Greetings. I would like some help setting up Unbound DNS Blocklist (DNSBL) with multiple physical interfaces.
I have a 4-port NIC and would like to utilize the "extra" ports. I have this working, but can't get DNSBL properly setup with multiple physical interfaces. DNSBL does work when I only use one interface for WAN and another for LAN. I followed both of these videos with success (just one technique or the other).
https://youtu.be/o12a2cFGopQ?si=P7tYFtYAZwS34qCM
https://youtu.be/C00L9ngsGsw?si=d8epbJ4IKOJJNRUe
DNSBL works with this configuration:
igb0: WAN
igb1: LAN
10.10.10.1/24 (1010 Home)
10.10.20.1/24 (1020 School)
10.10.30.1/24 (1030 Work)
When I add a second interface (UNSAFE on igb2), traffic on that interface doesn't seem to find a DNS server. If I add a DNS server in Services->DHCPv4->UNSAFE, then all the VLANS in UNSAFE interface can resolve domain names (thus, internet traffic), but not touched by Unbound's DNSBL. VLANS from the LAN interface continue to go through Unbound's DNSBL without any issue.
igb2: UNSAFE
10.20.10.1/24 (2010 Sarah)
10.20.20.1/24 (2020 Tom)
10.20.30.1/24 (2030 Walt)
Any suggestions for a neophyte are appreciated. Thank you.
What is "a DNS server"? If you want Unbound to block anything, you have to direct all clients via DHCP to "your DNS server", i.e. your own Unbound instance.
If the VLANs are separated (and why would you have those if they are not?), each interface would probably have its 10.x.y.1 address set as both gateway and DNS server. If you do not set the DNS server explicitly, the ones you use are influenced by several settings. You can end up using your ISP's DNS servers or others.
Also, bear in mind that most browsers circumvent local DNS by using DoT or DoH per default these days, so be wary what you test.
P.S.: The way you describe it, IDK if your VLANs are really VLANs or just subnets on the same physical interface. Usually, you would end up having a logical interface for each VLAN, not just two (LAN and UNSAFE).
Quote from: meyergru on February 18, 2025, 11:56:15 PM
What is "a DNS server"? If you want Unbound to block anything, you have to direct all clients via DHCP to "your DNS server", i.e. your own Unbound instance.
If the VLANs are separated (and why would you have those if they are not?), each interface would probably have its 10.x.y.1 address set as both gateway and DNS server. If you do not set the DNS server explicitly, the ones you use are influenced by several settings. You can end up using your ISP's DNS servers or others.
Also, bear in mind that most browsers circumvent local DNS by using DoT or DoH per default these days, so be wary what you test.
P.S.: The way you describe it, IDK if your VLANs are really VLANs or just subnets on the same physical interface. Usually, you would end up having a logical interface for each VLAN, not just two (LAN and UNSAFE).
Thank you for your reply, @meyergru.
I have removed all VLANs to simplify the setup for now. No DNS server is specified in System->Settings->General, Services->ISC DHCPv4->LAN, or Services->ISC DHCPv4->UNSAFE. In this case, clients on the LAN network go through my ISP's DNS server. Clients on the UNSAFE network cannot resolve websites unless I specify a DNS server (Cloudflare, Quad9, etc...) in Services->ISC DHCPv4->UNSAFE.
I'm using Firefox, and DoH is set to OFF; DoT is not set.
You could first find out if the clients on your UNSAFE network get a DNS server address via DHCP and then test if you can resolve addresses via that IP ("nslookup www.google.com a.b.c.d") or if you can ping it.
On LAN:
"nmcli dev list iface eno1 | grep IP4" points my IP4.DNS[1] to my OPNSense instance's IP.
On UNSAFE:
Linux:
"nmcli dev list iface eno1 | grep IP4" points DNS to UNSAFE's subnet 10.20.0.1
can't ping - name does not resolve
nslookup - timed out
Win10:
"ipconfig /all" also points DNS to UNSAFE's subnet 10.20.0.1
can't ping - name does not resolve
nslookup - timed out
Quote from: NewMe on February 20, 2025, 02:09:26 AM
On UNSAFE:
Linux:
"nmcli dev list iface eno1 | grep IP4" points DNS to UNSAFE's subnet 10.20.0.1
can't ping - name does not resolve
nslookup - timed out
Win10:
"ipconfig /all" also points DNS to UNSAFE's subnet 10.20.0.1
can't ping - name does not resolve
nslookup - timed out
Nope:
Quote from: NewMe on February 18, 2025, 11:27:47 PM
igb2: UNSAFE
10.20.10.1/24 (2010 Sarah)
10.20.20.1/24 (2020 Tom)
10.20.30.1/24 (2030 Walt)
There is no "approximately" in networking, whatsoever. ;-)
Those VLANs currently don't exist... just the LAN and UNSAFE interfaces and their corresponding subnets.
Quote from: NewMe on February 19, 2025, 01:19:58 AM
I have removed all VLANs to simplify the setup for now.
Can you ping 10.20.0.1 from UNSAFE clients?
- If not, look at routing and/or firewall rules.
- If yes and nslookup times out, try again with "nslookup www.google.com 10.20.0.1" to verify you are using the correct server.
- If that does not work and routing and firewall do not keep you from accessing the DNS server: Did you bind Unbound to "All Interfaces", i.e.: selected no single interface?
I can't ping 10.20.0.1 from UNSAFE clients.
I don't have any routing setup (if you mean System->Routes). Firewall rules block UNSAFE to "This Firewall" and allow internet access:
x IPv4 UNSAFE net * This Firewall * * *
> IPv4 UNSAFE net * * * * *
I have tried enable/disable:
> IPv4 TCP/UDP UNSAFE net * 172.0.0.1 53 (DNS) * *
"All" network interfaces are specified in Unbound, as this was the default/recommended setting.
Additional info--
The following settings are checked:
Services->Unbound DNS->General
Enable Unbound
Enable DNSSEC Support
Register ISC DHCP4 Leases
Register DHCP Static Mappings
Services->Unbound DNS->Advanced
Hide Identity
Hide Version
Prefetch DNS Key Support
Harden DNSSEC Data
Strict QNAME Minimisation
And there you have it:
Quote from: NewMe on February 20, 2025, 05:01:14 PM
Firewall rules block UNSAFE to "This Firewall" and allow internet access:
How do you expect that UNSAFE clients should be able to ping or access DNS (port 53) on 10.20.0.1 - which presumably is "This Firewall" with that blocking rule on top of the list?
YAY!!! This is working by removing that rule.
My only excuse is that I'm an OPNsense noob. Trying to be security conscious, I'm trying to protect the firewall as much as possible. I already have System->Settings->Administration set to only allow LAN as the listen interface. At some point, I thought that blocking rule would be an added layer. It's just my misunderstanding of how that works.
Thank you very much for solving this for me. I appreciate your help!
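The rule-ordering point meyergru makes above (a "block UNSAFE net -> This Firewall" rule at the top of the list also blocks DNS to 10.20.0.1, because that address belongs to the firewall) can be reproduced with a small first-match model. The following is an added example written for this thread, not OPNsense code or anything the posters ran: it evaluates an interface rule list top-down, first match wins, the way OPNsense interface rules behave by default, with an implicit deny when nothing matches. The UNSAFE subnet (10.20.0.0/24, based on the 10.20.0.1 address seen in the DHCP output), the set of addresses behind "This Firewall", and the hostnames of the test packets are assumptions made for the model. It shows the original rule set from the thread blocking DNS and ping to 10.20.0.1, and a reordered set that keeps the "protect the firewall" intent (GUI port still blocked) while letting clients reach Unbound on the interface address.

```python
"""First-match firewall rule model (added example, not OPNsense code).

Reproduces why 'block UNSAFE net -> This Firewall' placed first breaks DNS
to the firewall's own 10.20.0.1 address, and how to order rules so the
firewall stays protected while DNS and ping to the interface address work.
Subnet, 'This Firewall' membership and packets below are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed: UNSAFE interface subnet (thread shows the DHCP-assigned resolver 10.20.0.1).
UNSAFE_NET = ipaddress.ip_network("10.20.0.0/24")
# Assumed model of the "This Firewall" alias: every address the firewall itself holds.
THIS_FIREWALL = {
    ipaddress.ip_address("10.20.0.1"),   # UNSAFE interface address
    ipaddress.ip_address("10.10.0.1"),   # LAN interface address (assumed)
    ipaddress.ip_address("127.0.0.1"),
}


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: str                    # "any", "tcp", "udp", "tcp/udp", "icmp"
    dst: str                      # "any", "this_firewall", or an IP / CIDR string
    dport: Optional[int] = None   # None = any destination port
    label: str = ""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "any" or pkt_proto in rule_proto.split("/")


def _dst_matches(rule_dst: str, pkt_dst: str) -> bool:
    addr = ipaddress.ip_address(pkt_dst)
    if rule_dst == "any":
        return True
    if rule_dst == "this_firewall":
        return addr in THIS_FIREWALL
    return addr in ipaddress.ip_network(rule_dst, strict=False)


def evaluate(rules, pkt: Packet):
    """Top-down, first match wins; no match -> implicit default deny.
    Returns (verdict, label of the deciding rule)."""
    if ipaddress.ip_address(pkt.src) not in UNSAFE_NET:
        return ("block", "default deny")      # not 'UNSAFE net', no rule applies
    for r in rules:
        if (_proto_matches(r.proto, pkt.proto) and _dst_matches(r.dst, pkt.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return (r.action, r.label)
    return ("block", "default deny")


# Rule set as posted in the thread: block to the firewall first, then allow everything.
ORIGINAL_RULES = [
    Rule("block", "any", "this_firewall", label="block UNSAFE net -> This Firewall"),
    Rule("pass", "any", "any", label="allow UNSAFE net -> any"),
]

# Reordered: explicit allows for the services clients need from the interface
# address come BEFORE the block. The outbound-53 block is an optional extra
# (not from the thread) that stops clients from using a resolver other than Unbound.
FIXED_RULES = [
    Rule("pass", "tcp/udp", "10.20.0.1", 53, label="allow DNS to UNSAFE address"),
    Rule("pass", "icmp", "10.20.0.1", label="allow ping to UNSAFE address"),
    Rule("block", "any", "this_firewall", label="block UNSAFE net -> This Firewall"),
    Rule("block", "tcp/udp", "any", 53, label="block DNS to other resolvers (optional)"),
    Rule("pass", "any", "any", label="allow UNSAFE net -> any"),
]

# Constructed test packets from a client on UNSAFE.
DNS_TO_FW = Packet("10.20.0.50", "10.20.0.1", "udp", 53)     # what nslookup sends
PING_TO_FW = Packet("10.20.0.50", "10.20.0.1", "icmp")
GUI_TO_FW = Packet("10.20.0.50", "10.20.0.1", "tcp", 443)    # web GUI, must stay blocked
DNS_TO_CLOUDFLARE = Packet("10.20.0.50", "1.1.1.1", "udp", 53)
WEB_OUT = Packet("10.20.0.50", "93.184.216.34", "tcp", 443)  # ordinary internet traffic


def verdicts(rules):
    """Map each named test packet to its verdict under the given rule set."""
    pkts = {"dns_to_fw": DNS_TO_FW, "ping_to_fw": PING_TO_FW, "gui_to_fw": GUI_TO_FW,
            "dns_to_cloudflare": DNS_TO_CLOUDFLARE, "web_out": WEB_OUT}
    return {name: evaluate(rules, p)[0] for name, p in pkts.items()}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(name)
        for pkt_name, v in verdicts(rules).items():
            print(f"  {pkt_name:18} {v}")
```

Two things the model makes visible. First, the allow rule has to sit above the block and its destination has to be the address the clients are actually told to use via DHCP (10.20.0.1 here), otherwise it never matches. Second, once clients can reach Unbound, the optional fourth rule is what forces them to use it: without it, a client that configures 1.1.1.1 by hand still resolves names and bypasses DNSBL, which is the same effect the thread saw when a public resolver was handed out via DHCP. Browsers using DoH over port 443, as meyergru noted, are not caught by a port-53 rule.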