Hi all,
Enabled DNS over TLS via here:
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-dot-on-opnsense
Getting stuck when I create my own FW rules and NAT to stop 53 out.
As I have a few FW rules, should I create the block for 53 at the bottom so it's first, or at the top?
Thanks,
Rob
Firewall rules are processed from top to bottom, so top.
Thanks RamSense.
Doing this command on my OPNsense:
tcpdump -i vtnet0 port 853
Should I replace vtnet0 with my LAN or WAN interface?
That's very weird. I made a floating rule to block 53 and it worked, as I couldn't access any websites anymore, but when I did a tcpdump on my LAN interface on 53 I could see loads of activity, so something's weird. So it looks like my DoT isn't working.
Thanks,
Rob
Reading this:
In order to provide a secure and verified environment, it is advisable to use a firewall rule to prohibit any outgoing DNS traffic on port 53 when using DNS over TLS. If clients choose to directly query other nameservers on their own, a NAT redirect rule can be used to send these requests to 127.0.0.1:53, which is the local Unbound service. This will ensure that these requests are sent over TLS.
I've done the block rule:
IPv4+6 TCP/UDP * * ! RFC1918 53 (DNS) * * block LAN DNS to internet
But how do I set up the NAT? What do I put in:
Destination - any
Destination port range - 53
Redirect target IP - 127.0.0.1/32 or "this firewall"
Redirect target port - 53
Thanks,
Rob
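As an added example that is not part of this thread or the Zenarmor guide, the Python script below classifies tcpdump lines captured on the LAN and on the WAN interface separately, which is the check that tells the two captures in the thread apart. Clients sending port-53 queries to the firewall's LAN address are expected, because that is where Unbound listens; a LAN-side capture also shows a client's direct query to an outside resolver before the firewall block or NAT redirect acts on it, so it cannot confirm either rule. What proves the setup is the WAN-side capture: port 853 to the forwarder should be present and port 53 to the internet should be absent. The interface roles, the addresses (192.168.1.x LAN, 203.0.113.10 WAN, 9.9.9.9 forwarder) and the captured lines are constructed for the example; RFC1918 is interpreted the same way as the "! RFC1918" destination in the block rule above.

```python
"""Audit tcpdump output for DNS traffic that bypasses DNS over TLS.

Added example: not from the forum thread or the Zenarmor guide.
Interface roles, addresses and the captured lines are constructed.
Usage: tcpdump -i <lan_if> -n port 53 or port 853  (and again on <wan_if>),
then feed each capture to audit(lines, "lan") / audit(lines, "wan").
"""
import ipaddress
import re
from collections import Counter

# tcpdump -n prints "IP src.sport > dst.dport:" (IPv6 lines start with "IP6").
# An IPv4 address must have four octets, so an ICMP line without ports does
# not accidentally match "a.b.c.d" as address "a.b.c" plus port "d".
_ADDR = r"(?:(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)"
_LINE = re.compile(
    rf"^\S+ IP6? (?P<src>{_ADDR})\.(?P<sport>\d+) > (?P<dst>{_ADDR})\.(?P<dport>\d+):"
)

# Same networks as the "! RFC1918" destination used in the block rule.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(addr: str) -> bool:
    """True for RFC1918 and loopback destinations (where the local Unbound lives)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or (ip.version == 4 and any(ip in net for net in _RFC1918))


def parse_line(line: str):
    """Return (src, sport, dst, dport) for a TCP/UDP tcpdump line, else None."""
    m = _LINE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def classify(dst: str, dport: int, role: str) -> str:
    """Label a flow by what it means for the DoT setup on the given interface."""
    external = not is_local(dst)
    if dport == 853 and external:
        return "dot_upstream"      # Unbound talking TLS to its forwarder: expected on WAN
    if dport == 53 and not external:
        return "local_resolver"    # clients asking Unbound on port 53: expected on LAN
    if dport == 53:
        # On the LAN the capture sees the client's attempt before pf blocks or
        # redirects it; on the WAN the same thing means DNS is escaping in clear.
        return "client_bypass" if role == "lan" else "plaintext_leak"
    return "other"                 # replies, SYN-ACKs and anything else


def audit(lines, role: str) -> dict:
    """Count flow categories and list plaintext leaks (src, dst) seen on the WAN."""
    counts = Counter()
    leaks = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _sport, dst, dport = parsed
        label = classify(dst, dport, role)
        counts[label] += 1
        if label == "plaintext_leak":
            leaks.append((src, dst))
    return {"counts": dict(counts), "leaks": leaks}


# Constructed sample captures (not real traffic).
LAN_CAPTURE = [
    "12:00:01.000001 IP 192.168.1.50.51234 > 192.168.1.1.53: 41234+ A? example.com. (29)",
    "12:00:01.000002 IP 192.168.1.1.53 > 192.168.1.50.51234: 41234 1/0/0 A 93.184.216.34 (45)",
    "12:00:02.000001 IP 192.168.1.77.40000 > 1.1.1.1.53: 2222+ A? example.net. (29)",
    "12:00:03.000001 IP 192.168.1.50 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64",
]
WAN_CAPTURE = [
    "12:00:01.000101 IP 203.0.113.10.55012 > 9.9.9.9.853: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000202 IP 9.9.9.9.853 > 203.0.113.10.55012: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "12:00:05.000001 IP 203.0.113.10.60001 > 8.8.8.8.53: 7777+ A? leak.example. (30)",
]

if __name__ == "__main__":
    for role, capture in (("lan", LAN_CAPTURE), ("wan", WAN_CAPTURE)):
        result = audit(capture, role)
        print(role.upper(), result["counts"])
        for src, dst in result["leaks"]:
            print(f"  plaintext DNS leaving on WAN: {src} -> {dst}:53")
```

With the block rule and the NAT redirect in place, a healthy WAN capture shows only "dot_upstream" (and its replies) and an empty leak list; the "client_bypass" entries on the LAN side are the queries the redirect is meant to steer into Unbound.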