OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: tamer on February 08, 2016, 02:05:04 pm

Title: [SOLVED] IDS/IPS DNS issues with LibreSSL
Post by: tamer on February 08, 2016, 02:05:04 pm
After enabling LibreSSL and then trying to enable IDS/IPS with some rules, the local (firewall) DNS resolver stops responding to any request, even from localhost. However, the issue might not be specific to the DNS resolvers, as using dig while explicitly specifying another resolver still fails when IPS is enabled. On other hosts, using an explicit DNS resolver works.

Firewall:
root@router:~ # dig google.com

; <<>> DiG 9.10.3-P3 <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached


root@router:~ # dig @8.8.8.8 google.com

; <<>> DiG 9.10.3-P3 <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


Other hosts:
$ dig google.com

; <<>> DiG 9.8.3-P1 <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached


$ dig @8.8.8.8 google.com

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9677
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.         IN   A

;; ANSWER SECTION:
google.com.      299   IN   A   93.62.101.241
google.com.      299   IN   A   93.62.101.207
google.com.      299   IN   A   93.62.101.222
google.com.      299   IN   A   93.62.101.211
google.com.      299   IN   A   93.62.101.251
google.com.      299   IN   A   93.62.101.245
google.com.      299   IN   A   93.62.101.236
google.com.      299   IN   A   93.62.101.230
google.com.      299   IN   A   93.62.101.249
google.com.      299   IN   A   93.62.101.237
google.com.      299   IN   A   93.62.101.215
google.com.      299   IN   A   93.62.101.221
google.com.      299   IN   A   93.62.101.219
google.com.      299   IN   A   93.62.101.226
google.com.      299   IN   A   93.62.101.234

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb  8 14:01:09 2016
;; MSG SIZE  rcvd: 268


I have tested this issue with 16.1-16.1.2.

 (PS I don't think that that emoji should be interpreted  ;))
Title: Re: IDS/IPS DNS issues with LibreSSL
Post by: tamer on February 12, 2016, 07:23:44 pm
This is a non-issue. I did not realise that after disabling hardware CRC checks I needed to reboot the router; it works as expected.
Title: Re: [SOLVED] IDS/IPS DNS issues with LibreSSL
Post by: franco on February 15, 2016, 07:55:32 am
Hi tamer, thanks for checking back on this issue. :)
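
Added example, not part of the original thread: one way to confirm that a change to the hardware checksum offload setting has actually reached the running interfaces before enabling IPS. It assumes FreeBSD-style `ifconfig` output with an `options=...<...>` capability line; the function names and the sample interface data are constructed for illustration.

```shell
#!/bin/sh
# csum_offload_active: read FreeBSD `ifconfig` output on stdin and print one
# "<interface> <flag>" line for every checksum-offload capability still enabled.
# Returns 0 if none are active, 1 otherwise.
csum_offload_active() {
    awk '
        # Interface header lines start in column 0: "em0: flags=..."
        /^[^ \t]+: / { iface = $1; sub(/:$/, "", iface) }
        # Enabled capabilities: "options=4219b<RXCSUM,TXCSUM,...>"
        /^[ \t]+options=/ {
            list = $0
            sub(/^[^<]*</, "", list); sub(/>.*$/, "", list)
            n = split(list, flag, ",")
            for (i = 1; i <= n; i++)
                if (flag[i] ~ /^(RX|TX)CSUM(_IPV6)?$/) {
                    print iface, flag[i]; found = 1
                }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample (not from the thread): em0 still has offload enabled,
# em1 shows what the options line looks like once it is off.
sample_ifconfig() {
    cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
	ether 00:00:5e:00:53:01
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=2098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
	ether 00:00:5e:00:53:02
EOF
}

# Demo on the sample; on the firewall use: ifconfig | csum_offload_active
if sample_ifconfig | csum_offload_active; then
    echo "checksum offload is off on all interfaces"
else
    echo "checksum offload still active on the interfaces listed above"
fi
```

If the function still lists an interface after the setting has been changed, the running configuration has not picked up the change yet.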