Anyone know a way to hold your preferences in OPNsense?
Probably the way I have something set.
Using Unbound I entered Google's 8.8.8.8 as DNS; it works a couple of times, then gets overridden.
Same with the NTP servers: they would not stay on the OPNsense servers.
Any way to beef up the security of those? Thanks.
I appreciate not everyone's first language is English but your posts are hard to understand. Please see if you can observe the rules of grammar.
Now then, for your questions.
> Anyone know a way to hold your preferences in opnsense
If you are not running on a live USB session, i.e. OPN is actually installed, all changes made via the UI persist across reboots.
> Using unbound I entered google 8.8.8.8 as DNS, it works a couple times then gets over ridden
Where is 8.8.8.8 entered?
Where does it get overridden?
> Any way to beef up the security of those, thanks
What makes you think these settings are insecure?
My DNS is constantly hijacked.
I have tried many settings in both OPNsense and the browser.
The Firefox browser also tries to control DNS.
I have tried turning those off.
So far I know of no way to set DNS settings and have them applied on a consistent basis.
Hijacking and zone transfers; I cannot set a DNS server no matter what I enter, so far.
I monitor packets and IPs.
Yes, the NTP is getting overridden by the OS NTP servers,
and then those also get hijacked due to the DNS getting hijacked.
Depending on the day, I am attacked every 5 to 15 seconds.
Just wondering if anyone knew how to control your DNS and get it to keep what you set.
This is an area I haven't had much success with yet.
My ISP router was destroyed due to the hijacking MITM.
Thanks
What exactly do you mean by "DNS getting hijacked"? I have no problem even remotely connected to that term.
I block ports 53 and 853 outbound. I give all client systems the local OPNsense as their DNS server via DHCP. I also use a DoH blocklist in AdGuard Home.
Case closed. There is no way a system in my network uses any DNS server but my local OPNsense.
I also do not get what you're talking about.
For DNS on the OPNsense: System - Settings - General: Allow DNS server list to be overridden by DHCP/PPP on WAN (UNCHECK)
For NTP and DNS on other interfaces: allow DNS and NTP to the interface which belongs to the subnet and block everything else.
"My ISP router was destroyed due to the hijacking MITM"
Wondering how an ISP router should be destroyed, though. Either way, it's compromised or not. But destroyed?
If you don't know how an ISP router gets destroyed or hijacked, there are plenty of security sites to help.
Maybe you didn't see the latest on social media about thousands of home routers attacking Cloudflare
because their firmware was rewritten; you can watch YouTube videos on how to get into home routers.
They changed the cert in mine once; it now sits on a desk because its firmware was rewritten permanently.
It wants to go to TLD DNS, well known in the security world as a bad guy; there are a couple of Suricata rules
on that, but at the time my rules were not working.
NTP I can shut off so I don't get a jacked server site; that could be due to hijacked DNS first.
I also have attacks on NTP itself, trying to get a connection, trying to mimic an NTP server.
Then about DNS, this is what I am saying:
I haven't found any way, and I have tried and researched, to stop OPNsense from getting hijacked.
The browser has no problem hijacking OPNsense to use Firefox DNS; I have learned to turn it off.
Then the OS has no problem asking for its own DNS.
Just wondering if anyone else with ongoing attacks has found a method to secure DNS.
I am attacked every 5 seconds. I am on fiber; maybe that's why they target us.
Botnets mostly; the global security community knows all about them, two in the US.
That's why you have botnet block lists in your Suricata rulesets.
Thanks everyone.
And yes, I know there is nothing we have that is secure; I would just like to control it
a little better than they do.
One other thing is ... do not attack these bot IPs.
Yes, they could be a bot server, or
they could be a router on a grandmother's desk that has been compromised.
Do not cause Grandma any suffering, please.
And thanks everyone, all suggestions are welcome; it may be something I haven't tried yet.
I will keep working on it; I have to.
It's the only way I can get on the internet.
For the first 6 months of this year I couldn't get on the net for more than 15 seconds without getting shut down or a virus, really,
till OPNsense helped me. A regular home router doesn't stand a chance here.
Thank you, Mr Hausen.
I will try closing 53 outbound, but I only have 443 and 53 open on the WAN.
Sounds like good security.
The client gets DNS from OPNsense, but it's OPNsense that gets hijacked.
It's OPNsense that sends a DNS lookup.
By hijacked I mean I can see the IPs of the request and replies,
and it changes from what my settings are, or what I put in the conf file;
then it will change again and again, like something shadow.com
or TLD.com (bad guy).
I do not have override DNS checked.
I tried to set it to 8.8.8.8, 8.8.4.4 and it worked for maybe 15 minutes;
maybe I changed settings too fast, maybe I need to reboot more.
Thanks again.
Thank you, fast boot.
It's DNS on the WAN.
I will check to see if there is a way to tighten security on DNS.
Thanks, cookiemonster.
I have OPNsense on a hard drive, but it doesn't pay attention to the DNS settings.
Could be compromised; it worked for a short while.
I watch the IPs and read the packets; my DNS setting 8.8.8.8 is nowhere to be found.
I found one culprit was Firefox overriding OPNsense; I turned off its DNS and OPNsense worked for a little while.
It's doing it again; I will have to research who the DNS server is, because in-addr.arpa has nothing on it.
I will see if it's on the same one (sticks to one server) or random again.
The dig command just gives me a list of the root servers; it rarely ever uses one.
Thanks.
Discovered I am getting a DNS attack, called DNS something .. forgot.
It's on YouTube.
But a single request results in a hundred DNS servers queried,
which I saw after my last post, and I started monitoring packets.
Changing DNS settings and trying Quad9.
Using DNS over TLS.
I set up the IP 9.9.9.9 and hostname dns.quad9.net and port 853.
Will test this and see if it gets better.
Thanks everyone.
DNS (as well as NTP) is blocked by default on WAN. Show your WAN rules, please.
Update
Disregard; I discovered my OPNsense router and OS were compromised.
It took two days to remove the viruses, UDs, and malware.
I reload my OS daily.
I ran OPNsense without reloading for about 60 days before it was obviously destroyed.
That's a huge milestone in my environment.
Some day I hope I can learn enough security to get that far again and still keep running.
I will go back to reloading OPNsense every two weeks; I have to.
DNS is working and so is NTP.
I don't know how to deploy Quad9 yet.
I have 8.8.8.8, 8.8.4.4, 9.9.9.9 in the system DNS settings.
I deployed DNS over TLS and query forwarding for Quad9 on port 853.
It uses the system DNS servers on port 53 instead of Quad9.
I will try taking the system DNS servers out and look again.
Thanks everyone.
I ignored some signs the system was compromised; I won't do that again.
A current default installation of OPNsense cannot be compromised from outside.
All of your posts are no facts and lots of speculation. My firewalls run for years with regular updates but without fresh installation every couple of weeks. Reinstalling everything regularly is cargo cult.
Unless you come up with some facts - firewall rules, packet traces, configuration details, ... I'm out of this conversation.
You must be trolling.
We like OPNsense; OPNsense works, it's good, really good.
We work to make it better and keep up with the security world.
Thanks contributors, testers, newbies and problem solvers.
Couple things:
Nothing new concrete to implement yet.
Next I ask questions about what I see.
The community gives me answers or suggestions.
Sometimes right, sometimes wrong; wrong is also ok.
Sometimes it gives me ideas, and problems are worked out with persistence.
Sometimes right; you don't always have to be right; help is appreciated.
I post what I see so if anyone else comes across it,
hopefully there is an answer after some time and they can follow the post.
I will post my corrections or fixes or causes of problems.
All questions are welcome; yes, I am wrong sometimes.
Hopefully posts will point in the right direction or give ideas,
just like I follow others' posts about similar problems I have.
I have pcaps; what would anyone want to see?
Yes, they are HTTPS with encrypted bodies, but you can see the headers.
If anyone wants to see what a bot looks like,
or just plain hacking, let me know.
Can talk about attacks in the IPS section of the forum.
100's of thousands of them.
I've learned a lot in the last week.
Presently running the firewall with only 443 and 53 open, besides defaults.
Thanks, Quad9 is doing ok on 53 so far.
Will try to go to port 853 later.
Thanks everyone.
Firewall rules:
443 IN tcp
53 IN udp
That's it.
I am constantly hit on port 0; anyone know how to block it? Unless it's stateful, I haven't seen a way.
Of course also ports 80, 8081, 22, 23, and server ports, 123 (and it's not NTP), and some others.
Hit with constant SYN, ACK, RST, SYN-ACK, etc. with high starting sequence numbers that I think
a stateful firewall would block, but Suricata catches them first from blocklists: 25 percent
of my blocklist from varied sources, and my custom blocklist catches 75 percent.
But not all, and they are auto IPs, spoofed.
Thanks.
443 IN tcp
53 IN udp
That's it.
Thanks.
Remove these, they are dangerous and not necessary. Why would you open DNS to the world?
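The defensive posture recommended in the replies (clients get only the firewall as DNS via DHCP, ports 53 and 853 blocked outbound from the LAN, the WAN DNS server list not overridable, and no inbound DNS rule on WAN) can be checked against firewall logs rather than guessed at. The following audit script is an added example, not code from this thread or from the OPNsense project. It assumes a constructed, simplified CSV log layout (it is not OPNsense's real filterlog format), and the addresses 192.168.1.1 (firewall LAN side), 203.0.113.10 (firewall WAN side) and 9.9.9.9 as the only allowed DNS upstream are assumptions chosen to match the servers named in the thread.

```python
"""Audit firewall log lines for DNS/NTP traffic that bypasses policy.

Added example. Log layout is a constructed, simplified CSV:
    action,iface,direction,proto,src_ip,src_port,dst_ip,dst_port
where direction is relative to the firewall ("in" = arriving on that
interface, "out" = leaving it). This is NOT OPNsense's filterlog format.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed network layout (constructed for the example).
FIREWALL_LAN_IP = ipaddress.ip_address("192.168.1.1")
FIREWALL_WAN_IP = ipaddress.ip_address("203.0.113.10")

# Watched destination ports and the service they carry.
WATCHED_PORTS = {53: "DNS", 853: "DoT", 123: "NTP"}

# Upstreams the firewall's own resolver/NTP client may talk to, per service.
# Quad9 for DNS/DoT as in the thread; the NTP address is a constructed placeholder.
ALLOWED_UPSTREAMS = {
    "DNS": {ipaddress.ip_address("9.9.9.9")},
    "DoT": {ipaddress.ip_address("9.9.9.9")},
    "NTP": {ipaddress.ip_address("198.51.100.123")},
}

# Constructed sample log (comment line + mix of compliant and violating traffic).
SAMPLE_LOG = """\
# action,iface,direction,proto,src_ip,src_port,dst_ip,dst_port (constructed)
pass,lan,in,udp,192.168.1.50,51234,192.168.1.1,53
pass,lan,in,udp,192.168.1.50,51235,8.8.8.8,53
block,lan,in,tcp,192.168.1.77,40000,1.1.1.1,853
pass,lan,in,udp,192.168.1.60,123,192.168.1.1,123
pass,lan,in,udp,192.168.1.60,123,198.51.100.20,123
pass,wan,out,tcp,203.0.113.10,4242,9.9.9.9,853
pass,wan,out,udp,203.0.113.10,4243,198.51.100.7,53
pass,wan,in,udp,198.51.100.99,5555,203.0.113.10,53
pass,wan,in,tcp,198.51.100.99,5556,203.0.113.10,443
"""


@dataclass
class Finding:
    kind: str      # "client-bypass" | "resolver-upstream" | "wan-exposure"
    src: str
    dst: str
    port: int
    service: str


def parse_line(line: str) -> dict | None:
    """Parse one constructed log line; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    action, iface, direction, proto, src, sport, dst, dport = line.split(",")
    return {
        "action": action, "iface": iface, "direction": direction, "proto": proto,
        "src": ipaddress.ip_address(src), "sport": int(sport),
        "dst": ipaddress.ip_address(dst), "dport": int(dport),
    }


def audit(log_text: str) -> list[Finding]:
    """Return one Finding per passed packet that violates the DNS/NTP policy."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "pass":
            continue  # blocked traffic was enforced; nothing leaked
        service = WATCHED_PORTS.get(rec["dport"])
        if service is None:
            continue
        src, dst, port = str(rec["src"]), str(rec["dst"]), rec["dport"]
        # 1) LAN client resolving/syncing anywhere but the firewall: the client
        #    ignores the resolver handed out via DHCP; an outbound block is missing.
        if rec["iface"] == "lan" and rec["direction"] == "in" and rec["dst"] != FIREWALL_LAN_IP:
            findings.append(Finding("client-bypass", src, dst, port, service))
        # 2) The firewall itself talking to an upstream not on the allow list:
        #    the effective server list differs from what was configured.
        elif (rec["iface"] == "wan" and rec["direction"] == "out"
              and rec["src"] == FIREWALL_WAN_IP
              and rec["dst"] not in ALLOWED_UPSTREAMS[service]):
            findings.append(Finding("resolver-upstream", src, dst, port, service))
        # 3) Inbound on WAN to the firewall on a watched port was accepted:
        #    the resolver (or NTP) is exposed to the Internet.
        elif rec["iface"] == "wan" and rec["direction"] == "in" and rec["dst"] == FIREWALL_WAN_IP:
            findings.append(Finding("wan-exposure", src, dst, port, service))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:18} {f.service:4} {f.src} -> {f.dst}:{f.port}")
    print(summarize(results))
```

Each finding kind points at one of the settings discussed in the thread: a `client-bypass` means the LAN-side block of 53/853 (and 123, if NTP is included) is missing; a `resolver-upstream` means the firewall's own server list is not the one you configured, which is where the "Allow DNS server list to be overridden by DHCP/PPP on WAN" checkbox and the System > General list should be checked; a `wan-exposure` means an inbound WAN rule for that port exists and should be removed.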
How I fixed it:
I reloaded.
Set Unbound settings.
Set DNS servers in System > General.
Disabled Firefox DNS.
It is now working correctly so far.
There were a few changes in Unbound:
Enable DNSSEC support.
I have the listen port on 853 for Quad9, but it's using 53.
Flush DNS cache on reboot.
And aggressive NSEC.
Enabled query forwarding for dns.quad9.net at 9.9.9.9,
but at the top it is using the DNS servers I listed in System > General:
8.8.8.8, 8.8.4.4, 9.9.9.9.
Probably why Quad9 is using 53 instead of 853.
Enabled DNS over TLS with dns.quad9.net, also on port 853;
it also shows at the top the DNS servers set in System > General.
Haven't changed it yet.
Also made a snapshot.
Doing good so far, even if using 53.
I will try that.
I think it wasn't working when I didn't open those ports, but I will try again.
It hits outbound servers on those ports.
The inbound response is usually on a high port number and covered by the stateful firewall, which lets it in.
Thanks, I will definitely close that if I can.
I will check the DHCP response,
and the SYN and RST packets response.
I think ACK is on the established port.
And ICMP.
I will try it.
Thanks.
Thanks, it's working with no WAN firewall rules but the defaults.
That closes a security hole, thanks.
I unchecked the box in Unbound query forwarding to use system DNS servers,
so it uses the settings in Query Forwarding and DNS over TLS.
Did a reboot.
It is using Quad9, but still outgoing on 53 instead of 853 to Quad9; but it works.
Maybe 853 is a subscription thing; I will have to check.
Thanks.