the network?

I would say it's better to announce the DNS over DHCP and block any external DNS server using a rule.

Regards,
S.
Title: Re: DNS Resolution Percentage is low
Post by: Srixun on March 31, 2024, 07:00:56 PM
It is in the settings and DHCP to do that. Alongside my other switches it's manually configured.

It's devices such as an ESXi server in a DMZ for game hosting.

Servers on the internal network, running everything from my tools for work to nerdy sandboxes, Home Assistant, some TVs, Nvidia Shield, home irrigation, etc.

OPNsense is running on a baremetal box as well.
Intel(R) Xeon(R) D-2123IT
32GB of Ram
128GB SSD.
Title: Re: DNS Resolution Percentage is low
Post by: Seimus on March 31, 2024, 07:04:47 PM
So if you announce it via DHCP there is no point in redirecting it.

Just block external DNS servers.

This needs to be done because some devices, such as TVs, IoT, etc., over which you don't have full control, will use the local DNS announced in DHCP only as a failsafe if they cannot reach their pre-configured DNS server such as Google.

Do a block rule with the destination inverted, pointing to the private subnets.

Regards,
S.
Title: Re: DNS Resolution Percentage is low
Post by: Srixun on March 31, 2024, 07:08:53 PM
I can try that, do you have an example of that rule?
Title: Re: DNS Resolution Percentage is low
Post by: Seimus on March 31, 2024, 07:23:36 PM
Sure,

1. Create a network alias, name it as you like, and put in the following subnets; this will be your inverted destination target:

Private_Subnets 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

2. Create a port alias to cover DNS as well as DoT:
DNS_Port 53,853

3. Create a rule under each interface on which you want to prevent external DNS leaking, or group the interfaces into a FW group and apply the rule there:

Protocol: IPv4*
Source: Any (or your per Interface or FW group)
Source port: Any
Destination / Invert: check this box (Use this option to invert the sense of the match. )
Destination: Private_Subnets
Destination port range: DNS_Port

Put the rule at the top of the list, and purge your state table.
Don't forget to set the proper Invert and ports, otherwise you can cut yourself off.

The output should look in the table like this >

Block -> IPv4* * * ! Private_Subnets  DNS_Port * * Block-External-DNS-Access

Regards,
S.
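The part of the rule above that is easy to get wrong is the inverted destination: the rule must block DNS/DoT traffic to every address *outside* the private ranges, not inside them. The following Python script is an added example (not OPNsense code and not from the poster) that models the match logic of that single rule on a few constructed flows, so you can reason about what it would block before applying it. It assumes exactly the aliases and fields from the post (Private_Subnets, DNS_Port, IPv4*, any source); the `invert=False` variant models the mistake the post warns about, where the rule would block your own resolver instead.

```python
import ipaddress
from typing import List, Tuple

# Alias contents taken from the post above.
PRIVATE_SUBNETS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_PORTS = {53, 853}  # plain DNS and DNS over TLS (DoT), per the DNS_Port alias


def in_private_subnets(dst: str) -> bool:
    """True when dst falls inside the Private_Subnets alias."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in PRIVATE_SUBNETS)


def rule_matches(dst: str, dst_port: int, invert: bool = True) -> bool:
    """Model of the Block rule: protocol IPv4*, any source and source port,
    destination Private_Subnets (inverted), destination port DNS_Port.

    invert=True is the configuration the post describes.
    invert=False models the misconfiguration the post warns about: the
    rule then matches DNS to the private ranges, i.e. your own resolver.
    """
    addr = ipaddress.ip_address(dst)
    if addr.version != 4:
        return False  # the rule is IPv4* only, so IPv6 flows never match it
    if dst_port not in DNS_PORTS:
        return False  # e.g. DNS over HTTPS on 443 is not covered by DNS_Port
    private = in_private_subnets(dst)
    return (not private) if invert else private


def evaluate(flows: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Return 'block' or 'pass' for each (dst, port) flow under the rule
    as written (invert on). Flows that do not match fall through to
    whatever rules follow; 'pass' here only means this rule did not fire."""
    return [(dst, port, "block" if rule_matches(dst, port) else "pass")
            for dst, port in flows]


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    ("192.168.1.1", 53),   # LAN OPNsense resolver (assumed address)
    ("8.8.8.8", 53),       # device with a hard-coded public resolver
    ("1.1.1.1", 853),      # DoT to a public resolver
    ("1.1.1.1", 443),      # DoH over HTTPS: not in DNS_Port, not blocked
    ("10.0.5.7", 853),     # DoT to an internal host
]

if __name__ == "__main__":
    for dst, port, action in evaluate(SAMPLE_FLOWS):
        print(f"{action:5s} {dst}:{port}")
```

Two things the run makes visible: traffic to the private ranges on 53/853 passes through this rule (with invert on), while the same traffic with invert off would be blocked, which is the "cut yourself off" case. It also shows that DNS over HTTPS on 443 is not touched by a port-53/853 rule, so clients that fall back to DoH need a different control.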
Title: Re: DNS Resolution Percentage is low
Post by: Srixun on March 31, 2024, 07:36:27 PM
Appreciate it, will try this here sometime today and get back to you :)  thank you!