Hi everyone,
I'm trying to force all DNS traffic through my Unbound resolver on OPNsense for both IPv4 and IPv6. Here's what I have configured:
Two Destination NAT Rules, one IPv4 and one IPv6 (Redirect DNS 53 to Unbound)
Sequence: 100
Description: Reroute Port 53
Interface: LAN
Version: IPv4
Protocol: TCP/UDP
Source:
(Advanced) Invert Destination: ✔ checked
Destination:
Destination Address: LAN address
Destination Port: 53 (single port)
Translation:
Redirect Target IP: Loopback network
Redirect Target Port: 53 (single port)
Pool Options: Default
Options:
No RDR (NOT): unchecked
Log: unchecked
No XMLRPC Sync: unchecked
NAT Reflection: Disabled
Set Tag / Match Tag: empty
Firewall Rule: Pass
LAN Firewall Rule (Block Outgoing DNS 53)
Quick: ✔ checked
Action: Block
Interface: LAN
Protocol: TCP/UDP
Direction: Out
Version: IPv4+IPv6
Source: Any
Destination: Any
Destination Port: 53
Destination NAT rule: Redirect all port 53 traffic (TCP/UDP) from LAN to Unbound (loopback).
LAN firewall rule: Block all outgoing port 53 (to force clients to use Unbound).
The problem:
With these three rules enabled, my Chromecast cannot connect to Wi-Fi.
If I disable both rules, including the LAN block rule, Chromecast works fine.
I also tried setting Google DNS (8.8.8.8 / 8.8.4.4) in Unbound with no block rules, but it still doesn't work.
I'm not sure why blocking port 53 + NAT is breaking Chromecast.
Seems like I just had to set 127.0.0.1 for IPv4 and ::1 for IPv6 instead of Loopback Network ...
Quote from: MrHappyHippo on Today at 04:33:51 PM
Seems like I just had to set 127.0.0.1 for IPv4 and ::1 for IPv6 instead of Loopback Network ...
::1 is a bit of a pitfall in DNAT rules. OPNsense needs a routable IP as the redirect target, so this doesn't work. You can set up a ULA on loopback for this purpose.
Your Chromecast is probably using DNS over IPv4 if it's working now, or it's going direct to the IPv6 listener address.
BTW, I recently also learned that you don't need DNS over both protocols at all. DNS is DNS... whether it's over IPv4 or IPv6 doesn't matter. It can serve A and AAAA records all the same. So, in a dual stack network, it's often much simpler to just run DNS over IPv4 exclusively. This is especially true if you have dynamic prefixes and need to define ACLs or networks for DNSBL policies in Unbound (only possible with ULAs in that case).
I have a dynamic prefix. I'll try to fix it with a ULA instead.
Good point as well about DNS only needing one protocol.
If you use destination NAT with 127.0.0.1, whatever the service and completely independent of OPNsense, the reply packets are generated with a source address of 127.0.0.1, which is then source NATed back to the public address to achieve bidirectional flow.
In the case of ::1 the relevant RFC explicitly forbids ("MUST NOT") a packet with a source of ::1 ever leaving a compliant system. So the FreeBSD network stack drops every IPv6 packet with a loopback source that does not also have a loopback destination.
That's why it does not work with IPv6.
Would it be possible to use the Alias "This Firewall" as the redirect target instead of the ULA address? I guess not, since it's also a set of addresses and not a single address. My issue is that I think it behaves dynamically, meaning its value may depend on where it is used.
Quote from: MrHappyHippo on Today at 09:38:16 PM
Would it be possible to use the Alias "This Firewall" as the redirect target instead of the ULA address?
No.
Define an arbitrary ULA, assign to lo0 with /128 netmask, use that.
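To make the loopback-source explanation and the "ULA on lo0" advice from the replies above concrete, here is an added example (not from this thread, OPNsense or FreeBSD) that models the check a compliant stack applies to the reply packet and classifies a DNAT redirect target accordingly; the function names and the client addresses are my own constructed assumptions.

```python
import ipaddress

# Unique local address range (RFC 4193); the advice above is to put one of
# these on lo0 with a /128 mask and use it as the IPv6 redirect target.
ULA = ipaddress.ip_network("fc00::/7")


def reply_leaves_host(src: str, dst: str) -> bool:
    """Would a compliant stack transmit a reply with this source/destination?

    IPv4: a 127.0.0.1-sourced reply is fine, because pf reverses the DNAT
    translation on the way out. IPv6: a ::1 source is only valid when the
    destination is also loopback; FreeBSD drops it otherwise, before any
    NAT rewrite can help (the MUST NOT in RFC 4291).
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address family mismatch")
    if s.version == 6 and s.is_loopback:
        return d.is_loopback
    return True


def check_redirect_target(target: str, client: str) -> tuple[bool, str]:
    """Classify a DNAT redirect target for DNS clients at `client`.

    Returns (usable, reason): usable means Unbound's reply, sent from the
    redirect target back to the client, would actually leave the firewall.
    """
    t = ipaddress.ip_address(target)
    c = ipaddress.ip_address(client)
    if t.version != c.version:
        return False, "redirect target and client are different IP versions"
    if not reply_leaves_host(target, client):
        return False, "::1 source is dropped by the stack; put a ULA on lo0 instead"
    if t.version == 6 and t in ULA:
        return True, "ULA on lo0 is a routable source, works"
    if t.is_loopback:
        return True, "127.0.0.1 reply is source-NATed back to the client, works"
    return True, "routable address, works"


if __name__ == "__main__":
    # Constructed sample: the two targets from the thread plus the ULA fix.
    client4, client6 = "192.0.2.10", "2001:db8::10"
    for target, client in [("127.0.0.1", client4), ("::1", client6),
                           ("fd12:3456:789a::53", client6)]:
        print(target, "->", check_redirect_target(target, client))
```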