OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Amanaki on January 13, 2019, 04:19:12 am

Title: Firewall Rules for DNSCrypt Proxy v2
Post by: Amanaki on January 13, 2019, 04:19:12 am
Hi all,

So, I am NOT using the new os-dnscrypt-proxy plugin as it does not yet support DNS blocking.

That said, I installed v2 manually and can confirm it is working as expected on my LAN network.

However, I have a number of VLANs and I want to know what/if any firewall rules I need to place to cater for dnscrypt-proxy.

I have enclosed a screenshot of what I have so far on one of the VLANs but cannot confirm it is working.

Help anyone?

Thanks,
Amanaki
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: mimugmail on January 13, 2019, 07:32:25 am
Do you see blocked packets related to dnscrypt?
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: Amanaki on January 13, 2019, 11:02:11 am
@mimugmail - No, nothing is being blocked at all.

Do I even need to create these rules on each interface?

Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: mimugmail on January 13, 2019, 01:28:28 pm
Yep, or does the daemon listen on all these interfaces?
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: Amanaki on January 13, 2019, 01:34:25 pm
OK, thank you.

So I have attached a screenshot of the rules for one of my VLAN networks.

Care to look over it for me and confirm it's okay?

Also, I run three separate VPN clients. Do I need the same for them?

Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: mimugmail on January 13, 2019, 03:26:07 pm
The question is which DNS server do the clients in other networks query?
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: Amanaki on January 13, 2019, 03:32:36 pm
Please excuse me mimugmail..

"The question is which DNS server do the clients in other networks query?"

I'm not following you. What do you mean by this question?

I do not have any DNS servers configured inside System -> Settings -> General.

In Unbound, I have my interfaces selected as per the attached screenshot, and for outgoing network interfaces I have selected localhost.

I have the following settings in Unbound -> additional config:

server:
    do-not-query-localhost: no
    private-domain: "plex.direct"

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

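With the layout in this post (Unbound listening on the VLAN interfaces and forwarding everything to dnscrypt-proxy on 127.0.0.1:5353), the only DNS traffic that ever crosses a VLAN boundary is client to Unbound on that interface's own address; nothing on a VLAN talks to dnscrypt-proxy directly, so the proxy itself needs no per-interface rules. As an added illustration (not part of the thread, and not the ruleset OPNsense generates from its GUI), the following shell snippet writes out what the per-VLAN rules amount to in pf(4) syntax: allow port 53 to the interface address, and reject any other port-53 destination so a client with a hard-coded resolver cannot bypass Unbound and the dnscrypt-proxy blocklist. Interface names and networks are assumed values.

```shell
#!/bin/sh
# Added illustration, not the ruleset OPNsense generates from the GUI: what the
# per-VLAN rules for this layout amount to, in pf(4) syntax.  Unbound is bound to
# each VLAN interface and dnscrypt-proxy only to 127.0.0.1:5353, so clients never
# talk to dnscrypt-proxy at all; the only DNS that crosses a VLAN boundary is
# client -> Unbound on that interface's own address, and that is the one thing
# to allow.  Interface names and networks below are assumed (constructed sample).
VLANS='vlan10 192.168.10.0/24
vlan20 192.168.20.0/24
vlan30 192.168.30.0/24'

dns_rules() {                   # $1 = pf interface, $2 = its network -> rules on stdout
    cat <<EOF
# $1: clients may reach only the resolver on this interface's own address
pass in quick on $1 inet proto { udp, tcp } from $2 to ($1) port 53 keep state
# a client with a hard-coded public resolver would skip Unbound, dnscrypt-proxy
# and its blocklist entirely, so refuse (and log) any other port-53 destination
block return in log quick on $1 inet proto { udp, tcp } from $2 to any port 53
EOF
}

all_dns_rules() {               # rules for every entry in $VLANS
    printf '%s\n' "$VLANS" | while read -r ifc net; do
        [ -n "$ifc" ] && dns_rules "$ifc" "$net"
    done
}

rule_count() {                  # rule lines emitted (comments excluded)
    all_dns_rules | grep -c -E '^(pass|block) '
}

all_dns_rules
```

The pass rule references the interface in parentheses so pf tracks the interface's address if it changes; the block rule uses `return` rather than a silent drop so a misconfigured client fails fast instead of timing out.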
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: Amanaki on January 14, 2019, 02:57:11 am
Help with my question anyone?
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: mimugmail on January 14, 2019, 06:15:04 am
Can you check the logs of dnscrypt via CLI? There should be something.
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: Amanaki on January 14, 2019, 08:21:32 am
OK, below I have enclosed the dnscrypt-proxy daemon logs and CLI test outputs.

Code:
[2019-01-14 14:08:44] [NOTICE] dnscrypt-proxy 2.0.19
[2019-01-14 14:08:44] [NOTICE] Loading the set of blocking rules from [/usr/local/etc/dnscrypt-proxy/domains-blacklist]
[2019-01-14 14:08:45] [NOTICE] Loading the set of forwarding rules from [/usr/local/etc/dnscrypt-proxy/forwarding-rules]
[2019-01-14 14:08:45] [NOTICE] Loading the set of IP blocking rules from [/usr/local/etc/dnscrypt-proxy/domains-ip-blacklist]
[2019-01-14 14:08:45] [NOTICE] Now listening to 127.0.0.1:5353 [UDP]
[2019-01-14 14:08:45] [NOTICE] Now listening to 127.0.0.1:5353 [TCP]
[2019-01-14 14:08:46] [NOTICE] [cloudflare] OK (DoH) - rtt: 31ms

Code:
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.c10r.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.c10r.facebook.com A PASS
[2019-01-14 18:10:36] 127.0.0.1 cdn.fbsbx.com A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 scontent.xx.fbcdn.net A PASS
[2019-01-14 18:10:37] 127.0.0.1 fbsbx.com DS PASS


Code:
root@OPNsense:~ # ps ax | grep dnscrypt
50066  -  Is     0:00.00 daemon: /usr/local/sbin/dnscrypt-proxy[50151] (daemon)
50151  -  I      1:32.52 /usr/local/sbin/dnscrypt-proxy -config /usr/local/etc/
71046  0  S+     0:00.01 grep dnscrypt

Code:
root@OPNsense:~ # drill -p 53 opnsense.org @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 926
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; opnsense.org.        IN      A

;; ANSWER SECTION:
opnsense.org.   508     IN      A       81.171.2.181

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 241 msec
;; SERVER: 127.0.0.1
;; WHEN: Redacted
;; MSG SIZE  rcvd: 46


Code:
root@OPNsense:~ # drill -p 5353 opnsense.org @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8169
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; opnsense.org.        IN      A

;; ANSWER SECTION:
opnsense.org.   599     IN      A       81.171.2.181

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 18 msec
;; EDNS: version 0; flags: ; udp: 1452
;; SERVER: 127.0.0.1
;; WHEN: Mon Jan 14 17:59:46 2019
;; MSG SIZE  rcvd: 69


Code:
root@OPNsense:~ # dnscrypt-proxy -resolve dnscrypt.me
Resolving [dnscrypt.me]

Domain exists:  yes, 2 name servers found
Canonical name: dnscrypt.me.
IP addresses:   104.31.74.114, 104.31.75.114
TXT records:    v=spf1 include:spf.messagingengine.com ?all
Resolver IP:    194.132.32.23 (dns2.ipredator.se.)

Code:
root@OPNsense:~ # drill -p 53 google.com @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 31403
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.  IN      A

;; ANSWER SECTION:
google.com.     599     IN      A       216.58.199.78

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 53 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Jan 14 18:06:34 2019
;; MSG SIZE  rcvd: 44
root@OPNsense:~ #

Can you spot anything out of the ordinary?

Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: mimugmail on January 14, 2019, 09:08:37 am
This seems very good; then it must be something with the forwarding from Unbound to dnscrypt.
Can you check the Unbound logs too?
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: Amanaki on January 14, 2019, 10:37:32 am
I am not familiar with any CLI commands for Unbound, but I assume this is what you were after.

Code:
unbound: [21146:1] info: generate keytag query _ta-4f66. NULL IN
unbound: [21146:2] info: generate keytag query _ta-4f66. NULL IN
unbound: [21146:0] info: start of service (unbound 1.8.3).
unbound: [21146:0] notice: init module 1: iterator
unbound: [21146:0] notice: init module 0: validator
unbound: [86555:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
unbound: [86555:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
unbound: [86555:0] info: service stopped (unbound 1.8.3).
unbound: [86555:0] info: start of service (unbound 1.8.3).
unbound: [86555:0] notice: init module 1: iterator
unbound: [86555:0] notice: init module 0: validator
unbound: [86555:0] notice: Restart of unbound 1.8.3.

Below are the settings I have for dnscrypt-proxy and Unbound. I can post my entire .toml file if you need it as well. Note I use Plex and do not use any IPv6 at all.

The dnscrypt-proxy .toml file includes the following forwarding rules:

Code:
lan 127.0.0.1
10.in-addr.arpa 127.0.0.1
192.in-addr.arpa 127.0.0.1
254.169.in-addr.arpa 127.0.0.1

Unbound additional config includes:

Code:
server:
    do-not-query-localhost: no
    private-domain: "plex.direct"

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

The thing that really strikes me about this is that when I was an OpenWRT user, I always got dnsleak tests back with the country I was connected to. For example, if my server selection in the .toml file was set to cloudflare, then if I connected my VPN client to NL for instance, the dnsleak test would show the cloudflare server as being in NL as opposed to my home country.

Thanks again for taking the time to help out. I am keen to get to the bottom of this issue.

Amanaki
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: mimugmail on January 14, 2019, 12:03:28 pm
First you have to check if the forwarding works. Use an internal client with a DNS request to a domain which is not cached. If forwarding from Unbound to dnscrypt works, you should see it in the logs of dnscrypt. If yes, then we can go further...
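To run the check described in this reply without guesswork, here is an added shell script (my example, not code from the thread or from the dnscrypt-proxy or OPNsense projects). It checks each link of the chain the posts describe: that Unbound's additional config forwards "." to 127.0.0.1@5353, that dnscrypt-proxy is bound only to loopback, that a cache-busting probe name sent to Unbound shows up in the dnscrypt-proxy query log, and that every query in that log came from 127.0.0.1 (i.e. via Unbound). The query-log path, the Unbound config path and the `sockstat` output format are assumptions, marked in the comments. The sample inputs at the bottom are constructed so the parsing functions run offline (the log lines are the ones posted in the thread plus one made-up entry from a non-loopback client); set `RUN_LIVE=1` on the firewall to run the live probe.

```shell
#!/bin/sh
# Added example, not from the thread: check each link of the chain
#   client -> Unbound (port 53 on the interface address)
#          -> dnscrypt-proxy (127.0.0.1:5353, as posted above) -> encrypted upstream
# Assumed paths: $QUERY_LOG is the file named by query_log.file in dnscrypt-proxy.toml,
# $UNBOUND_CONF is the rendered Unbound config carrying the "additional config".
QUERY_LOG="${QUERY_LOG:-/var/log/dnscrypt-proxy/query.log}"
UNBOUND_CONF="${UNBOUND_CONF:-/var/unbound/unbound.conf}"
DNSCRYPT_ADDR="127.0.0.1@5353"

# 1. Does Unbound forward "." to dnscrypt-proxy?  Tolerates the missing space
#    after "forward-addr:" seen in the posted snippet.
has_forward_zone() {            # $1 = unbound config, $2 = expected forward-addr
    awk -v want="$2" '
        /^[ \t]*forward-zone:/ { inzone = 1; name = ""; next }
        inzone && /^[ \t]*name:/ { sub(/^[ \t]*name:[ \t]*"?/, ""); sub(/"?[ \t]*$/, ""); name = $0; next }
        inzone && /^[ \t]*forward-addr:/ {
            sub(/^[ \t]*forward-addr:[ \t]*/, ""); sub(/[ \t]*$/, "")
            if (name == "." && $0 == want) found = 1
            next }
        inzone && /^[ \t]*forward-/ { next }        # forward-first:, forward-tls-upstream:
        /^[ \t]*[a-z-]+:/ { inzone = 0 }            # any other clause ends the zone
        END { exit found ? 0 : 1 }' "$1"
}

# 2. Where is dnscrypt-proxy listening?  Feed it saved `sockstat -4l` output
#    (FreeBSD; the COMMAND column is truncated to 10 characters).  Anything but
#    127.0.0.1:5353 would be reachable from a VLAN and need its own firewall rules.
dnscrypt_listeners() {          # $1 = saved sockstat output -> local addresses
    awk '$2 ~ /^dnscrypt/ { print $6 }' "$1" | sort -u
}
only_loopback() {
    [ -n "$(dnscrypt_listeners "$1")" ] || return 1
    dnscrypt_listeners "$1" | grep -qv '^127\.0\.0\.1:5353$' && return 1
    return 0
}

# 3. A name nobody has asked for yet, so Unbound cannot answer it from cache
#    and has to forward it (the test suggested in the reply above).
probe_name() {                  # $1 = zone to hang the probe under
    printf 'probe-%s-%s.%s\n' "$(date +%s)" "$$" "$1"
}

# 4. Query-log checks.  Line format as posted: [date time] client name type verdict
log_has_name() {                # $1 = query log, $2 = name
    awk -v n="$2" 'tolower($4) == tolower(n) { hit = 1 } END { exit hit ? 0 : 1 }' "$1"
}
verdict_summary() {             # "VERDICT count" per line; REJECT lines are the blocklist working
    awk '{ c[$6]++ } END { for (v in c) print v, c[v] }' "$1" | sort
}
foreign_clients() {             # every query should come from 127.0.0.1, i.e. via Unbound
    awk '$3 != "127.0.0.1" { print $3 }' "$1" | sort -u
}

# 5. The live procedure, for the firewall itself (needs drill(1) and root).
live_check() {
    has_forward_zone "$UNBOUND_CONF" "$DNSCRYPT_ADDR" || { echo "Unbound is not forwarding . to $DNSCRYPT_ADDR"; return 1; }
    sockstat -4l > "/tmp/sockstat.$$"
    only_loopback "/tmp/sockstat.$$" || { echo "dnscrypt-proxy listeners:"; dnscrypt_listeners "/tmp/sockstat.$$"; return 1; }
    n=$(probe_name example.com)
    drill -p 53 "$n" @127.0.0.1 > /dev/null    # ask Unbound, not the proxy
    sleep 1
    log_has_name "$QUERY_LOG" "$n" || { echo "probe $n never reached dnscrypt-proxy"; return 1; }
    echo "forwarding OK: $n was handled by dnscrypt-proxy"
    verdict_summary "$QUERY_LOG"
    [ -z "$(foreign_clients "$QUERY_LOG")" ] || { echo "clients bypassing Unbound:"; foreign_clients "$QUERY_LOG"; }
}

# --- constructed sample inputs so the functions can be exercised offline ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/unbound.conf" <<'EOF'
server:
   do-not-query-localhost: no
forward-zone:
        name: "."
        forward-addr:127.0.0.1@5353
EOF
cat > "$SAMPLE_DIR/sockstat.txt" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
_dnscryp dnscrypt-p 50151 7  udp4   127.0.0.1:5353        *:*
_dnscryp dnscrypt-p 50151 8  tcp4   127.0.0.1:5353        *:*
unbound  unbound    21146 5  udp4   192.168.10.1:53       *:*
EOF
# first five lines are from the thread; the last one is constructed: a host that
# reached the proxy without going through Unbound
cat > "$SAMPLE_DIR/query.log" <<'EOF'
[2019-01-14 18:10:16] 127.0.0.1 s.youtube.com A REJECT
[2019-01-14 18:10:36] 127.0.0.1 mqtt-p4.facebook.com A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY FORWARD
[2019-01-14 08:19:03] 192.168.10.25 example.net A PASS
EOF

if [ "${RUN_LIVE:-0}" = 1 ]; then live_check; fi
```

The probe is sent to Unbound on port 53, not to the proxy on 5353, because the point of the test is to prove the hop between the two; querying 5353 directly (as the `drill -p 5353` output earlier in the thread does) only proves that dnscrypt-proxy itself works.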
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: Amanaki on January 14, 2019, 10:33:39 pm
Services -> Unbound DNS -> General -> Enable Forwarding Mode = UNCHECKED

OK, so my interpretation of your instruction is to use a Windows client on my network, flush its DNS cache, then visit a website. Is that correct?

I did as above using dnsprivacy.org, then checked my dnscrypt-proxy logs and found the following entries:

Code:
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:57] 127.0.0.1 org DNSKEY PASS
[2019-01-14 08:18:57] 127.0.0.1 org DNSKEY PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org DS PASS
[2019-01-14 08:18:57] 127.0.0.1 dnsprivacy.org A PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY PASS
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org AAAA SYNTH
[2019-01-14 08:18:58] 127.0.0.1 dnsprivacy.org DNSKEY FORWARD

On another note, I think I have stumbled across an issue where a file is missing inside my configuration.

In the install notes, there is a reference to a config file in the following path:

'etc/rc.conf'

Using WinSCP, I cannot find it at all...

The dnscrypt-proxy files I have are:

'usr/local/etc/rc.d'
'usr/local/etc/dnscrypt-proxy/dnscryptproxy.toml'

I initially installed 18.7.6 and am not sure if this was caused by upgrading to the current version, 18.7.10.

Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: mimugmail on January 15, 2019, 07:27:30 am
# cat /etc/rc.conf.d/dnscrypt_proxy
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_suexec="YES"
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: Amanaki on January 15, 2019, 11:24:57 pm
No such file or directory!

Code:
root@OPNsense:~ # cat /etc/rc.conf.d/dnscrypt_proxy
cat: /etc/rc.conf.d/dnscrypt_proxy: No such file or directory
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: mimugmail on January 16, 2019, 05:56:17 am
Yes, this is the file you have to add, with what you asked for.
Title: Re: Firewall Rules for DNSCrypt Proxy v2
Post by: Amanaki on January 16, 2019, 02:39:38 pm
OK. I will add this during downtime and see if it makes any difference to my DNS results.

Thanks.