OPNsense Forum

English Forums => General Discussion => Topic started by: OPNenthu on June 09, 2026, 11:44:12 AM

Title: Roku DNS storm is impacting OPNsense
Post by: OPNenthu on June 09, 2026, 11:44:12 AM
I'm seeing this exact issue: https://github.com/FreshTomato-Project/freshtomato-arm/issues/268

My parents have a Roku box that just started flooding DNS to its telemetry endpoints which are blocked by DNSBL policy.  I'm seeing millions of requests in the reporting period (I think OPNsense keeps last 24 hrs).  The only issue is that it's causing log buildup which is overwhelming the system.  Memory use went from ~20% (baseline) to over 60%, mostly due to Unbound's logger (attached).  The Unbound reporting is taking half a minute to load.  Also seeing slowdowns in the live view and Firewall widget loading.

top-blocked.webp

What I did remotely was to force the WiFi client to reconnect via the UniFi console.  Unfortunately it immediately started spamming DNS again once it reconnected.  For the moment I've blocked the device from internet access.

The recommendation in the GH link is to redirect the telemetry endpoint to some blackhole IP instead of 0.0.0.0.  I think that could end up being a maintenance issue if the hostnames change, so I'm wondering if I can instead rate limit the DNS requests just from this device?  A quick forum search seems to indicate there's no way to do that, but I'm not sure.  Appreciate tips on how to best proceed (short of throwing the Roku in the trash).
Title: Re: Roku DNS storm is impacting OPNsense
Post by: WN1X on June 09, 2026, 12:17:47 PM
Why not redirect the Roku to 127.0.0.1, letting it spam itself?
Title: Re: Roku DNS storm is impacting OPNsense
Post by: OPNenthu on June 09, 2026, 12:34:08 PM
It was tried (4th comment in the ticket) and apparently only worked initially.

Worth a shot, though.

(EDIT): I think the problem is that I would have to set up an alias with the specific telemetry endpoints to use as the destination in the DNAT rule.  Roku apparently has many such endpoints.  I can't keep such a list manually updated and reliable.

For example, in my logs it's spamming "brewster.logs.roku.com" but in the logs in the linked ticket it's spamming "bayside.logs.roku.com".
Title: Re: Roku DNS storm is impacting OPNsense
Post by: Monviech (Cedrik) on June 09, 2026, 12:50:08 PM
You might be able to use a firewall overload table combined with a block rule.

If your DNS rule matches and too many requests are sent then the client will be added to the defined overload table.

Then with a block rule before the dns allow rule, that client will then be blocked for some time.

But that would block all DNS traffic of that client. So kinda moot if it should still be allowed "something" and only telemetry should be blackholed.

If the telemetry endpoints are all under some certain wildcard domains you could also use a dnsmasq ipset alias to banish them to the shadow realm.
https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset

Title: Re: Roku DNS storm is impacting OPNsense
Post by: Patrick M. Hausen on June 09, 2026, 12:52:34 PM
In AdGuard Home you could do something like this:

rewrites:
  - domain: '*.logs.roku.com'
    answer: 127.0.0.1

And in Unbound:

(https://forum.opnsense.org/index.php?action=dlattach;attach=55695;image)
Title: Re: Roku DNS storm is impacting OPNsense
Post by: OPNenthu on June 09, 2026, 01:39:55 PM
Thank you, I added the host override in DNS but it looks like the Roku doesn't want to shut up.  I tried both 127.0.0.1 and 192.168.254.254.  The log spam continues.

Quote from: Monviech (Cedrik) on Today at 12:50:08 PM
But that would block all DNS traffic of that client. So kinda moot if it should still be allowed "something" and only telemetry should be blackholed.

If the telemetry endpoints are all under some certain wildcard domains you could also use a dnsmasq ipset alias to banish them to the shadow realm.
https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset

Yeah, I need for it to stay connected so they can watch TV and only the DNS spam should be controlled.  A firewall rule for all *.logs.roku.com would let me disable logging so that could possibly do the trick, as long as they don't change it.  Thanks, will look into this.

Long term, it would be nice for OPNsense to have a rate limiting function :)
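To go with the overload-table and rate-limiting discussion above, here is an added example (not from the thread, OPNsense or Unbound) that scripts the "which client is storming, and at what rate" step: it parses Unbound query-log lines (the "info: <client> <qname> <qtype> <qclass>" tail that log-queries: yes writes) and reports clients whose queries within a sliding window exceed a threshold, optionally only for names under a suffix such as logs.roku.com. The ISO timestamp prefix, the 192.168.1.x addresses and all sample lines are constructed.

```python
"""Find per-client DNS query storms in Unbound query-log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Tail written by Unbound with log-queries: yes; the ISO timestamp prefix is an
# assumption for the constructed sample below (adjust it to your syslog format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}).*?info: "
    r"(?P<client>[0-9a-fA-F.:]+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)

def parse_line(line):
    """Return (timestamp, client, qname) or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["client"], m["qname"].rstrip(".").lower()

def find_storms(lines, window=timedelta(seconds=60), threshold=100, suffix=None):
    """Map client -> peak query count seen inside any `window`, for clients at or
    above `threshold`. With `suffix`, only names equal to or under it are counted."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        if suffix and not (qname == suffix or qname.endswith("." + suffix)):
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        peaks[client] = max(peaks.get(client, 0), len(q))
    return {c: n for c, n in peaks.items() if n >= threshold}

def sample_log():
    """Constructed sample, not real data: one chatty box and one quiet laptop."""
    base = datetime(2026, 6, 9, 11, 44, 0)
    fmt = "{:%Y-%m-%dT%H:%M:%S} unbound[1234:0] info: {} {}. A IN"
    lines = ["2026-06-09T11:44:00 unbound[1234:0] info: start of service"]
    for i in range(300):  # 10 queries per second for 30 s from the streaming box
        lines.append(fmt.format(base + timedelta(seconds=i // 10), "192.168.1.50", "brewster.logs.roku.com"))
    for i in range(5):
        lines.append(fmt.format(base + timedelta(seconds=i * 7), "192.168.1.20", "example.com"))
    return lines

if __name__ == "__main__":
    for client, n in find_storms(sample_log(), suffix="logs.roku.com").items():
        print(f"{client}: peak {n} queries in 60 s to *.logs.roku.com")
```

The report only identifies offenders; feeding the resulting addresses into a firewall alias or overload table is still a manual step.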