OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: CJ on July 08, 2020, 09:23:09 pm

Title: Block connection to IPs which are not in DNS cache
Post by: CJ on July 08, 2020, 09:23:09 pm
Is this possible in OPNsense?  With the advent of DoH I want to prevent all connections to IPs that have not been resolved by the local DNS cache.

I looked through the settings and I didn't see anything that would do this.

Thanks.
Title: Re: Block connection to IPs which are not in DNS cache
Post by: AndrewBriggs on November 30, 2020, 11:25:20 am

You need to go to the DNS Server settings, select Properties and on the Interfaces tab, explicitly select only those addresses on which you want to accept DNS requests.

Title: Re: Block connection to IPs which are not in DNS cache
Post by: CJ on March 14, 2021, 06:06:49 pm

You need to go to the DNS Server settings, select Properties and on the Interfaces tab, explicitly select only those addresses on which you want to accept DNS requests.

That's not the problem I'm trying to solve.  I want everyone on the network to use my DNS server.

What I'm trying to prevent is DoH lookups or hard coded IPs.  Anything doing that on my network is up to something.
Title: Re: Block connection to IPs which are not in DNS cache
Post by: Verda5 on December 02, 2021, 11:33:51 am
Is this possible in OPNsense?  With the advent of DoH I want to prevent all connections to IPs that have not been resolved by the local DNS cache.

I looked through the settings and I didn't see anything that would do this.

Thanks.
To approve domains, e.g. example.com, only approve the IPs of the DNS servers that host that domain. You can do this by going to "DNS Server Settings", selecting "Properties" on the "Interfaces" tab, and then explicitly allowing only those DNS servers which host that domain to respond to content requests.
Title: Re: Block connection to IPs which are not in DNS cache
Post by: allebone on December 02, 2021, 02:06:52 pm
This sounds like a problem for Zenarmor (sensei) to solve, not for opnsense. You should ask them if they can or have plans to do this.
Title: Re: Block connection to IPs which are not in DNS cache
Post by: CJ on December 26, 2021, 08:19:55 pm
This sounds like a problem for Zenarmor (sensei) to solve, not for opnsense. You should ask them if they can or have plans to do this.

Maybe.  It's on my list to check out but I haven't gotten to it yet.

My initial idea was for OPNsense to keep a list of resolved IPs from Unbound and only allow outbound access to those IPs via a firewall rule.
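The idea in the post above (only pass outbound traffic to addresses that Unbound has actually resolved) can be prototyped outside the GUI with a small sync script. The following is an added example, not code from OPNsense, Unbound or the thread's participants. It assumes Unbound's remote control is enabled so `unbound-control dump_cache` works, and that the admin has already created a pf table (the name `dns_resolved` and the path `/var/db/dns_resolved.txt` are placeholders chosen for this example) referenced by an outbound pass rule placed above a final block rule. The script snapshots unexpired A/AAAA answers from the cache and hands them to `pfctl -T replace`; the cache dump below is constructed sample input in the format `unbound-control dump_cache` prints.

```python
"""Keep a pf table in sync with the A/AAAA answers currently in Unbound's cache.

Added example, not OPNsense or Unbound code. Assumptions (not from the page):
the pf table name, the table file path, and that an outbound rule which
only passes destinations in that table already exists.
"""
import ipaddress
import subprocess
from typing import List, Optional, Tuple

TABLE_NAME = "dns_resolved"               # hypothetical pf table name
TABLE_FILE = "/var/db/dns_resolved.txt"   # hypothetical path for the table file

# Ranges that LAN rules already cover; they are left out of the table by default.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample of `unbound-control dump_cache` output (trimmed).
# The TTL column in a cache dump is the *remaining* TTL, so 0 means expired.
SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 3600 1 0 2 3
example.com.\t3600\tIN\tA\t93.184.216.34
;rrset 3600 1 0 2 3
example.com.\t3600\tIN\tAAAA\t2606:2800:220:1:248:1893:25c8:1946
;rrset 0 1 0 2 3
stale.example.net.\t0\tIN\tA\t198.51.100.7
;rrset 300 1 0 2 3
printer.lan.\t300\tIN\tA\t192.168.1.50
;rrset 300 2 0 2 3
www.example.org.\t300\tIN\tCNAME\texample.org.
;rrset 86400 1 0 2 3
example.org.\t86400\tIN\tA\t203.0.113.10
;rrset 3600 1 0 2 3
example.org.\t3600\tIN\tMX\t10 mail.example.org.
END_RRSET_CACHE
START_MSG_CACHE
msg example.com. IN A 33152 1 3600 0 1 1 1
example.com. IN A 0
END_MSG_CACHE
EOF
"""


def parse_rrset_cache(dump: str) -> List[Tuple[str, int, str, str]]:
    """Return (owner, remaining_ttl, rrtype, rdata) for each RR in the RRSET section.

    ';rrset' comment lines and the message cache section are skipped.
    """
    records = []
    in_rrsets = False
    for line in dump.splitlines():
        if line == "START_RRSET_CACHE":
            in_rrsets = True
            continue
        if line == "END_RRSET_CACHE":
            break
        if not in_rrsets or line.startswith(";") or not line.strip():
            continue
        fields = line.split(None, 4)          # owner ttl class type rdata
        if len(fields) != 5 or fields[2] != "IN":
            continue
        owner, ttl, _cls, rrtype, rdata = fields
        try:
            records.append((owner.rstrip("."), int(ttl), rrtype, rdata))
        except ValueError:
            continue                          # malformed TTL, ignore the line
    return records


def resolved_addresses(dump: str, include_local: bool = False) -> List[str]:
    """Unexpired A/AAAA answers, de-duplicated and sorted (IPv4 first)."""
    addrs = set()
    for _owner, ttl, rrtype, rdata in parse_rrset_cache(dump):
        if rrtype not in ("A", "AAAA") or ttl <= 0:
            continue                          # CNAME/MX etc., or already expired
        try:
            ip = ipaddress.ip_address(rdata)
        except ValueError:
            continue                          # rdata is not an address
        if not include_local and any(ip in net for net in LOCAL_NETS):
            continue
        addrs.add(ip)
    return [str(ip) for ip in sorted(addrs, key=lambda a: (a.version, int(a)))]


def table_file_contents(addrs: List[str]) -> str:
    """pf table file format: one address per line; '#' lines are comments."""
    return "# generated from unbound cache\n" + "".join(f"{a}\n" for a in addrs)


def sync_table(dump: Optional[str] = None) -> int:
    """Replace the pf table with the current cache snapshot; returns entry count."""
    if dump is None:
        dump = subprocess.run(["unbound-control", "dump_cache"],
                              capture_output=True, text=True, check=True).stdout
    addrs = resolved_addresses(dump)
    with open(TABLE_FILE, "w") as fh:
        fh.write(table_file_contents(addrs))
    # -T replace swaps the table contents in one step, so states to addresses
    # that are still cached are not disturbed by the refresh.
    subprocess.run(["pfctl", "-t", TABLE_NAME, "-T", "replace", "-f", TABLE_FILE],
                   check=True)
    return len(addrs)


if __name__ == "__main__":
    print(sync_table())
```

Run from cron every minute or so. Two caveats a practitioner would hit: the table lags the cache, so a client that connects immediately after its lookup can be blocked until the next sync, and short-TTL CDN answers drop out of the table before clients finish using them, so in practice the refresh interval must be shorter than the shortest TTL you care about. It also does not by itself stop DoH: a client that first resolves its DoH resolver's hostname through Unbound puts that resolver's IP into the table, so known DoH endpoints still need their own block list.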