OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Ricardo on November 06, 2018, 01:44:57 pm

Title: Note for config hardening of Unbound interface
Post by: Ricardo on November 06, 2018, 01:44:57 pm
Hello,

just wanted to record this as a note to anyone, who falls into the same trap:

If you want to be on the safe side and are worried about the default config:

Services \ Unbound DNS \ General \ Network interfaces:

Interface IPs used by the DNS Resolver for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

So I wanted to allow access only from the LAN, and did not want to provide any access to my local DNS from the WAN. In this case, make sure you add both "LAN" and "localhost" to the "Network interfaces"!

If you forget to add "localhost" to the Network interfaces, you will break name resolution on the OPNsense box itself, as by default OPNsense assumes 127.0.0.1 as the primary nameserver.
Unless System \ Settings \ General \ "Do not use the local DNS service as a nameserver for this system" is enabled. (By default localhost (127.0.0.1) will be used as the first nameserver when e.g. Dnsmasq or Unbound is enabled, so the system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.)
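A pre-flight check for the trap described above, added here as an example and not part of the post or of OPNsense itself: it compares the interface: lines Unbound will bind against the nameserver entries the box resolves with, and reports any local nameserver (127.x / ::1) that the restricted resolver would no longer answer on. Both config samples are constructed; on a live system you would feed it the generated unbound.conf and /etc/resolv.conf.

```shell
#!/bin/sh
# Constructed sample: the listener block Unbound ends up with when only
# "LAN" is selected (localhost forgotten), and a resolv.conf that still
# lists 127.0.0.1 first, as OPNsense does by default.
UNBOUND_CONF_SAMPLE='server:
    interface: 192.168.1.1
    interface: fd00::1
    access-control: 192.168.1.0/24 allow
'
RESOLV_CONF_SAMPLE='nameserver 127.0.0.1
nameserver 9.9.9.9
'

# listeners CONF: print the addresses Unbound is told to bind, one per
# line, with any @port suffix stripped.
listeners() {
  printf '%s' "$1" | awk '$1=="interface:"{sub(/@.*/,"",$2); print $2}'
}

# served_locally ADDR LISTENERS: succeed if ADDR is bound explicitly or via
# the matching wildcard (0.0.0.0 for IPv4, :: for IPv6).
served_locally() {
  case "$1" in
    *:*) wildcard='::' ;;
    *)   wildcard='0.0.0.0' ;;
  esac
  printf '%s\n' "$2" | grep -Fxq -e "$1" -e "$wildcard"
}

# resolv_unserved UNBOUND_CONF RESOLV_CONF: print each loopback nameserver
# from resolv.conf that the local Unbound will NOT answer on. Empty output
# means the box keeps working name resolution after the restriction.
resolv_unserved() {
  _ifaces=$(listeners "$1")
  printf '%s' "$2" | awk '$1=="nameserver"{print $2}' | while read -r ns; do
    case "$ns" in
      127.*|::1) served_locally "$ns" "$_ifaces" || echo "$ns" ;;
    esac
  done
}

# On the constructed samples this prints 127.0.0.1: the box would lose
# its own name resolution until "localhost" is added to the listeners.
resolv_unserved "$UNBOUND_CONF_SAMPLE" "$RESOLV_CONF_SAMPLE"
```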
Title: Re: Note for config hardening of Unbound interface
Post by: franco on November 06, 2018, 11:05:35 pm
Hi Ricardo,

That's only partly true. While Unbound listens to all (0.0.0.0 and ::) WAN access is blocked by default via the firewall.

Binding specific interfaces can break setups, subtle or not so subtle, now or in the future when you forgot all about the hardening done in the first place.

In 19.1 "localhost" will always be an automatic listen (at least 127.0.0.1 anyway). Unbound until 18.7 still uses an old-school approach so that gives extra trouble.


Cheers,
Franco
Title: Re: Note for config hardening of Unbound interface
Post by: Ricardo on November 27, 2018, 12:43:32 pm
Hi Ricardo,

That's only partly true. While Unbound listens to all (0.0.0.0 and ::) WAN access is blocked by default via the firewall.

Binding specific interfaces can break setups, subtle or not so subtle, now or in the future when you forgot all about the hardening done in the first place.

In 19.1 "localhost" will always be an automatic listen (at least 127.0.0.1 anyway). Unbound until 18.7 still uses an old-school approach so that gives extra trouble.


Cheers,
Franco

Noted. I agree that "default block all" should catch such traffic, but it's always better to stop traffic as close to the source as possible. Limiting listening interfaces for name resolution is a good way to eliminate even the chance of being part of a DNS amplification attack, simply because the DNS server is unreachable from the WAN IP. A firewall misconfig may open the door, so it's safer if the service explicitly cannot communicate on that IP. But I agree that it may cause other side effects.
Same with NTP service. Limiting to the LAN, and not even listening on the WAN interface is also a preventive step.