OPNsense Forum
English Forums => Zenarmor (Sensei) => Topic started by: allebone on November 30, 2020, 03:33:16 pm
-
Sensei continuously asks my DNS server to resolve 251.0.0.224.in-addr.arpa every 20-30 seconds.
What answer is Sensei expecting to this? I ended up adding 251.0.0.224.in-addr.arpa to the denylist but it still queries. If I stop Sensei from running the queries stop so I know for sure its Sensei.
I dont understand what answer it is expecting to receive to this query and it fills the logs of my DNS filter. Can I prevent Sensei from querying this record continuously? I dont really need sensei to be mdns aware as i have all my DNS records correctly published normally on my DNS server.
Kind regards
Peter
-
Hi Peter,
Quick question to confirm: do you have "Perform real-time DNS reverse queries for local IP addresses" in Reporting & Data?
-
Hello,
Thank you for your reply.
I have checked and yes I do have this option, are you suggesting I disable it?
Kind regards
Peter
-
Hi Peter,
Yes, it provides to query names. So if you want to stop this query please disable it.
-
@allebone, thanks for the reply.
@sy, I guess @allebone wants multicast communication to be excluded from realtime local domain queries. I think we should provide this as an option.
-
@allebone, thanks for the reply.
@sy, I guess @allebone wants multicast communication to be excluded from realtime local domain queries. I think we should provide this as an option.
Hello,
Yes I am asking to exclude mdns only, as it is querying my dns server for a record I cannot provide an answer to.
-
Why don't you make your DNS server answer for that PTR record?
-
Why don't you make your DNS server answer for that PTR record?
My network range is 192.168.2.0/24. All computers have a 192.168.2.x address on my network.
What machine name and answer is valid to the request for the ptr record of 251.0.0.224.in-addr.arpa on my network? I do not know the answer.
It seems like a broadcast request. Why would 1 single machine name be the answer to a broadcast? What exactly am I 'fixing' by providing a false reply? I already block this record on the DNS server, Sensei simply keeps requesting that record continuously. I have no idea what answer it wants, or if providing an answer - even a fake one - would make any difference to that.
Kind regards
Peter
-
It's the mDNS multicast group as defined in RFC 6762:
https://en.wikipedia.org/wiki/Multicast_DNS
A suggested PTR record is
251.0.0.224.in-addr.arpa. IN PTR mdns.mcast.net.
You won't get that traffic off your (W)LAN with any modern device, so if you prefer to have Sensei doing PTR lookups, just add the one above to your DNS server and all is well ...
-
I dont agree with the logic of providing a false answer to a DNS query. Why would I tell a computer that an IP can be reached on a DNS name of mdns.mcast.net. This is a public DNS name.
You can ask any question you like to a DNS server, it does not mean the question is valid or makes sense to ask.
My preference will be to disable Sensei asking this question. The question is not meaningful. For now I will disable real time DNS enrichment as there is not an alternative. Will revisit in the future if this changes.
Pete
-
It's not a false answer, it's the official FQDN for this multicast address set in RFC 6762. But your choice ...
-
It's not a false answer, it's the official FQDN for this multicast address set in RFC 6762. But your choice ...
A fair point. I was unaware this was the official stance. I checked the wiki you posted and it did not mention this and this was the first time you had stated this.
-
It's in the RFC that I repeatedly mentioned. ;)
Please report back if that fixes your problem. I would be interested if Sensei caches a successful DNS query or if it continues to query repeatedly for every packet - which would be a rather suboptimal design ...
-
Your solution was acceptable, I am not able to determine if Sensei will continue to ask for the record or not as I added the answer to domain overrides in unbound which bypasses my DNS blocker I was seeing the requests on.
The DNS override section is configured as follows:
Host Overrides
Host Domain Type Value Description
251 0.0.224.in-addr.arpa A 224.0.0.251 ptrmdns
mdns mcast.net A Alias for 251.0.0.224.in-addr.arpa mdnsptrrecord
The second line is an alias.
As the server itself now knows an answer to the DNS request
251.0.0.224.in-addr.arpa ----> 224.0.0.251 ----> mdns.mcast.net
I do not see this query hit my other DNS server. So it is resolved. I am not able to determine if Sensei continues to ask as I mentioned as unbound does not log the queries against it (unbound can only be accessed by the firewall and the DNS server and other PC's on my network are prohibited to query it so logging is unneeded in my use case).
Kind regards
Peter
-
Hi Peter, @pmhausen,
The moment Sensei gets a positive response from the DNS server, it caches the response. So you should be all good.
We'll have "exclude mdns queries" option in later releases. @sy fyi.