OPNsense Forum
English Forums => General Discussion => Topic started by: opnsenseuser on November 12, 2018, 01:41:36 pm
-
There is 1.1.1.1 and 9.9.9.9 but are there any other Servers?
I read on the internet that opendns is not recommended because they are related to hijacking nxdomain records and serving up their ad page?
does anyone know safe and fast dns server?
Thx,
Regards
Rene
-
https://dnscrypt.info/public-servers/
Some of them probably support plain dns. dnscrypt plugin will come in a few weeks ..
-
I have tried to check the link but apparently the website is down.
-
Hm, works for me
-
This morning I tried from my connection and VPN and it was down. I confirm it is back online now.
-
https://dnscrypt.info/public-servers/
Some of them probably support plain dns. dnscrypt plugin will come in a few weeks ..
I
Thx for your help.
Two questions:
1. how can i find out if my provider blocks my dns Servers? see https://www.dnsleaktest.com/what-is-transparent-dns-proxy.html
2. Does opnsense offer the possibility to do something about this?
3. how can i find out which dns Server of my list my Firewall currently uses?
Can i use nslookup on the Firewall?
Regards rene
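For question 1, the check the linked dnsleaktest article describes can be scripted: send an ordinary DNS query to an address that runs no resolver at all, and if an answer comes back anyway something on the path is intercepting port 53. The following is an added example written for this thread, not OPNsense or dnscrypt code; 192.0.2.1 (a documentation-range address) is assumed to run no DNS server, 9.9.9.9 is one of the resolvers named above, and the sender is injectable so the logic can be exercised without a network.

```python
"""Transparent DNS proxy probe (added example, not from the thread).

Send a plain UDP/53 query to an address that does NOT run a resolver.
A matching DNS response means a middlebox is answering on its behalf.
"""
import random
import socket
import struct
from typing import Callable, Optional

# Assumption: 192.0.2.1 lies in TEST-NET-1 (documentation range) and runs no DNS.
NON_RESOLVER = "192.0.2.1"
RESOLVER = "9.9.9.9"  # one of the public resolvers named in the thread


def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + question + struct.pack(">HH", qtype, 1)


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte header; enough to judge whether a real answer arrived."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": flags & 0x000F,
        "answers": an,
    }


def udp_send(target: str, payload: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Real sender: one UDP datagram to port 53, None if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (target, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def probe(target: str, qname: str = "example.com",
          send: Callable[[str, bytes], Optional[bytes]] = udp_send) -> dict:
    """Query one target and report whether a response with our ID came back."""
    txid = random.randrange(0, 0x10000)
    reply = send(target, build_query(qname, txid))
    if reply is None:
        return {"target": target, "answered": False}
    hdr = parse_header(reply)
    return {
        "target": target,
        "answered": hdr["is_response"] and hdr["id"] == txid,
        "rcode": hdr["rcode"],
        "answers": hdr["answers"],
    }


def transparent_proxy_suspected(send=udp_send) -> bool:
    """True when the non-resolver address answers DNS, i.e. port 53 is intercepted."""
    return probe(NON_RESOLVER, send=send)["answered"]


if __name__ == "__main__":
    print("resolver reachable:", probe(RESOLVER)["answered"])
    print("transparent proxy suspected:", transparent_proxy_suspected())
```

Run it from a LAN client or from the firewall itself; a "suspected" result on the WAN side but not on the LAN side tells you the interception happens upstream at the provider.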
-
Hm, works for me
ok, i found out that my provider uses a transparent dns proxy!
So my provider can log every visited website from me.
Can I do anything with opnsense here?
regards rené
-
Hi René
Can I do anything with opnsense here?
You currently have two options:
1. Find a better provider ;)
2. Sign up with a VPN and run all your outbound traffic through them
Once the dnscrypt plugin is added to OPNsense, this will no longer be a problem.
Bart...
-
Hi René
Can I do anything with opnsense here?
You currently have two options:
1. Find a better provider ;)
2. Sign up with a VPN and run all your outbound traffic through them
Once the dnscrypt plugin is added to OPNsense, this will no longer be a problem.
Bart...
thx for your help!
1. so if dnscrypt plugin is added i don't need to use vpn ?
2. does this work together with squid or is there no connection ?
regards
rené
-
Hi René,
Yes, DNS will flow securely through dnscrypt which will foil any attempt to transparently proxy the traffic, since that will be seen as a MITM attack. The two benefits of secure protocols are encryption and verification of endpoints.
Squid services a different protocol although it is susceptible to transparent proxies as well; your ISP can transparently inspect and proxy any HTTP traffic, but HTTPS traffic is protected.
Bart...
-
Hi René,
Yes, DNS will flow securely through dnscrypt which will foil any attempt to transparently proxy the traffic, since that will be seen as a MITM attack. The two benefits of secure protocols are encryption and verification of endpoints.
Squid services a different protocol although it is susceptible to transparent proxies as well; your ISP can transparently inspect and proxy any HTTP traffic, but HTTPS traffic is protected.
Bart...
Thx for your Information. :-)
In which opnsense release will the new plugin appear?
-
It's under review, just watch the open PRs
-
It's under review, just watch the open PRs
Hope to See this Plugin soon!
-
It's under review, just watch the open PRs
https://github.com/opnsense/plugins/pull/965 "merged" ! great work! :-)
is there also a howto in which I could solve the problem described by me!
i mean this -> "my provider uses a transparent dns proxy!" -> how can i solve this, so that my Provider can't read the sites i visited, using this plugin?
regards rené
-
With 18.7.8 you'll have a devel pkg to install, then you forward unbound to dnscrypt-proxy like here:
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/
Then your DNS is forwarded via port 853 so it won't be intercepted ...
-
With 18.7.8 you'll have a devel pkg to install, then you forward unbound to dnscrypt-proxy like here:
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/
Then your DNS is forwarded via port 853 so it won't be intercepted ...
that's really really great! thx very very much!! :-)
-
With 18.7.8 you'll have a devel pkg to install, then you forward unbound to dnscrypt-proxy like here:
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/
Then your DNS is forwarded via port 853 so it won't be intercepted ...
sorry, but on 18.7.8 i can't find the plugin!
-
It's in development mode, so you need -devel installed or type:
# pkg install os-dnscrypt-proxy-devel
Cheers,
Franco
-
It's in development mode, so you need -devel installed or type:
# pkg install os-dnscrypt-proxy-devel
Cheers,
Franco
so on 19.1 dev mode it isn't available?
regards,
René
-
I'm seeing it in the GUI list... os-dnscrypt-proxy-devel ... :)
-
I'm seeing it in the list GUI list... os-dnscrypt-proxy-devel ... :)
sorry, there is no new plugin!
1. i did opnsense-code core
2. i did opnsense-code plugin
3. cd /usr/core
4. make upgrade
5. did a restart -> no difference!
see my screenshot
-
only this
pkg install os-dnscrypt-proxy-devel
works for me
-
make upgrade in core only upgrades UI, not Kernel or Plugins or pkg .. :)
-
make upgrade in core only upgrades UI, not Kernel or Plugins or pkg .. :)
i also tried opnsense-update -kr 18.7.8
Fetching kernel-18.7.8-amd64.txz: .. failed
-
is not that important. it works with the help of
pkg install os-dnscrypt-proxy-devel
now without problems. Now it's time to configure.
Thanks again, best regards, René
-
make upgrade in core only upgrades UI, not Kernel or Plugins or pkg .. :)
i also tried opnsense-update -kr 18.7.8
Fetching kernel-18.7.8-amd64.txz: .. failed
only opnsense-update .. nothing else. -kr would install a kernel and 18.7.8 has no new kernel ;)
-
i have two vm's . on the first vm it doesn't work even after using opnsense-update
the other vm works without any problems.
@mimugmail thx for your support. :-)
@mimugmail will there be a documentation on opnsense wiki?
-
When it's stable, yes. At first you just need the redirect part for Unbound in the link I posted before.
Then enable the service, choose the values you insist, like nolog, dnssec etc. and the program searches the correct and fastest DNS servers for you.
-
As for DNS servers I don't recommend adguard.
I use uBLOCK Origin through firefox as a add on and it blocks much more than adguard. Not just a little bit but a whole lot like on one site 56 more blocks.
I'm also searching and trying DNS servers myself currently.
Trying to avoid IDS/IPS and anything that needs a proxy but it looks more and more like that might be the final solution.
-
I'm running dnscrypt here at home, added a Port Forward for every DNS request to localhost 5353 .. works great :)
-
@mimugmail where can i set the dns servers i want to use ? in the forwarders tab from dnscrypt?
see (forwarders screenshot)
is my setting right i did in the nat forwarding? i want that all lan1 clients use this plugin
see my screenshot
and do i need this if i want to use unbound for local dns resolutions? or can i enter my local dns server in forwarder tab to use my local dns server for local resolutions on my lan?
Fixed Unbound Config
When you think your setup runs stable and you still need your Unbound because of local overrides you can set BIND as your forwarder in Unbound. Just add this to your custom options field:
do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530
are these settings correct? see result dns-leak-test screenshot?
regards
rené
-
The DNS servers are chosen randomly from this list:
https://dnscrypt.info/public-servers
If you set "don't use servers which are logging" then the ones from this list won't be used, same for ad blocking and dnssec. That's why you will always fail for these tests ...
Just do a tcpdump on your WAN and port 53 .. you won't see any traffic ..
With forwards you can set your internal domain and a DNS server, yes.
-
The DNS servers are chosen randomly from this list:
https://dnscrypt.info/public-servers
If you set "don't use servers which are logging" then the ones from this list won't be used, same for ad blocking and dnssec. That's why you will always fail for these tests ...
Just do a tcpdump on your WAN and port 53 .. you won't see any traffic ..
With forwards you can set your internal domain and a DNS server, yes.
thx very much for your support! :-)
igb0 = WAN interface
if i use
tcpdump -i igb0 port 53
sorry, there is traffic!
16:07:08.136458 IP ns-614.awsdns-12.net.domain > router.athome.net.30111: 54844*- 6/4/1 A 54.201.6.28, A 54.187.176.55, A 52.35.215.194, A 34.212.119.231, A 52.35.21.241, A 52.88.72.192 (284)
16:07:08.139108 IP router.athome.net.59771 > arin.authdns.ripe.net.domain: 17769% [1au] A? 35.52.in-addr.arpa. (47)
16:07:08.144573 IP ns-620.awsdns-13.net.domain > router.athome.net.62110: 42129*- 1/4/1 PTR ns-614.awsdns-12.net. (228)
16:07:08.190337 IP arin.authdns.ripe.net.domain > router.athome.net.59771: 17769- 0/7/1 (388)
16:07:08.190731 IP router.athome.net.46171 > pdns1.ultradns.net.domain: 27101% [1au] A? 215.35.52.in-addr.arpa. (51)
16:07:08.217986 IP pdns1.ultradns.net.domain > router.athome.net.46171: 27101*- 0/1/1 (122)
16:07:08.218357 IP router.athome.net.43279 > pdns1.ultradns.net.domain: 36089% [1au] A? 194.215.35.52.in-addr.arpa. (55)
16:07:08.244808 IP pdns1.ultradns.net.domain > router.athome.net.43279: 36089*- 0/1/1 (126)
16:07:08.245180 IP router.athome.net.11939 > pdns1.ultradns.net.domain: 28605% [1au] PTR? 194.215.35.52.in-addr.arpa. (55)
16:07:08.272499 IP pdns1.ultradns.net.domain > router.athome.net.11939: 28605*- 1/5/1 PTR ec2-52-35-215-194.us-west-2.compute.amazonaws.com. (231)
16:07:08.875087 IP router.athome.net.57795 > ns-1986.awsdns-56.co.uk.domain: 1369% [1au] A? shavar.prod.mozaws.net. (51)
16:07:08.876142 IP router.athome.net.13163 > ns-101.awsdns-12.com.domain: 19146% [1au] A? 194.199.251.205.in-addr.arpa. (57)
16:07:08.894535 IP ns-1986.awsdns-56.co.uk.domain > router.athome.net.57795: 1369*- 6/4/1 A 34.211.202.13, A 54.187.144.104, A 52.34.90.23, A 52.89.170.53, A 52.33.113.226, A 54.200.76.177 (284)
16:07:08.895002 IP router.athome.net.11432 > ns-614.awsdns-12.net.domain: 8910% [1au] AAAA? shavar.prod.mozaws.net. (51)
16:07:08.909744 IP ns-101.awsdns-12.com.domain > router.athome.net.13163: 19146*- 0/1/1 (138)
16:07:08.910122 IP router.athome.net.6396 > ns-1372.awsdns-43.org.domain: 37693% [1au] PTR? 194.199.251.205.in-addr.arpa. (57)
16:07:08.917137 IP ns-614.awsdns-12.net.domain > router.athome.net.11432: 8910*- 0/1/1 (136)
16:07:08.919158 IP ns-1372.awsdns-43.org.domain > router.athome.net.6396: 37693*- 1/4/1 PTR ns-1986.awsdns-56.co.uk. (229)
16:07:08.919453 IP router.athome.net.58240 > ns-1372.awsdns-43.org.domain: 43454% [1au] PTR? 194.199.251.205.in-addr.arpa. (57)
16:07:08.929974 IP ns-1372.awsdns-43.org.domain > router.athome.net.58240: 43454*- 1/4/1 PTR ns-1986.awsdns-56.co.uk. (229)
2. i'm using squid as a transparent proxy. is it correct to use the dnscrypt proxy field "Proxy" ?
i set this to 127.0.0.1:3130
this is the ICP Port
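The capture above is worth reading line by line rather than just noting that traffic exists. The router itself is the source of the port-53 queries, the destinations are authoritative nameservers (awsdns, RIPE's authdns, UltraDNS) rather than a forwarder, and the replies carry tcpdump's `*` flag (authoritative answer), which is what a resolver doing its own iterative resolution looks like. The parser below is an added example written for this thread, not code from OPNsense, Unbound or dnscrypt-proxy; it reads tcpdump's default DNS line format, lists every query the router sends out on port 53 and to whom, and counts authoritative replies. The sample lines are a subset copied from the post above, ROUTER is the hostname as it appears there, and the `allowed` parameter (destinations that are fine to talk to on plain port 53) is a hypothetical knob.

```python
"""Summarise plain-DNS traffic in a tcpdump capture (added example, not from the thread).

Goal: the check suggested earlier in the thread. Once Unbound forwards everything
to a local dnscrypt-proxy, the router should send no queries to the Internet on
UDP/53. This script shows what still leaves, where it goes, and what the reply
flags say.
"""
import re
from collections import Counter

ROUTER = "router.athome.net"  # the router's name as it appears in the capture

# Sample lines copied from the post above (a subset of the capture).
SAMPLE = """\
16:07:08.136458 IP ns-614.awsdns-12.net.domain > router.athome.net.30111: 54844*- 6/4/1 A 54.201.6.28, A 54.187.176.55, A 52.35.215.194, A 34.212.119.231, A 52.35.21.241, A 52.88.72.192 (284)
16:07:08.139108 IP router.athome.net.59771 > arin.authdns.ripe.net.domain: 17769% [1au] A? 35.52.in-addr.arpa. (47)
16:07:08.190337 IP arin.authdns.ripe.net.domain > router.athome.net.59771: 17769- 0/7/1 (388)
16:07:08.190731 IP router.athome.net.46171 > pdns1.ultradns.net.domain: 27101% [1au] A? 215.35.52.in-addr.arpa. (51)
16:07:08.245180 IP router.athome.net.11939 > pdns1.ultradns.net.domain: 28605% [1au] PTR? 194.215.35.52.in-addr.arpa. (55)
16:07:08.272499 IP pdns1.ultradns.net.domain > router.athome.net.11939: 28605*- 1/5/1 PTR ec2-52-35-215-194.us-west-2.compute.amazonaws.com. (231)
16:07:08.875087 IP router.athome.net.57795 > ns-1986.awsdns-56.co.uk.domain: 1369% [1au] A? shavar.prod.mozaws.net. (51)
16:07:08.894535 IP ns-1986.awsdns-56.co.uk.domain > router.athome.net.57795: 1369*- 6/4/1 A 34.211.202.13, A 54.187.144.104, A 52.34.90.23, A 52.89.170.53, A 52.33.113.226, A 54.200.76.177 (284)
16:07:08.895002 IP router.athome.net.11432 > ns-614.awsdns-12.net.domain: 8910% [1au] AAAA? shavar.prod.mozaws.net. (51)
""".splitlines()

LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<body>.*)$")
QUERY = re.compile(r"^(?P<id>\d+)(?P<flags>[+%*|$-]*)\s*(\[\w+\]\s*)?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")
RESPONSE = re.compile(r"^(?P<id>\d+)(?P<flags>[+%*|$-]*)\s*(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")

# tcpdump's one-character DNS header flags
FLAG_NAMES = {"+": "rd", "*": "aa", "-": "no-ra", "|": "tc", "$": "ad", "%": "cd"}


def split_host_port(endpoint):
    """'host.name.port' -> (host.name, port); tcpdump prints 53 as 'domain'."""
    host, port = endpoint.rsplit(".", 1)
    return host, 53 if port == "domain" else int(port)


def parse_line(line):
    """One tcpdump line -> dict, or None if it is not a DNS line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, sport = split_host_port(m["src"])
    dst, dport = split_host_port(m["dst"])
    rec = {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport}
    q, r = QUERY.match(m["body"]), RESPONSE.match(m["body"])
    if q:
        rec.update(kind="query", id=int(q["id"]), qtype=q["qtype"], qname=q["qname"],
                   flags={FLAG_NAMES[c] for c in q["flags"]})
    elif r:
        rec.update(kind="response", id=int(r["id"]), answers=int(r["an"]),
                   flags={FLAG_NAMES[c] for c in r["flags"]})
    else:
        rec["kind"] = "other"
    return rec


def outbound_plain_dns(lines, router=ROUTER, allowed=()):
    """Queries the router sent on port 53 to any destination not in `allowed`."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["kind"] == "query" and rec["src"] == router
                and rec["dport"] == 53 and rec["dst"] not in allowed):
            out.append(rec)
    return out


def summarise(lines, router=ROUTER, allowed=()):
    """Counts a defender wants: what left on port 53, to whom, and how it was answered."""
    leaks = outbound_plain_dns(lines, router, allowed)
    authoritative = 0
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "response" and rec["dst"] == router and "aa" in rec["flags"]:
            authoritative += 1
    return {
        "outbound_queries": len(leaks),
        "by_destination": Counter(r["dst"] for r in leaks),
        "by_qtype": Counter(r["qtype"] for r in leaks),
        "authoritative_replies": authoritative,
    }


if __name__ == "__main__":
    # In practice: tcpdump -i igb0 -n -l port 53 | python3 thisfile.py style piping;
    # here the constructed sample is used instead.
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

A clean forward-only setup should give zero outbound queries here; authoritative replies from public nameservers mean the resolver is still iterating on its own, so the Unbound forward-zone configuration (or its ordering against other forwarders) is the place to look.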
-
I have to think about transparent proxy ... sorry :(
-
I have to think about transparent proxy ... sorry :(
I made a Feature request on github!
https://github.com/opnsense/plugins/issues/1014 (https://github.com/opnsense/plugins/issues/1014)
Regards rene
-
I have to think about transparent proxy ... sorry :(
one last question!
Before i installed dnscrypt, i created a rule on each of my lan nets that explicitly allows dns port 53 to my router (192.168.1.1).
Can I leave the rule for dnscrypt like this? (see my screenshot)
-
When you do port forward it's not needed
-
When you do port forward it's not needed
only problem is, if i disable the rule i'm not able anymore to make an nslookup to my router.athome.net address.
it says unknown. if i enable the rule everything is fine again!
regards, rené
-
Check the logs in etc folder of dnscrypt
-
Check the logs in etc folder of dnscrypt
query.log
[2018-11-23 23:59:28] 192.168.1.6 1.1.168.192.in-addr.arpa PTR NXDOMAIN
[2018-11-23 23:59:28] 192.168.1.6 1.1.168.192.in-addr.arpa PTR NXDOMAIN
dnscrypt-proxy.log
nothing relevant
nslookup windows cmd: (german)
C:\>nslookup 192.168.1.1
Server: UnKnown
Address: 192.168.1.1
*** 192.168.1.1 wurde von UnKnown nicht gefunden: Non-existent domain.
-
i figured out that even if i enable the lan to 192.168.1.1 port 53 dns rule it's not working.
it only works if i disable the nat rule from dnscrypt.
this is the nat rule (screenshot)