For a couple of days I have been seeing the following behaviour:
- on the external DNS server (i.e. Cloudflare, NextDNS, ...) there are multiple requests pointing to other DNS servers all around the world;
- the source ID of these calls is the Unbound server within OPNsense;
- looking at reporting/unbound dns/details, there is no record of any such calls;
- looking at the services/unbound dns/log file, there are records of such calls, but I can't identify the source yet;
- trying to get the IPs behind these DNS servers and checking the firewall log still gives no answer.
Some of the addresses are: dns4me.net, dns.0x55.net, dns.0ooo.icu, dns-gcp.aaflalo.me, dns.688447.xyz ...
The strange thing is that I blocked bing.com in the blacklist of Unbound DNS, but I still see requests on the external DNS server.
Any hint about how to proceed? Thank you
You need both control and enforcement.
Control - use a single DNS authority in your environment. AdGuard Home is a good option, Pi-hole a distant second one which I don't recommend.
Enforcement - you can either block all outbound DNS requests from every machine on the FW - but this option leaves you rather blind in terms of who's trying to go where based on DNS requests - or use a port forward to transparently redirect all UDP/TCP 53 queries to AdGuard Home.
Last but not least, don't forget browsers/phones/tablets will try to force their own DNS settings which may be encrypted - you'll want to make sure only your chosen DNS server answers and nothing else is allowed to escape.
Hi newsense, thanks for the reply. I agree with you in general terms, but my main problem here is that I can't understand the originator of these DNS calls.
I also found that performing a ping from OPNsense is not reported inside the live log of the firewall... Am I missing something? I expected to see every connection inside the live log and every DNS request inside the Unbound report page.
I believe that these calls are made by the firewall itself (maybe they are the repositories of the filtering lists), but I cannot see (and investigate) these requests either in the Unbound reporting or in the firewall log. I can instead find them inside the services/unbound dns/log file.
I remember that before, the logs also collected the connections initiated by the firewall itself (maybe I am wrong).
Many thanks.
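Added example (not from the thread or from OPNsense/Unbound): a small Python script that parses Unbound query-log lines in the `info: <client> <name> <type> <class>` form written when query logging is enabled, and groups queries for the suspicious resolver names above by the client that asked, so lookups issued by the firewall itself can be told apart from LAN clients. The log lines, client addresses and the assumption that firewall-originated lookups show up from 127.0.0.1 are constructed for the example; the domain names are the ones quoted in the first post.

```python
import re
from collections import Counter, defaultdict

# Matches the client/query part of an Unbound query-log line (log-queries: yes).
LOG_RE = re.compile(
    r"info: (?P<client>[0-9a-fA-F.:]+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)"
)

# Constructed sample log; timestamps, pid and client IPs are made up.
SAMPLE_LOG = """\
Nov 12 10:00:01 unbound[1234:0] info: 192.168.1.20 www.example.com. A IN
Nov 12 10:00:02 unbound[1234:0] info: 127.0.0.1 dns4me.net. A IN
Nov 12 10:00:02 unbound[1234:0] info: 127.0.0.1 dns.0x55.net. A IN
Nov 12 10:00:03 unbound[1234:0] info: 192.168.1.20 bing.com. A IN
Nov 12 10:00:04 unbound[1234:0] info: 192.168.1.31 dns-gcp.aaflalo.me. AAAA IN
Nov 12 10:00:05 unbound[1234:0] debug: unrelated line that is not a query
"""

# Resolver names seen on the upstream DNS server (from the first post).
WATCH = {"dns4me.net", "dns.0x55.net", "dns.0ooo.icu",
         "dns-gcp.aaflalo.me", "dns.688447.xyz"}
# Assumption: lookups the firewall makes for itself arrive from loopback.
LOCAL = {"127.0.0.1", "::1"}


def parse(lines):
    """Yield dicts for each query-log line; other log lines are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            q = m.groupdict()
            q["qname"] = q["qname"].rstrip(".").lower()  # strip trailing dot
            yield q


def attribute(log_text, watch=WATCH):
    """Map client IP -> Counter of watched names it asked Unbound for."""
    by_client = defaultdict(Counter)
    for q in parse(log_text.splitlines()):
        if q["qname"] in watch:
            by_client[q["client"]][q["qname"]] += 1
    return dict(by_client)


def firewall_originated(log_text, watch=WATCH):
    """Watched names that only the firewall itself (loopback) resolved."""
    hits = attribute(log_text, watch)
    return sorted({n for c, cnt in hits.items() if c in LOCAL for n in cnt})


if __name__ == "__main__":
    for client, names in attribute(SAMPLE_LOG).items():
        print(client, dict(names))
    print("firewall itself:", firewall_originated(SAMPLE_LOG))
```

Run it against /var/log/resolver output with query logging turned on; clients that never appear for the watched names (like 192.168.1.20 above) are not the source.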
The problem identified was the change in the format of the blocking lists I use with Unbound DNS: I tried to switch from the usual "asterisk wildcard" format to the RTP format.
The second is not compatible, and as a result the firewall started to randomly call the addresses listed inside (one of the lists refers to DNS services).
I restored the old format, and (for now) everything seems to be back to normal.
Thanks