OPNsense Forum

English Forums => General Discussion => Topic started by: Taomyn on June 26, 2020, 04:04:21 pm

Title: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: Taomyn on June 26, 2020, 04:04:21 pm
My current network is set up so that I have internal servers providing DHCP and DNS services to my LAN, which then forward requests to my firewall via my Pi-Hole. This is all working really well except for one minor thing: the firewall cannot reverse look up any internal machines, so things like the firewall log in the web console only ever show the IP address. Internal domain lookups are fine as I have got that set up in the overrides section of Unbound, but the reverse ones are not.


What's the correct way in Unbound to set up the reverse lookup for my internal subnets? I can see the "Local Zone Type" is set to "Transparent", but I cannot fathom what to change it to and where to configure the forwarder.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: mayo on July 26, 2020, 07:02:59 pm
I'm in the same situation!
OPNsense acts as DHCP and DNS.
Configured following this guide: https://homenetworkguy.com/how-to/configure-dns-opnsense-pihole/

Also I have a Linksys Mesh router in bridge mode connected to OPNsense. It generates a lot of PTR requests that show up as xx.xx.xx.xx.in-addr.arpa in my pi-hole web interface.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: mayo on November 20, 2020, 05:06:00 pm
Hi Taomyn,
did you resolve this issue? I didn't find anything about it... Thank you in advance!

My current network is set up so that I have internal servers providing DHCP and DNS services to my LAN, which then forward requests to my firewall via my Pi-Hole. This is all working really well except for one minor thing: the firewall cannot reverse look up any internal machines, so things like the firewall log in the web console only ever show the IP address. Internal domain lookups are fine as I have got that set up in the overrides section of Unbound, but the reverse ones are not.


What's the correct way in Unbound to set up the reverse lookup for my internal subnets? I can see the "Local Zone Type" is set to "Transparent", but I cannot fathom what to change it to and where to configure the forwarder.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: Taomyn on November 20, 2020, 07:35:14 pm
Hi Taomyn,
did you resolve this issue? I didn't find anything about it... Thank you in advance!


No, no-one else replied so still waiting on an answer
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on November 21, 2020, 05:44:19 am
I haven't tested this but I believe you would go to overrides and then add a domain override.

The domain to add would be something like:
1.168.192.in-addr.arpa

(this would specify 192.168.1.x)

and in the IP section you would put the DNS server for unbound to query, e.g. 192.168.1.20 (assuming that is the IP of the DNS server).

I would say that if you do this you should take care to ensure the firewall does not answer DNS queries to anyone other than on the local LAN or it would be possible to fingerprint devices behind your network and perform a nat pinning attack. You can ensure this is the case by making sure only LAN is selected for unbound to run on and ensuring 53 is not open on your firewall.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: mayo on November 21, 2020, 12:04:59 pm
Thank you allebone.
I haven't tested this but I believe you would go to overrides and then add a domain override.

The domain to add would be something like:
1.168.192.in-addr.arpa

(this would specify 192.168.1.x)

and in the IP section you would put the DNS server for unbound to query, e.g. 192.168.1.20 (assuming that is the IP of the DNS server).

I would say that if you do this you should take care to ensure the firewall does not answer DNS queries to anyone other than on the local LAN or it would be possible to fingerprint devices behind your network and perform a nat pinning attack. You can ensure this is the case by making sure only LAN is selected for unbound to run on and ensuring 53 is not open on your firewall.
I have to set up the override in OPNsense, right? And nothing in the pi-hole local DNS section?
Thank you!

Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: Taomyn on November 21, 2020, 04:05:03 pm

I'm afraid it doesn't seem to work, I still only get the IP - I tried restarting the Unbound service and it still did the same.

I haven't tested this but I believe you would go to overrides and then add a domain override.

The domain to add would be something like:
1.168.192.in-addr.arpa

(this would specify 192.168.1.x)

and in the IP section you would put the DNS server for unbound to query, e.g. 192.168.1.20 (assuming that is the IP of the DNS server).

I would say that if you do this you should take care to ensure the firewall does not answer DNS queries to anyone other than on the local LAN or it would be possible to fingerprint devices behind your network and perform a nat pinning attack. You can ensure this is the case by making sure only LAN is selected for unbound to run on and ensuring 53 is not open on your firewall.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: mayo on November 21, 2020, 06:36:42 pm
I have also tried, but not working. Still showing (reverse) IPs and a lot of PTR requests.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on November 21, 2020, 08:53:49 pm
Please can you show me how you have tested that the DNS server (pihole?) you are using in the override setting of unbound is able to reply with a PTR record? E.g. a screenshot from a client using nslookup against the DNS server where the PTR records reside, showing it gives an authoritative answer to a requested PTR record.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on November 21, 2020, 08:57:40 pm
I have also tried, but not working. Still showing (reverse) IPs and a lot of PTR requests.

Are you saying you now see PTR requests from unbound on your DNS server (pihole)?

If so then unbound was correctly configured. If pihole does not reply with the correct reverse record answer then you must explain why pihole is unable to give the answer to the dns query when requested. This is similar to my post above asking that you check pihole can actually do this.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on November 24, 2020, 01:13:34 pm
Hi,

I did not hear back regarding this. Please can you do the steps like the below screenshot against the dns server that you expect the ptr records to be held and let me know.

Example commands to type highlighted in yellow, expected answer example in red.

Kind regards,
P
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: mayo on November 24, 2020, 07:04:17 pm
Thank you allebone, I've done the nslookup as you told me and I have the same results as yours with my IPs.
DNS is my pi-hole and it resolves hostnames correctly. (And currently I have no overrides configured...)
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on November 25, 2020, 03:01:48 am
Thank you.

I set up a Windows DNS server and unbound to test on OPNsense. I also had an issue until I found this option here:

Once I set it to be able to forward queries out of the LAN interface, my OPNsense running unbound could resolve PTR records for me by forwarding the query to the Windows DNS server and querying the PTR records.

Please double check your config as I believe I have confirmed it can work.

Pete
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: mayo on November 25, 2020, 05:41:14 am
Perfect! last question: do I have to set Overrides or not with this configuration enabled?
Thank you.

I set up a Windows DNS server and unbound to test on OPNsense. I also had an issue until I found this option here:

Once I set it to be able to forward queries out of the LAN interface, my OPNsense running unbound could resolve PTR records for me by forwarding the query to the Windows DNS server and querying the PTR records.

Please double check your config as I believe I have confirmed it can work.

Pete
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on November 25, 2020, 01:45:26 pm
Yes, the domain override tells the unbound server where to go and query for that specific domain; in this case the domain is a PTR reverse lookup domain, so without the override unbound will simply query whatever is configured in your forwarders section, or use root hints if you query that way, both of which cannot provide an authoritative answer to your query of an internal record.

Edit: if you set your forwarder or DNS server for OPNsense to be pihole then it would work without an override, but I would advise against such a setup, as the firewall should be able to resolve DNS without pihole working, to ensure services that rely on DNS (sensei etc.) function in the event of an outage or error with pihole, and also because blocking these services from accessing domains by way of a filter may have undesirable effects. You should trust the firewall to not need filtering or alternatively use a product you do trust. The firewall should be able to sort itself out essentially without relying on a piece of internal equipment to be working perfectly.

Just FYI, on my network I have OPNsense unbound set to use 1.1.1.1 as a forwarder and an internal DNS server that client nodes use and that provides DNS filtering; that DNS server gets its answers from unbound running on the OPNsense. On OPNsense I redirect any queries on port 53 using outbound NAT to the internal DNS server, except for the source IP of the firewall and the IP of the internal DNS server, so their queries do not get looped back. This means anyone changing their DNS server to either the OPNsense firewall or any external IP is silently having their requests directed back to the internal DNS filter server. An alert is then flagged on my OPNsense. Currently I have found on my network a Roku TV and an IP camera that had hardcoded DNS servers trigger this alert. I also block outbound traffic to known DoH servers. Currently the only app that has triggered an alert by trying to bypass DNS filtering by querying hardcoded external DoH servers is the app 'tiktok', after which I blocked all of ByteDance's servers at the DNS level so the apps do not function.

Final thing I will say is that I don't agree with the general consensus that using 1.1.1.1 or some other public DNS is a privacy concern if your alternative is to use root hints with unbound. Or what I mean is, using root hints does not solve the privacy concern IMO. If you obscure your DNS and then turn right around to your ISP and say 'please connect me to this IP' then you have not solved the privacy issue and have simply made your DNS queries take longer. For this reason I don't use root hints and use 1.1.1.1, which is very fast.

To obscure your traffic a VPN provider who does not log would be required, but I don't know how to ensure that a VPN provider is actually doing what they say. For this reason I believe it's better to simply know all you do on the internet is logged and there is no real privacy unless you are illegally compromising servers on the internet and proxying your traffic through them and clearing all the logs automatically yourself and somehow making sure you didn't get caught. I don't see any solution as really viable in the real world, so it seems better to me to simply understand that public internet = public space. People are allowed to look at what you do in public when you walk to the shops. Same on the internet.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: mayo on November 25, 2020, 03:04:09 pm
Very interesting! I will study how to do this because I'm not so expert... Thank you so much for your help both in configuring and understanding how it works! I hope to make it as good as I can.


Just FYI, on my network I have OPNsense unbound set to use 1.1.1.1 as a forwarder and an internal DNS server that client nodes use and that provides DNS filtering; that DNS server gets its answers from unbound running on the OPNsense. On OPNsense I redirect any queries on port 53 using outbound NAT to the internal DNS server, except for the source IP of the firewall and the IP of the internal DNS server, so their queries do not get looped back. This means anyone changing their DNS server to either the OPNsense firewall or any external IP is silently having their requests directed back to the internal DNS filter server. An alert is then flagged on my OPNsense. Currently I have found on my network a Roku TV and an IP camera that had hardcoded DNS servers trigger this alert. I also block outbound traffic to known DoH servers. Currently the only app that has triggered an alert by trying to bypass DNS filtering by querying hardcoded external DoH servers is the app 'tiktok', after which I blocked all of ByteDance's servers at the DNS level so the apps do not function.


Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on November 25, 2020, 03:28:13 pm
Yup, good luck, that's the best way to learn: slowly add more and more as you find a need to do so, and remove things that you thought you needed but found that actually you did not when experimenting on your home network :)
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: Taomyn on December 03, 2020, 03:51:32 pm
It still doesn't work for me. I did think it could be the custom options I have set in Unbound to direct external lookups to DNSCrypt-Proxy, but it never receives them and even when I add the overrides to it as well it doesn't work.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on December 07, 2020, 05:37:42 pm
Please post a screenshot of the overrides. It is working for me. I assume 192.168.1.1 is the opnsense.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: Taomyn on December 07, 2020, 05:43:38 pm
As requested
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on December 07, 2020, 06:12:03 pm
I agree the .11 override looks correct. Would you happen to have any rule on the firewall that could interfere or prohibit 192.168.1.1 from reaching the DNS server you have configured in overrides? E.g. a NAT redirect rule on port 53 to block anything not querying your pihole etc.? Also, is the pihole the authoritative server for the PTR records, or does it in turn forward the requests somewhere else (the DHCP server?) to get the answers? If it does forward, please set the override section DNS server to the DNS server creating the PTR records (e.g. if 192.168.1.11 forwards a PTR request to 192.168.1.2, please use 192.168.1.2 in the override).
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on December 07, 2020, 06:20:48 pm
The reason I am asking is I saw on a forum there is an option in pihole for "Never forward reverse lookups for private IP ranges". I'm not clear what this option does, but if Pihole is not authoritative then it won't forward... I think? Please ensure the DNS server you set in overrides is the authoritative one, not an intermediate, e.g. pihole if it is not creating the PTR records.
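The check allebone asks for in the last few posts, done programmatically rather than by nslookup screenshot: send a PTR query directly to the server named in the override and read the AA (authoritative answer) flag from the reply, since an intermediate that merely forwards will answer with AA clear. This is an added example, not code from the thread or from OPNsense; the sample reply is constructed (reusing the Google-Home-Mini.MyCorporation.Com name from allebone's expected-answer example), and only query_ptr needs network access.

```python
import ipaddress
import socket
import struct

PTR, IN = 12, 1

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_ptr_query(ip, txid=0x1234):
    """Standard query, RD set, for the in-addr.arpa name of ip."""
    qname = ipaddress.ip_address(ip).reverse_pointer
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", PTR, IN)

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_ptr_response(msg):
    """Return txid, rcode, the AA flag and every PTR target in the answer."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4         # skip qtype and qclass
    ptrs = []
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == PTR:
            ptrs.append(decode_name(msg, off)[0])
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), "ptr": ptrs}

def query_ptr(server, ip, timeout=2.0):
    """Send the query to server:53 over UDP and parse the reply (needs the network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ptr_query(ip), (server, 53))
        return parse_ptr_response(s.recvfrom(4096)[0])

# Constructed reply as an authoritative server would send it: flags QR|AA|RD|RA,
# one PTR answer whose owner name is a compression pointer back to the question.
_RDATA = encode_name("Google-Home-Mini.MyCorporation.Com")
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
                + encode_name("83.1.168.192.in-addr.arpa") + struct.pack("!HH", PTR, IN)
                + b"\xc0\x0c" + struct.pack("!HHIH", PTR, IN, 3600, len(_RDATA)) + _RDATA)
```

Run `query_ptr("192.168.1.11", "192.168.1.83")` against the server you put in the override; if `aa` comes back False, that server is forwarding and the override should point at whatever it forwards to.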
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: Taomyn on December 07, 2020, 06:27:02 pm
I do have a rule but it's set to allow the IPs in the second screenshot, but as you can see from the first one I can perform lookups from the firewall to one of the DNS servers.


The two IPs 192.168.1.11 and 192.168.1.12 are the DNS servers on the two Windows domain controllers so Pi-Hole has nothing to do with the issue, and yes both servers are authoritative for my domain of course.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on December 07, 2020, 06:47:23 pm
Hmm I am struggling to think of a reason it does not work for you.

On the windows DNS server .11 I am assuming that under 'reverse lookup zones' there exists a domain 1.168.192.in-addr.arpa and that in this zone various records you query exist as either static or dynamic addresses based on how they were registered.

I must ask you to look into this further. The response you posted for one of the ptr records is not what I expect.

Response you posted: 192.168.1.83 ----> Google-Home-Mini.

Response expected on a domain:

192.168.1.83 ----->Google-Home-Mini.MyCorporation.Com

Why does the windows DNS server not auto register the ptr record correctly on behalf of your clients joined to the domain? Alternatively can you change the ptr record for the Google home mini device to be static with the domain included? I have checked my DNS zone and the domain part is included on the records either automatically, or statically by my own configuration.

Also is root@bart the opnsense server? I am not clear as I do not know your network.

Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: Taomyn on December 07, 2020, 06:58:43 pm
You will not see my full domain as I don't want it published publicly on this forum, but I can assure you the full domain is being reported back on each test. I thought this time not to pixelize the whole domain to make it clearer it was being redacted.


And yes, root@bart is my OPNsense firewall, it's the command-shell prompt. It's a dedicated physical machine.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on December 07, 2020, 07:06:22 pm
I understand, no problem. Please find attached my config for unbound to compare to yours. Also a test showing it works.

Can you post, if possible, your unbound.conf so I can review for differences? My network is 192.168.2.0/24 and I query from a machine with an IP of 192.168.2.22 to 192.168.2.2 (IP of OPNsense with unbound configured).

Pete
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on December 07, 2020, 07:09:25 pm
I'm just going to get some lunch so won't be able to reply for an hour. Hope that's ok :)
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: Taomyn on December 07, 2020, 07:37:04 pm
No worries, it's 19:30 here and doing some remote working before I go to sleep.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on December 07, 2020, 08:30:06 pm
What happened did you compare the configs?
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: allebone on December 08, 2020, 09:55:21 pm
I'm so sad we never found out what happened :(
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: djbmister on March 01, 2021, 05:17:59 pm
So I had a similar issue, I wanted to use my wifi AP router to resolve the wifi clients' PTR records back to the OPNsense.

opnsense > wifiap > wifi client ptr

Turns out unbound blocks by default any local-zone that it does not know about.

So in OPNsense 20.7 and later, you need to set up the domain overrides:

as an example:

wifi being the domain forwarded to the wifiap router
and then the PTR address record so to pick up the wifi clients records.

Code:
wifi                      192.168.10.3   wifi domain on AP
10.168.192.in-addr.arpa   192.168.10.3   WIFIAP LAN2G PTR 192.168.10

Then in the unbound 'General section', 'Custom options', add the 'local-zone' of the PTR records

Code:
local-zone: "10.168.192.in-addr.arpa" transparent
Then the PTR record will be queried to the forwarding dns server aka the wifiap router.
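A small helper that turns the recipe above (and allebone's earlier domain-override suggestion for 1.168.192.in-addr.arpa) into the two pieces OPNsense needs: the rows for the Domain Overrides table and the local-zone lines for General > Custom options, computing the in-addr.arpa name for any IPv4 prefix rather than only a /24. This is an added example, not djbmister's or OPNsense's code; the AS112 zone list is a subset of Unbound's built-in default static local-zones, and the sample subnets are constructed from the thread.

```python
import ipaddress

# Subset of the reverse zones Unbound declares as built-in "static" local-zones
# (the AS112 zones). Queries under them get NXDOMAIN locally unless a more
# specific local-zone overrides the default, which is what the custom option does.
AS112_STATIC_V4 = (["10.in-addr.arpa", "168.192.in-addr.arpa"]
                   + [f"{n}.172.in-addr.arpa" for n in range(16, 32)])

def reverse_zones(cidr):
    """in-addr.arpa zone names that together cover an IPv4 prefix.

    /8, /16 and /24 map to one zone; other lengths are split into the
    octet-aligned zones they contain (a /23 becomes two /24 zones).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError("IPv4 prefix of at least /1 expected")
    octets = -(-net.prefixlen // 8)               # ceil(prefixlen / 8)
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones

def needs_transparent(zone):
    """True if Unbound's default static AS112 zone would answer NXDOMAIN for
    this zone before any domain override (forward-zone) is consulted."""
    return any(zone == z or zone.endswith("." + z) for z in AS112_STATIC_V4)

def plan(subnets):
    """subnets: iterable of (cidr, dns_server, description).

    Returns the rows for the Unbound Overrides page (Domain Overrides table)
    and the lines to paste into General > Custom options.
    """
    overrides, custom = [], []
    for cidr, server, descr in subnets:
        ipaddress.ip_address(server)              # reject a malformed server IP
        for zone in reverse_zones(cidr):
            overrides.append((zone, server, descr))
            if needs_transparent(zone):
                custom.append(f'local-zone: "{zone}" transparent')
    return {"domain_overrides": overrides, "custom_options": "\n".join(custom)}

if __name__ == "__main__":
    # Constructed sample mirroring the thread: the LAN's authoritative DNS
    # server and a Wi-Fi segment whose AP holds the client PTR records.
    p = plan([("192.168.1.0/24", "192.168.1.20", "LAN PTR"),
              ("192.168.10.0/24", "192.168.10.3", "WIFIAP LAN2G PTR")])
    for zone, server, descr in p["domain_overrides"]:
        print(f"{zone:28} {server:15} {descr}")
    print(p["custom_options"])
```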
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: Taomyn on March 02, 2021, 09:44:29 am
Then in the unbound 'General section', 'Custom options', add the 'local-zone' of the PTR records

Code:
local-zone: "10.168.192.in-addr.arpa" transparent
Then the PTR record will be queried to the forwarding dns server aka the wifiap router.


When I add this after adding the overrides, the service no longer starts, I'm on OPNsense v21.
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: djbmister on March 02, 2021, 10:12:57 am
Then in the unbound 'General section', 'Custom options', add the 'local-zone' of the PTR records

Code:
local-zone: "10.168.192.in-addr.arpa" transparent
Then the PTR record will be queried to the forwarding dns server aka the wifiap router.


When I add this after adding the overrides, the service no longer starts, I'm on OPNsense v21.

Mine looks like this

Code:
server:
rrset-roundrobin: yes
local-zone: "10.168.192.in-addr.arpa" transparent

Works fine for me. You have no space between "transparent"
Title: Re: What's the correct way to set up local zone reverse lookup with Unbound?
Post by: Taomyn on March 03, 2021, 08:05:26 am
Works fine for me. You have no space between "transparent"


No it's there, just the font being used in the GUI makes it difficult to see. I re-entered the line and it was still the same and the service refused to start.


What do you have for the "Local Zone Type" above as I wonder if that is conflicting?