OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: Siarap on April 16, 2025, 05:41:21 AM

Title: Weird DNS behavior.
Post by: Siarap on April 16, 2025, 05:41:21 AM
My maltrail instance on 25.4 detects malicious DNS queries from my WAN address on port 53. Decided to block outbound connections from WAN with destination port 53. I have enabled DNS over TLS (Quad9). When I block port 53 I'm losing DNS resolving. No domains are resolved. So all the time I had no DNS encryption? What servers is OPNsense using then? Why is TLS port 853 not used?

EDIT: These DNS servers were used to resolve the malicious domains' IPs: 162.159.38.3, 172.64.35.93, 192.33.14.30. I never set these IP addresses anywhere. I have Unbound enabled as resolver + DNS over TLS.

These domains were resolved: cdn.prod.website-files.com, prod.website-files.com, .website-files.com
Maybe it's just a false positive in maltrail?
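Before deciding whether blocking outbound port 53 is safe, it helps to see which egress path the resolver is actually taking. A recursive resolver such as Unbound talks to authoritative name servers directly on port 53 unless every query is forwarded to a DoT upstream on TCP 853, so any port-53 traffic leaving the WAN address is a sign that resolution is not going through the encrypted forwarder. The following script is an added example, not code from this thread or from OPNsense; it classifies constructed flow records (a placeholder WAN address in the documentation range, the three destination IPs quoted above, and a couple of unrelated flows) into plain DNS versus DNS-over-TLS and summarises what a port-53 block would affect.

```python
"""Classify DNS egress flows observed from a firewall's WAN address.

Added example, not part of the forum thread. The flow records below are
constructed for illustration; on a real system you would feed in the
source/destination/port tuples from your firewall log or a packet capture.
"""
from collections import Counter

# Constructed placeholder WAN address (RFC 5737 documentation range).
WAN_ADDR = "203.0.113.10"

# Constructed flow records: (protocol, source, destination, destination port).
# The three port-53 destinations are the ones quoted in the thread.
FLOWS = [
    ("tcp", "203.0.113.10", "9.9.9.9", 853),          # DoT to a Quad9 address
    ("tcp", "203.0.113.10", "149.112.112.112", 853),  # DoT to a Quad9 address
    ("udp", "203.0.113.10", "162.159.38.3", 53),      # plain DNS from WAN
    ("udp", "203.0.113.10", "172.64.35.93", 53),      # plain DNS from WAN
    ("udp", "203.0.113.10", "192.33.14.30", 53),      # plain DNS from WAN
    ("tcp", "203.0.113.10", "198.51.100.7", 443),     # unrelated HTTPS
    ("udp", "192.168.1.20", "192.168.1.1", 53),       # LAN client -> resolver
]


def classify(proto, src, dst, dport, wan_addr):
    """Return 'dot', 'plain_dns' or None for a single flow.

    Only flows sourced from the WAN address count as resolver egress;
    LAN clients asking the firewall itself are expected and ignored.
    """
    if src != wan_addr:
        return None
    if proto == "tcp" and dport == 853:
        return "dot"          # DNS over TLS (RFC 7858)
    if dport == 53:
        return "plain_dns"    # cleartext DNS: recursion or unencrypted forwarding
    return None


def summarize(flows, wan_addr):
    """Count DoT and plain-DNS egress flows and collect plain-DNS destinations."""
    counts = Counter()
    plain_dst = set()
    for proto, src, dst, dport in flows:
        kind = classify(proto, src, dst, dport, wan_addr)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "plain_dns":
            plain_dst.add(dst)
    return {
        "dot": counts["dot"],
        "plain_dns": counts["plain_dns"],
        "plain_dst": sorted(plain_dst),
    }


def port53_block_breaks_resolution(summary):
    """True when cleartext DNS egress exists: a WAN port-53 block would cut it off."""
    return summary["plain_dns"] > 0


def report(summary):
    """Human-readable summary of the egress paths in use."""
    lines = [
        f"DoT (TCP 853) flows:      {summary['dot']}",
        f"Plain DNS (port 53) flows: {summary['plain_dns']}",
    ]
    if port53_block_breaks_resolution(summary):
        lines.append("Plain-DNS destinations: " + ", ".join(summary["plain_dst"]))
        lines.append("Blocking outbound 53 on WAN would break these lookups; "
                     "check whether Unbound is recursing instead of forwarding over TLS.")
    else:
        lines.append("All resolver egress is DoT; blocking outbound 53 is safe.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(FLOWS, WAN_ADDR)))
```

Feeding the script real flows (for example the tuples from your own firewall log) answers the question in the post directly: if port-53 flows show up from the WAN address alongside the 853 ones, the resolver is still reaching some servers in cleartext, and a port-53 block will remove exactly those lookups.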
Title: Re: Weird DNS behavior.
Post by: doktornotor on April 16, 2025, 05:38:17 PM
Quote from: Siarap on April 16, 2025, 05:41:21 AM
When I block port 53 I'm losing DNS resolving.

That is super shocking... 😜
Title: Re: Weird DNS behavior.
Post by: Siarap on April 16, 2025, 06:16:40 PM
Quote from: doktornotor on April 16, 2025, 05:38:17 PM
That is super shocking... 😜

Exactly, because I've set 853 TLS for DNS, and I'm blocking outgoing port 53 connections from WAN.
Title: Re: Weird DNS behavior.
Post by: CJ on April 28, 2025, 04:21:25 PM
Quote from: Siarap on April 16, 2025, 06:16:40 PM
Exactly, because I've set 853 TLS for DNS, and I'm blocking outgoing port 53 connections from WAN.

Outgoing firewall rules are almost never what you want. You'd have to explain your setup and rules more for us to know what you're running into.

In the meantime, I wrote about this some time ago so you may find the posts helpful.

https://www.cjross.net/dns-security-and-adblock-with-opnsense-part-1/

https://www.cjross.net/dns-security-and-adblock-with-opnsense-part-2/
Title: Re: Weird DNS behavior.
Post by: EricPerl on April 28, 2025, 09:41:01 PM
Sharing screenshots of your DNS setup on OPN would help.