OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: Imnot A Robot on May 18, 2025, 08:00:42 PM

Title: AdGuard blocks then passes - Why?
Post by: Imnot A Robot on May 18, 2025, 08:00:42 PM
Hello OPNsense Community,

Is this not right?
It looks like AdGuard blocks a rule here:
Adguard3.png


And then passes the same rule here:
AdGuard2.png


AdGuard setup is listening on port 53 and forwarding to unbound to port 8953.


Can someone please offer advice?



OPNsense 25.1.6_4-amd64
AdGuard Version: v0.107.61
Title: Re: AdGuard blocks then passes - Why?
Post by: EricPerl on May 18, 2025, 08:40:51 PM
The 2nd query is for a completely different domain, likely the result of DNS domain search list.
Title: Re: AdGuard blocks then passes - Why?
Post by: Imnot A Robot on May 20, 2025, 04:49:52 PM
I appreciate your response.

The domain search seems to be happening as a result of what you said and maybe because of the AdGuard Home (running in OPNsense) setting:

Enable private reverse resolving of clients' IP addresses.


The dig I did on alb.reddit.croapino.com returned an authoritative answer from Cloudflare:

;; AUTHORITY SECTION:
croapino.com.      1800   IN   SOA   rosa.ns.cloudflare.com. dns.cloudflare.com. 2372814465 10000 2400 604800 1800

;; Query time: 35 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue May 20 09:57:17 EDT 2025
;; MSG SIZE  rcvd: 115
 

My big question is, does this mean that these second DNS (domain) queries are slipping by my router? Basically rendering the AdGuard DNS filter useless in this case?

Title: Re: AdGuard blocks then passes - Why?
Post by: ThuTex on May 20, 2025, 07:44:07 PM
adguard is not "useless" - it is doing exactly what it is required: resolve domains.
the fact is, you do not have a rule to block subdomains for "croapino.com", so they get resolved.

this is likely being added due to your domain that's been set in opnsense and assigned to try to query it if a lookup fails.
the better question is: if you do not own the croapino.com domain name, why did you configure it (instead of, say, local.internal) ?

it shouldn't have anything to do with the private reverse resolving, because it's trying to resolve a domain, not an ip.
Title: Re: AdGuard blocks then passes - Why?
Post by: Imnot A Robot on May 20, 2025, 08:22:08 PM
Thank you.

I should have mentioned, I do own croapino. In the past I was trying to do a setup to avoid the web self-signed certificate thing but that got messy (some lack of knowledge) so I did away with that remedy but held on to croapino.

Does this paint a clearer picture and does it change your perspective of my setup? Do you see any gaps and/or should I revert OPNsense (in Settings > General) to local.internal?


Best
Title: Re: AdGuard blocks then passes - Why?
Post by: EricPerl on May 20, 2025, 09:06:36 PM
If you set up a domain in the General Settings (or per subnet in DHCP), that domain is given to DHCP clients via option 119.
https://en.wikipedia.org/wiki/Search_domain
The idea is that you can enter hostname only, and DNS lookups for hostname or hostname.<search_domain_list_entry> are done.

This applies to other typed hostnames too... in your case alb.reddit.com

What's returned for an IP for alb.reddit.com.croapino.com is what YOU configured for it. NOT the IP of alb.reddit.com...

Only you can decide what's appropriate for your OPN domain. It depends how you use it...
Title: Re: AdGuard blocks then passes - Why?
Post by: ThuTex on May 20, 2025, 09:23:26 PM
ok, so what's happening is basically:

adguard tries to resolve a host (fails due to blocklist)
then it adds your domain (which usually is internally only) to the domain, and tries again

if you have adguard set up to forward all (non-blocked) queries to unbound, then you will have to verify in unbound if the query was leaked onwards to upstream,
or if opnsense/unbound responded with a result from the local registry.

it's been ages since i messed with dns split brain config, because keeping track of internal & external routing and authoritative responses is... annoying,
which is one of the (multiple) reasons to just use an internal hostname on your network.
(that's not to say you can't do it though)


you could set up a rule in adguard that it sends all queries to an external dns server directly instead of opnsense, and then route only croapino.com back to unbound (settings/dns settings/upstream dns servers : [/croapino.com/]127.0.0.1:8953 )
also go to unbound / advanced / general and set private domains to croapino.com in opnsense so the domain is allowed to have private IPs in it.

i can't guarantee it will work completely, but in this situation your client will query adguard for the domain,
adguard will block and then add the full hostname, then see that queries for that hostname need to be sent to opnsense, and opnsense should respond with either a failure or a resolved host for a local machine, without going to any upstream dns server.

... it could also end up looping back to adguard if it tries to resolve it though, so do check your logs when trying this change :)
Title: Re: AdGuard blocks then passes - Why?
Post by: Patrick M. Hausen on May 20, 2025, 09:37:30 PM
Quote from: ThuTex on May 20, 2025, 09:23:26 PM
adguard tries to resolve a host (fails due to blocklist)

Correct.

Quote from: ThuTex on May 20, 2025, 09:23:26 PM
then it adds your domain (which usually is internally only) to the domain, and tries again

No, it doesn't. A DNS resolver never adds domains to the client's query. The client's resolver library having received a negative response for its first query adds every configured "search domain" to the query in turn and tries again.

A resolver only ever tries to resolve and return exactly what is queried.

HTH,
Patrick
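
An added example (not part of any post in this thread): the client-side search-list retry described above, modelled in Python, together with a check that pairs a blocked query with the later search-domain retry from the same client in a query log. The log tuples, client addresses and the glibc-style `ndots` ordering are assumptions made for the illustration; `alb.reddit.com` and `croapino.com` are the names from the thread.

```python
# Added illustration: models the stub resolver's search-list behaviour and
# flags blocked queries that reappear with a search domain appended.
# SAMPLE_LOG is constructed data, not real AdGuard Home output.

def candidates(name, search_domains, ndots=1):
    """Names a client stub resolver tries, in order (glibc-style rule, assumed)."""
    if name.endswith("."):              # trailing dot: fully qualified, no search list
        return [name.rstrip(".")]
    expanded = [f"{name}.{d}" for d in search_domains]
    if name.count(".") >= ndots:        # enough dots: try the name as typed first
        return [name] + expanded
    return expanded + [name]            # short hostname: search list first

def find_search_retries(log, search_domains):
    """Return (client, blocked_name, retried_name) for each passed query that is
    a previously blocked name from the same client plus a search domain."""
    blocked = set()
    findings = []
    for client, qname, action in log:
        qname = qname.rstrip(".").lower()
        if action == "blocked":
            blocked.add((client, qname))
            continue
        for domain in search_domains:
            suffix = "." + domain.lower()
            if qname.endswith(suffix):
                base = qname[: -len(suffix)]
                if (client, base) in blocked:
                    findings.append((client, base, qname))
    return findings

SEARCH = ["croapino.com"]               # search domain handed out by the router
SAMPLE_LOG = [                          # (client, query name, filter action)
    ("192.168.1.50", "alb.reddit.com", "blocked"),
    ("192.168.1.50", "alb.reddit.com.croapino.com", "passed"),
    ("192.168.1.50", "nas.croapino.com", "passed"),   # ordinary local lookup
    ("192.168.1.51", "example.org", "passed"),
]

if __name__ == "__main__":
    print(candidates("alb.reddit.com", SEARCH))
    for client, base, retried in find_search_retries(SAMPLE_LOG, SEARCH):
        print(f"{client}: blocked {base!r}, client then asked for {retried!r}")
```

The second query is a different name under the search domain, so a blocklist entry for the original name does not match it; what it resolves to depends only on what the search domain's zone answers.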
Title: Re: AdGuard blocks then passes - Why?
Post by: ThuTex on May 20, 2025, 10:09:18 PM
Quote from: Patrick M. Hausen on May 20, 2025, 09:37:30 PM
No, it doesn't. A DNS resolver never adds domains to the client's query.

true, bad wording on my part, i should have said 'then the client' instead of 'it' which implied adguard itself.
for that matter, i probably should also have said "adds your search domain to the domain" instead of just "domain to the domain"
.... time to leave the computer for the day :)