My Maltrail detected mass connections to malware-related domains in about 3 minutes (many different domains). These connections were made over port 53 even though I have set DNS over TLS. These connections were made from the WAN IP address, not from LAN. Is it possible that my OPNsense instance is infected?
EDIT: Currently partially solved by blocking outgoing traffic from WAN with destination port 53. But I am a network newbie; I don't know if it's enough.
Everything is possible - analyse the traffic with a packet trace, then try to find the source process with sockstat and friends ... do a packet trace on LAN, too, just in case ... etc.
I don't know if I can handle it alone. I'm just a user, a loser and a newbie.
Quote from: Siarap on September 24, 2025, 06:45:20 PM
These connections were made from the WAN IP address, not from LAN.
Are you sure about that? When your internal clients use DNS via port 53 to a specific DNS server, then obviously those requests go via the WAN IP via NAT. It seems ~10x more likely that some client has been infected than OpnSense...
Quote from: meyergru on September 24, 2025, 07:11:11 PM
Quote from: Siarap on September 24, 2025, 06:45:20 PM
These connections were made from the WAN IP address, not from LAN.
Are you sure about that? When your internal clients use DNS via port 53 to a specific DNS server, then obviously those requests go via the WAN IP via NAT. It seems ~10x more likely that some client has been infected than OpnSense...
I have blocked traffic over port 53 to the internet from LAN and a port forward to redirect all DNS traffic generated in LAN to 127.0.0.1 (Unbound). Then Unbound with blocklists, then traffic goes to the Quad9 DNS, also with its own blocklists. Please READ CAREFULLY what I wrote. When I say from WAN I mean from WAN, not LAN. Maltrail also says clearly which interface generates the traffic. AND my DNS connection goes through TLS. That's why I don't understand why there are port 53 connections from WAN.
IMHO this is not diagnosable via a forum. You need to find someone knowledgeable and give them hands-on access to your machine. It's not rocket science but it needs familiarity with common Unix network and diagnostic tools.
I don't know such a person. I'm trying to fight this threat on my own. Partially solved by blocking outgoing traffic to port 53 from WAN. But what if the malware uses DNS over HTTPS instead of raw DNS on port 53?
Save your config, reinstall OPNsense wiping everything, restore your config, upgrade to latest version. Watch what happens.
Disconnect everything from your LAN, leave your OPNsense running. Connect a known good PC directly to the LAN port. Watch if the problem persists. If it doesn't, it's not your OPNsense. Reconnect your switch if present. Power on one device at a time, each time observe what happens. So you can identify the device that causes the suspicious traffic.
The Maltrail plugin already identified the device. The SOURCE is the WAN IP address, not a LAN IP address. I get other traffic from LAN addresses. I'm running Maltrail on every WAN/LAN/VLAN interface because I have them all. Previously Suricata detected MANY exploits going to the WAN address, but these attacks stopped (they were blocked by the ET Telemetry ruleset). Each of my devices is separated by VLAN. A few days ago I had a MASS port scan from multiple domains/IP ranges which was detected and blocked by CrowdSec. I don't know what they are looking for because I have literally NOTHING here. I'm just a gamer who likes privacy and security. They will be upset when they break in hahaha.
Do you have any inbound open ports on WAN? For any services that run directly on your OPNsense?
ALL ports closed. I'm just a gamer, no need to open ANY ports. I'm not hosting games.
Even if the requests themselves are done from OpnSense itself, it might still be a proxy thing for your LAN. You did not say anything about the DNS setup on your site up to your answer, so this was speculation. If you are so sure that OpnSense itself is infected, then fine, do as Patrick says.
I still say that an infection on one of your clients is 10 times more likely than one on OpnSense, but YMMV. Good luck.
Quote from: Siarap on September 24, 2025, 08:56:02 PM
ALL ports closed. I'm just a gamer, no need to open ANY ports. I'm not hosting games.
Then nobody can possibly have infected your OPNsense directly from outside. From inside via a previously infected client - yes. But as @meyergru wrote: highly unlikely.
Turn on the query log for whatever you use as a recursive server on your OPNsense, watch them, try to find the source of the queries step by step. Only method. No silver bullet.
If you want more help let's start with you describing your DNS setup in detail. Which servers - Unbound, DNSmasq, Adguard Home ... to which ports are they bound ... how did you configure DoT ... how exactly (show the firewall rules!) did you make sure clients cannot go directly to the Internet ...
The problem is - you probably think there's something obvious that experienced people like @meyergru and me know. Fact is, there is nothing obvious. It's all 100% particular to your specific configuration. When trying to help we build a mental image of your network (lacking real access). For that to be successful we need all relevant information.
Quote from: Patrick M. Hausen on September 24, 2025, 09:07:55 PM
Quote from: Siarap on September 24, 2025, 08:56:02 PM
ALL ports closed. I'm just a gamer, no need to open ANY ports. I'm not hosting games.
Then nobody can possibly have infected your OPNsense directly from outside. From inside via a previously infected client - yes. But as @meyergru wrote: highly unlikely.
Turn on the query log for whatever you use as a recursive server on your OPNsense, watch them, try to find the source of the queries step by step. Only method. No silver bullet.
If you want more help let's start with you describing your DNS setup in detail. Which servers - Unbound, DNSmasq, Adguard Home ... to which ports are they bound ... how did you configure DoT ... how exactly (show the firewall rules!) did you make sure clients cannot go directly to the Internet ...
The problem is - you probably think there's something obvious that experienced people like @meyergru and me know. Fact is, there is nothing obvious. It's all 100% particular to your specific configuration. When trying to help we build a mental image of your network (lacking real access). For that to be successful we need all relevant information.
Default DHCP with Dnsmasq >> Unbound with blocklists >> DNS over TLS to Quad9 with blocklists. On the LAN side there is a block rule to block all outgoing traffic to any destination with destination port 53, plus a port forward on the LAN/VLAN side to redirect all unencrypted DNS traffic to Unbound. Also blocked outgoing TLS DNS from LAN. And I still get DNS traffic from WAN, not LAN, which points to malware-related domains. Even with an infected client on the LAN side, how is it still possible over port 53 unencrypted DNS when I set DNS over TLS? Am I doing something wrong? Is my DNS still leaking? And this malware traffic is directed to random DNS servers different from Quad9. Tried the dnsleaktest site and there is no leak detected.
My first step would be: what queries exactly? Maybe the domains asked for already show a pattern ...
This is a small part of the queries (screenshot from the Maltrail plugin).
https://imgur.com/a/vnVEavj
Please attach on this forum. I block external image hosting sites.
Quote from: Patrick M. Hausen on September 24, 2025, 09:43:06 PM
Please attach on this forum. I block external image hosting sites.
When I try to post an image it asks me for an https link.
Click on "Preview" and you can upload images directly to the forum.
Small part. There were hundreds of them in 3 minutes. This is a screenshot from the Maltrail plugin.
On a first look, these seem to be requests for the Mirai botnet, which mostly attacks IoT devices, potentially also other Linux hosts. You could very easily isolate if this is the case by just capping off your LAN network, attach a Windows PC to your OpnSense and then see if those accesses stop.
Once devices have been infected, there are usually free rider malwares that add on to that, which could explain the other malware signatures that are found.
How to identify the specific device? Maltrail shows WAN as the source of the traffic, not a LAN/VLAN device.
I have an IPTV decoder made in China from my ISP; I can't change it. I can't unplug devices; my family uses internet/TV.
Is there a way to identify the device without unplugging?
Why is my DNS setup still leaking?
Do a tcpdump on the LAN port. I would argue either those WAN requests are directly NATed from there or proxied via one of your DNS services on the firewall. Just listen on any port those services expose.
Another potential would be a web proxy on your firewall that is used by your LAN clients and making those requests on behalf of them.
In that case, look at the proxy logs.
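The attribution step that Patrick and meyergru describe above (query log / tcpdump on the inside interfaces, then match against what leaves on WAN) as an added example; this is not code from any of the posters or from OPNsense. It correlates a WAN-side tcpdump with captures from the internal interfaces by DNS transaction ID, query type, name and resolver, because pf outbound NAT normally rewrites the source port, so the port cannot be used as the key. A WAN query with no inside match was generated on the firewall itself (Unbound forwarding, a proxy, or a process to chase with sockstat). All capture lines and addresses are constructed from the documentation ranges; the interface names, the assumed IoT VLAN without a port-53 redirect, and the 203.0.113.5 WAN address are assumptions.

```python
import re
from collections import defaultdict

# Matches a DNS query line as printed by "tcpdump -n -i <iface> udp port 53", e.g.
# 20:12:01.100100 IP 192.168.20.23.40321 > 192.0.2.44.53: 43210+ A? c2-example.invalid. (36)
DNS_QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<txid>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+?)\.? \(\d+\)$"
)

# Constructed sample captures (documentation address ranges, not real traffic).
# WAN side: every query carries the firewall's public address 203.0.113.5 because
# of outbound NAT, which is exactly why Maltrail reports "WAN" as the source.
WAN_CAPTURE = """\
20:12:01.100200 IP 203.0.113.5.50123 > 192.0.2.44.53: 43210+ A? c2-example.invalid. (36)
20:12:01.100550 IP 203.0.113.5.50124 > 198.51.100.9.53: 43211+ A? update-example.invalid. (40)
20:12:02.000100 IP 203.0.113.5.50200 > 203.0.113.77.53: 50077+ A? tracker-example.invalid. (41)
20:12:02.300000 IP 203.0.113.5.61000 > 9.9.9.11.853: Flags [P.], seq 1:200, ack 1, win 512, length 199
"""
# Inside captures, one per internal interface (assumed names). In this scenario the
# IoT VLAN has no port-53 redirect rule, so its queries reach the WAN unchanged; the
# LAN query to 8.8.8.8 is caught by the LAN rdr rule and never shows up on WAN.
INSIDE_CAPTURES = {
    "vlan20_iot": """\
20:12:01.100100 IP 192.168.20.23.40321 > 192.0.2.44.53: 43210+ A? c2-example.invalid. (36)
20:12:01.100450 IP 192.168.20.23.40322 > 198.51.100.9.53: 43211+ A? update-example.invalid. (40)
""",
    "lan": """\
20:12:01.200000 IP 192.168.10.50.53211 > 8.8.8.8.53: 17000+ A? news.example. (30)
""",
}


def parse_queries(capture_text):
    """Return one dict per DNS query line; non-DNS lines (DoT on 853 etc.) are skipped."""
    return [m.groupdict() for m in map(DNS_QUERY_RE.match, capture_text.splitlines()) if m]


def _key(q):
    # Transaction ID + type + name + resolver survives NAT; the source port does not.
    return (q["txid"], q["qtype"], q["qname"].lower(), q["dst"])


def correlate(wan_text, inside_captures, allowed_resolvers):
    """Attribute each WAN-side port-53 query to the inside interface and client that sent it."""
    index = {}
    for iface, text in inside_captures.items():
        for q in parse_queries(text):
            index[_key(q)] = (iface, q["src"])
    report = []
    for q in parse_queries(wan_text):
        iface, client = index.get(_key(q), ("firewall-self", None))
        report.append({
            "qname": q["qname"],
            "resolver": q["dst"],
            "unexpected_resolver": q["dst"] not in allowed_resolvers,
            "origin_iface": iface,   # "firewall-self" means: no inside packet matched
            "client": client,
        })
    return report


def clients_by_volume(inside_captures):
    """Count plain port-53 queries per (interface, client) to spot the noisy device."""
    counts = defaultdict(int)
    for iface, text in inside_captures.items():
        for q in parse_queries(text):
            counts[(iface, q["src"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in correlate(WAN_CAPTURE, INSIDE_CAPTURES, {"9.9.9.11"}):
        print(row)
    print(clients_by_volume(INSIDE_CAPTURES))
```

Run it against real captures by replacing the constructed strings with the output of `tcpdump -n -i <iface> udp port 53` on WAN and on each LAN/VLAN interface taken at the same time. Every WAN row that resolves to an inside client names the device to isolate; rows that stay "firewall-self" are the ones that warrant looking at the firewall's own processes and proxy logs.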
Quote from: meyergru on September 24, 2025, 07:11:11 PM
Are you sure about that? When your internal clients use DNS via port 53 to a specific DNS server, then obviously those requests go via the WAN IP via NAT. It seems ~10x more likely that some client has been infected than OpnSense...
Yep.
This is why it's best to dst NAT (WAN out rule) any outbound DNS to 9.9.9.11 or the like. Because OPNsense has that default "allow from self", so to protect against self (malware) using some other DNS that would return malware IP from query, forcing it with NAT to a malware blocking DNS service would help. Not 100%, but helps.
All DNS settings should be using malware blocking DNS service, and, WAN out NAT rule to force all DNS to a specific server, even if it's the same as dns from dhcp or hard set on hosts.
Another tip for OP, connect all your IoT things (streaming devices like roku /crappleTV, TV's , T-stats, fridge, washing machine, etc etc) to a different fw LAN port to isolate that crud from your computer stuff. I have a separate wifi AP for all the IoT crud in my house.
Quote from: BrandyWine on September 24, 2025, 10:50:00 PM
Quote from: meyergru on September 24, 2025, 07:11:11 PM
Are you sure about that? When your internal clients use DNS via port 53 to a specific DNS server, then obviously those requests go via the WAN IP via NAT. It seems ~10x more likely that some client has been infected than OpnSense...
Yep.
This is why it's best to dst NAT (WAN out rule) any outbound DNS to 9.9.9.11 or the like. Because OPNsense has that default "allow from self", so to protect against self (malware) using some other DNS that would return malware IP from query, forcing it with NAT to a malware blocking DNS service would help. Not 100%, but helps.
All DNS settings should be using malware blocking DNS service, and, WAN out NAT rule to force all DNS to a specific server, even if it's the same as dns from dhcp or hard set on hosts.
Can you tell me how to do this? I'm a newbie. And thanks for the info; I'm using 9.9.9.11 over TLS but there are leaks currently.
I have a port forward rule on the LAN side like this:
LAN TCP/UDP * * * 53 (DNS) 127.0.0.1 53 (DNS)
And malware does what it wants, and there are leaks.
Is this below good?
WAN TCP/UDP * * WAN address 53 (DNS) 9.9.9.11 53 (DNS)
I have an important question. What if the malware starts using DNS over HTTPS?
Botnet partially solved. In the end I blocked all outgoing traffic from WAN directed to DNS port 53, and I have DNS over TLS directed to 9.9.9.11.
Now I don't see warnings related to DNS and botnets.
Quote from: Siarap on September 24, 2025, 11:29:36 PM
I have an important question. What if the malware starts using DNS over HTTPS?
This nat trick is in another thread, I have to find it.
You add a NAT rule as a WANout rule, src-any dst-any dst-port tcp/udp-53, nat dst-IP to 9.9.9.11
You do also want your std access LAN rule for dns, allowing your LAN net to 9.9.9.11 tcp/udp-53
DNS over HTTPS? Well, there are two ways (mostly) to get to a site, direct IP and FQDN. If it's FQDN then the nat trick still helps. If it's direct IP and you allow dst-Any for tcp-443, then there's a challenge. For that issue you have to look at suricata IDS, apply its function to WAN and LAN. It helps, but not 100%
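The rule set BrandyWine describes (LAN port forward of 53 to the local resolver, a WAN outbound NAT rule rewriting any remaining port-53 destination to 9.9.9.11, and the gap left by DoH to a bare IP on 443) as an added example, not code from the poster or from OPNsense. It models the pf evaluation order on the firewall (rdr on the inbound LAN interface, then the LAN filter rules, then outbound NAT on WAN, which also sees the firewall's own traffic under the default "allow from self") and walks the thread's scenarios through it. Interface names, the 127.0.0.1 Unbound listener, the blocked-DoT-from-LAN rule from Siarap's setup and all addresses are assumptions or constructed values.

```python
from dataclasses import dataclass

DNS_PORT = 53
DOT_PORT = 853
LOCAL_RESOLVER = "127.0.0.1"   # Unbound listening on the firewall (assumed)


@dataclass(frozen=True)
class Packet:
    in_iface: str   # "lan", "vlan20", ... or "self" for traffic the firewall itself generates
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


def evaluate(pkt, lan_ifaces, approved_resolver, block_lan_dot=True):
    """Return (action, final_dst, final_dport, trace) for one packet.

    Modelled order: port forward (rdr) on the inbound LAN interface, then the LAN
    filter rules, then the WAN outbound NAT rule that both NATed client traffic
    and the firewall's own processes pass through.
    """
    trace = []
    dst, dport = pkt.dst, pkt.dport
    if pkt.in_iface in lan_ifaces:
        if dport == DNS_PORT and pkt.proto in ("tcp", "udp"):
            trace.append("LAN rdr: dst port 53 -> local resolver")
            return "pass", LOCAL_RESOLVER, DNS_PORT, trace
        if dport == DOT_PORT and block_lan_dot:
            trace.append("LAN filter: outbound DoT from clients blocked")
            return "block", dst, dport, trace
    # Anything still heading for the Internet leaves on WAN. This includes the
    # firewall's own queries (Unbound forwarding, a proxy, or malware on the box),
    # which the LAN rules above never see.
    if dport == DNS_PORT:
        if dst != approved_resolver:
            trace.append(f"WAN out NAT: dst {dst} -> {approved_resolver}")
            dst = approved_resolver
        else:
            trace.append("WAN out: already bound for the approved resolver")
    else:
        trace.append("WAN out: no DNS rule matches this port")
    return "pass", dst, dport, trace


def demo(lan_ifaces=("lan", "vlan20"), approved_resolver="9.9.9.11"):
    """Walk the thread's scenarios through the rules; returns (label, action, final dst:port)."""
    cases = [
        ("LAN client, plain DNS to 8.8.8.8",
         Packet("lan", "192.168.10.50", "8.8.8.8", "udp", 53)),
        ("VLAN client tries DoT directly",
         Packet("vlan20", "192.168.20.23", "1.1.1.1", "tcp", 853)),
        ("firewall itself, plain DNS to a random resolver",
         Packet("self", "203.0.113.5", "198.51.100.9", "udp", 53)),
        ("Unbound forwarding over DoT",
         Packet("self", "203.0.113.5", approved_resolver, "tcp", 853)),
        ("client DoH to a bare IP on 443 (not covered by the DNS rules)",
         Packet("lan", "192.168.10.50", "192.0.2.44", "tcp", 443)),
    ]
    results = []
    for label, pkt in cases:
        action, dst, dport, _ = evaluate(pkt, set(lan_ifaces), approved_resolver)
        results.append((label, action, f"{dst}:{dport}"))
    return results


if __name__ == "__main__":
    for label, action, endpoint in demo():
        print(f"{label:60s} {action:5s} -> {endpoint}")
```

The last case is the one the post above flags: a client (or the firewall itself) speaking DoH to a bare IP on 443 passes through untouched, because none of the DNS rules key on that port. That is the traffic only an IDS or a DoH blocklist can address, which is also why Siarap's DoH blocklist started firing once plain port 53 was closed.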
Quote from: Siarap on September 24, 2025, 11:29:36 PM
Botnet partially solved. In the end I blocked all outgoing traffic from WAN directed to DNS port 53, and I have DNS over TLS directed to 9.9.9.11.
Now I don't see warnings related to DNS and botnets.
Well, "solved" would be to find the root cause and eliminate it. As long as you have infected clients in your LAN, this is not over. Even more so with the observation that already, multiple trojans seem to have invaded your network and it seems not to be segmented into different levels of security by VLANs. Such as it is, the bots are free to spread in your network - you just do not see that any more.
How is your Maltrail configured now, e.g. are you using firewall rules to block packets on WAN and LAN, IN and/or OUT, and on which interfaces?
Quote from: BrandyWine on September 25, 2025, 06:42:29 AM
Quote from: Siarap on September 24, 2025, 11:29:36 PM
I have an important question. What if the malware starts using DNS over HTTPS?
This nat trick is in another thread, I have to find it.
You add a NAT rule as a WANout rule, src-any dst-any dst-port tcp/udp-53, nat dst-IP to 9.9.9.11
You do also want your std access LAN rule for dns, allowing your LAN net to 9.9.9.11 tcp/udp-53
I just set DNS over TLS to Quad9 in Unbound and blocked all outgoing traffic from WAN to port 53 using a firewall rule. I don't see any leaks now in Maltrail. But my blocklist for blocking DNS over HTTPS has started to block more and more.
Quote from: allenlook on September 25, 2025, 02:15:52 PM
How is your Maltrail configured now, e.g. are you using firewall rules to block packets on WAN and LAN, IN and/or OUT, and on which interfaces?
I'm using fail2ban from Maltrail, in on WAN and out on LAN. My other blocklists have over 15 million unique IP addresses. The fight never ends.
Quote from: meyergru on September 25, 2025, 08:39:53 AM
Well, "solved" would be to find the root cause and eliminate it. As long as you have infected clients in your LAN, this is not over. Even more so with the observation that already, multiple trojans seem to have invaded your network and it seems not to be segmented into different levels of security by VLANs. Such as it is, the bots are free to spread in your network - you just do not see that any more.
Nothing spreads because I have VLAN separation. Formatted all drives in my gaming machine. Scanned the other client with Linux using ClamAV with no detections. I just can't scan/format my IPTV decoder. The IPTV decoder is made in China. Nobody knows what this device can do. I got this IPTV from the ISP and can't change it.