OPNsense Forum

English Forums => General Discussion => Topic started by: Inxsible on March 03, 2021, 07:18:05 am

Title: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 03, 2021, 07:18:05 am
I have set up my firewall to use the Unbound resolver and I don't forward DNS to any other server. I have NOT set up any DNS servers in System --> Settings --> General.
(https://i.imgur.com/Zp99BXk.png)

However, I still see in the firewall logs the WAN IP connecting to 8.8.8.8 on port 53 for DNS. Where would this DNS server (8.8.8.8) be set up, so that I can force everything to go through the Unbound resolver?
(https://i.imgur.com/O2uqOvX.png)
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: marjohn56 on March 03, 2021, 07:23:25 am
Got any Android devices?


https://www.androidpolice.com/2020/03/26/make-android-use-dns-server-choice/
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 03, 2021, 08:15:59 am
Got any Android devices?


https://www.androidpolice.com/2020/03/26/make-android-use-dns-server-choice/

Yes, but they all go out via my VPN client gateway -- not via my ISP WAN (at least when they are on my wifi). I do have a Roku which goes out via the ISP (because Netflix/Amazon Prime doesn't like VPN exit nodes).

Would there be a way to quickly find out which client (on the LAN) is actually making that request to the 8.8.8.8 DNS server?
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: marjohn56 on March 03, 2021, 11:46:23 am
Only by IP address/Mac
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 05:57:51 am
Turns out that it is the automatically generated Floating rules that are allowing that traffic. pfSense didn't have any floating rules by default.

How would I disable these Floating rules? I don't see the option to disable or delete next to the auto-generated rules, like we have on the manually created rules.
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 07:32:06 am
Tried Disable force gateway under Firewall-->Settings-->Advanced, which removed 3 of the 17 auto-generated floating rules (the WAN DHCP6, WAN DHCP and VPN DHCP gateway rules), but it still didn't remove the rule with the description "let out anything from the firewall host itself".

However, that just killed DNS completely for me. I couldn't even visit google.com. Had to un-check Disable force gateway in order to visit any website.

Questions:
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: chemlud on March 04, 2021, 09:00:38 am
I think you are fighting the wrong war. Find the client(s) initiating the traffic and fix your DNS leak first...
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: tiermutter on March 04, 2021, 11:25:34 am
How would I force all devices to only use the Unbound resolver?

Just redirect DNS requests not going to your sense:
https://forum.opnsense.org/index.php?topic=9245.0

Remember this will only work for normal DNS requests, but not for DoT or DoH!
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Greelan on March 04, 2021, 11:48:58 am
This does have the sense of an X-Y problem. The focus should be on getting your LAN firewall rules right. Remember by default all traffic is blocked on the internal interfaces unless explicit rules are included to allow it. So regulate the traffic as you want it on the LAN interface - this is also the most efficient way of dropping traffic. The floating rule then falls out of the picture.
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: hushcoden on March 04, 2021, 03:07:24 pm
I think you are fighting the wrong war. Find the client(s) initiating the traffic and fix your DNS leak first...
I have a similar issue and, looking at the log, I can see the source address is the WAN IP; I don't see how to identify the IP address of the client...  ???
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: marjohn56 on March 04, 2021, 04:30:58 pm
Try putting this in your custom options for Unbound; I think that's all I did, and I see very few Google addresses in my logs.

ssl-upstream: yes
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853               # Quad9 ip4
    forward-addr: 149.112.112.112@853       # Quad9 ip4
    forward-addr: 2620:fe::fe@853           # Quad9 ip6
    forward-addr: 1.1.1.1@853               # Cloudflare ip4
    forward-addr: 1.0.0.1@853               # Cloudflare ip4
    forward-addr: 2606:4700:4700::1111@853  # Cloudflare ip6
    forward-addr: 2606:4700:4700::1001@853  # Cloudflare ip6


You should only see WoodyNet, Cloudflare and your own IP then in a DNS leak test. Of course, if you want total privacy, use a VPN. Of course this will not stop pesky devices like Chromecast from using 8.8.8.8, but it's on my IOT VLAN anyway, so who cares.
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: chemlud on March 04, 2021, 04:50:06 pm
I think you are fighting the wrong war. Find the client(s) initiating the traffic and fix your DNS leak first...
I have a similar issue and, looking at the log, I can see the source address is the WAN IP; I don't see how to identify the IP address of the client...  ???

Packet capture on the LAN interface(s). Find out who is contacting 8.8.8.8. But if you block all traffic with target port 53 (except to the LAN address of the OPNsense) and use a properly configured Unbound, you should not see anything leaving WAN to target port 53.
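As an added example (not from this thread and not an OPNsense tool), here is how the packet capture chemlud suggests can be boiled down to a list of offending clients: it reads `tcpdump -n` style text captured on the LAN/VLAN interfaces and keeps only port-53 traffic whose destination is not the firewall. The capture lines, the client addresses and the firewall addresses 192.168.1.1 / 192.168.20.1 are constructed for the example; IPv6 lines are not parsed.

```python
"""Pick out LAN clients that send plain DNS anywhere other than the firewall,
from tcpdump-style text captured on the internal interfaces. Example added to
the thread, not something the thread or OPNsense provides; the capture lines
and all addresses below are constructed (IPv4 only, as `tcpdump -n` prints)."""
import re
from collections import Counter
from typing import Dict, Iterable

# Constructed: the OPNsense addresses on LAN and on the IOT VLAN. Queries to
# these go to Unbound as intended; any other port-53 destination is a leak.
FIREWALL_DNS = {"192.168.1.1", "192.168.20.1"}

# Constructed sample in the shape of `tcpdump -n -i <lan-if>` output.
SAMPLE_CAPTURE = """\
07:18:05.100001 IP 192.168.1.20.54121 > 192.168.1.1.53: 4444+ A? opnsense.org. (30)
07:18:05.200002 IP 192.168.20.15.41892 > 8.8.8.8.53: 12345+ A? www.google.com. (32)
07:18:05.300003 IP 192.168.20.15.41893 > 8.8.4.4.53: 12346+ AAAA? www.google.com. (32)
07:18:05.400004 IP 192.168.20.30.60000 > 8.8.8.8.53: 777+ A? roku.com. (26)
07:18:05.500005 IP 192.168.1.1.53 > 192.168.1.20.54121: 4444 1/0/0 A 203.0.113.5 (46)
07:18:06.000006 IP 192.168.1.20.51000 > 203.0.113.9.443: Flags [S], seq 1, win 64240, length 0
"""

# <timestamp> IP <src>.<sport> > <dst>.<dport>: ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def find_dns_leaks(lines: Iterable[str], firewall_addrs=FIREWALL_DNS) -> Dict[str, Counter]:
    """Map each client IP to a Counter of the external resolvers it queried on port 53."""
    leaks: Dict[str, Counter] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None or m["dport"] != "53":
            continue                     # not parseable, or not a DNS query
        if m["dst"] in firewall_addrs:
            continue                     # query to Unbound on the firewall: fine
        leaks.setdefault(m["src"], Counter())[m["dst"]] += 1
    return leaks


def report(leaks: Dict[str, Counter]) -> str:
    """One line per leaking client, resolvers sorted, with query counts."""
    return "\n".join(
        f"{client} -> " + ", ".join(f"{r} x{n}" for r, n in sorted(c.items()))
        for client, c in sorted(leaks.items())
    )


if __name__ == "__main__":
    print(report(find_dns_leaks(SAMPLE_CAPTURE.splitlines())))
```

Run it as-is to see the constructed sample, or feed `find_dns_leaks` the lines of a real `tcpdump -n -i <interface> 'udp port 53'` capture. It only sees plain DNS: DoT (port 853) and DoH (port 443) look like ordinary TLS to it, which is the same caveat tiermutter raised earlier in the thread.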
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 05:02:35 pm
I think you are fighting the wrong war. Find the client(s) initiating the traffic and fix your DNS leak first...
Not sure if I have a DNS leak --- yet.

dnsleaktest extended test results show me only 1 DNS server -- which is the same IP as my VPN exit point -- on Chromium

dnsleaktest extended test results show me only 1 DNS server -- which is an IP of Cloudflare  -- on Firefox.

Not sure why I get different results in different browsers. The above was also happening in my pfSense install. It may be because I do have a Cloudflare DNS account that I use for the DNS challenge for the Caddy2 reverse proxy, which maintains all my Let's Encrypt certs for the various services on my network (nextcloud, bitwarden, guacamole etc...)

But why does Chromium show me the VPN address whereas Firefox shows me the Cloudflare IP, I have no idea !!
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 05:28:52 pm
How would I force all devices to only use the Unbound resolver?

Just redirect DNS requests not going to your sense:
https://forum.opnsense.org/index.php?topic=9245.0

Remember this will only work for normal DNS requests, but not for DoT or DoH!
I don't use the port forward method for restricting DNS, but here is the layout I have:
LAN + 4 VLANs (WORK, IOT, GUEST, CCTV)


Here are the rules that I have set up for individual networks/VLANs:
(https://imgur.com/Ge6VFRK.png)
I have similar rules set up for all other networks. I am only allowing DNS to the OPNsense server. So why is 8.8.8.8 being contacted, in addition to so many other DNS servers?

Here's the firewall log. The label clearly indicates the rule that is allowing that traffic:
(https://imgur.com/1AzX1FZ.png)

One thing that I don't understand is that 10.8.0.11 is my VPN IP, not my actual WAN/ISP IP. So why is the interface listed as WAN?

I found that the rule was the auto-generated rule set up under the Floating Rules:
(https://imgur.com/LCV55EW.png)

So obviously it's allowing that DNS server to be contacted. Which brings me back to the question, why can't I disable/delete the auto-generated rules?
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: chemlud on March 04, 2021, 05:40:58 pm
OMG...
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 05:44:20 pm
Of course, if you want total privacy, use a VPN. Of course this will not stop pesky devices like Chromecast from using 8.8.8.8, but it's on my IOT VLAN anyway, so who cares.
I do use a VPN but I do network based routing (WORK AND IOT exit the ISP gateway, the rest exit the VPN gateway).

And yes, my Chromecast & Roku are on the IOT network and I don't care about that.
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 05:45:38 pm
OMG...
Care to elaborate???
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: chemlud on March 04, 2021, 05:53:15 pm
Your Firefox does something strange? Why not have a look there in the first place? What kind of (mis)config of DNS do you use here? Nobody knows your setup, so nobody can really help you.
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 05:59:10 pm
Your Firefox does something strange? Why not have a look there in the first place? What kind of (mis)config of DNS do you use here? Nobody knows your setup, so nobody can really help you.
I just laid out all the rules and my network layout. Is there anything specific that you need to know? Please let me know and I can go find that info.
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 07:15:24 pm
Aren't floating rules applied before the manually set up rules on the individual interfaces?

I don't see anything in my firewall logs that uses the rules that I set up. Everything is passed by the auto-generated Floating rules.

Can someone please help me out in blocking this traffic?
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Greelan on March 04, 2021, 08:06:45 pm
Your FW rules look all messed up to me. I think you are confused by how the rules work. Have you read the OPNsense docs on firewall rules? You need to have a look at that, particularly to understand rule direction, quick vs non-quick, and logging

Your LAN/VLAN rules need to be applied from the perspective of traffic coming from the relevant subnet into the relevant interface on OPNsense. So rules are applied INto the interface, and have a source of the subnet. If you want to see those rules in the logs, turn on logging for them

You are seeing the floating rule only in the logs because that is the only relevant one with logging turned on. And you are seeing the operation of that rule because two things are happening - packets are coming into OPNsense on the LAN/VLAN interfaces and being processed by the rules that apply there, then they are being NATted and are being passed out of OPNsense on the WAN interface by the floating rule that applies there
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 08:34:06 pm
Your FW rules look all messed up to me.
Can you please explain how they are messed up?

I think you are confused by how the rules work. Have you read the OPNsense docs on firewall rules?
Possibly I am. I have read the Opnsense docs on Rules.
Processing Order (https://docs.opnsense.org/manual/firewall.html#processing-order) indicates that the Floating rules are used before the Interface rules. The note then indicates that Automatic rules have higher priority.

You need to have a look at that, particularly to understand rule direction, quick vs non-quick, and logging
Yeah, the direction was not something that pfSense had, so I will have a look at those again to make sure I have the rules set up correctly
Your LAN/VLAN rules need to be applied from the perspective of traffic coming from the relevant subnet into the relevant interface on OPNsense. So rules are applied INto the interface, and have a source of the subnet. If you want to see those rules in the logs, turn on logging for them
All the rules that I manually created on the individual networks are defined as IN direction.

You are seeing the floating rule only in the logs because that is the only relevant one with logging turned on. And you are seeing the operation of that rule because two things are happening - packets are coming into OPNsense on the LAN/VLAN interfaces and being processed by the rules that apply there, then they are being NATted and are being passed out of OPNsense on the WAN interface by the floating rule that applies there
Yes, I'll enable logging for all the other rules for debugging purpose and see which rules are being applied.

But I am still concerned about the fact that the auto-generated rules that were created trump all the manual rules that I have. Is that not the case?
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 08:38:37 pm
Your Firefox does something strange? Why not have a look there in the first place? What kind of (mis)config of DNS do you use here? Nobody knows your setup, so nobody can really help you.
This turned out to be a Firefox profile issue. I created a new Firefox profile and that correctly gives me the IP of my VPN exit node as my only DNS server in both Chromium & Firefox.
Title: firewall allowing WAN to connect to Google DNS servers
Post by: Greelan on March 04, 2021, 08:48:44 pm
But I am still concerned about the fact that the auto-generated rules that were created trump all the manual rules that I have. Is that not the case?

No. Again, different interfaces. And you are not taking into account quick vs non-quick rules - again, see the docs
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Greelan on March 04, 2021, 09:02:35 pm
BTW, pfSense does in fact employ pretty much the same concepts as OPNsense on rule direction etc under the hood, it is just that it does not make as much of that explicit in the GUI. For example, by default pfSense firewall rules on an interface are applied into the interface, because that’s the 99% use case. OPNsense just gives more flexibility if needed
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 04, 2021, 10:31:28 pm
But I am still concerned about the fact that the auto-generated rules that were created trump all the manual rules that I have. Is that not the case?

No. Again, different interfaces. And you are not taking into account quick vs non-quick rules - again, see the docs
I have all my manual rules set up as Quick and direction=IN (which is the default). I also noticed that the auto-generated rules that I was talking about are all Non-Quick and with direction=OUT

Maybe it is just a matter of me reading the log files incorrectly.

When I see an outgoing connection from my WAN IP or my VPN IP to other DNS servers with port 53 -- is that just Unbound contacting the root servers?

When I look at the firewall log with the direction = IN as the search criteria, I only see the Loopback interface and my LAN services connecting to my firewall address on port 53


Thanks for sticking by me... I really appreciate it.
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Greelan on March 05, 2021, 12:00:59 am
Bit hard to tell without seeing all the relevant bits of the setup, packet traces etc (and I don't want to see them lol). Bear in mind that what Unbound is doing depends on whether it is a recursive or forwarding resolver. If recursive, it won't just be contacting the root servers, but a whole array of nameservers out there as it recursively resolves names. So you will see requests to Google, Cloudflare, etc.
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 05, 2021, 12:34:01 am
Bit hard to tell without seeing all the relevant bits of the setup, packet traces etc (and I don't want to see them lol). Bear in mind that what Unbound is doing depends on whether it is a recursive or forwarding resolver. If recursive, it won't just be contacting the root servers, but a whole array of nameservers out there as it recursively resolves names. So you will see requests to Google, Cloudflare, etc.
That probably is what it is then. I have unbound set up as a resolver and not a forwarder.

Last question: I know that Automatic rules have higher priority, but are auto-generated Non-Quick Floating rules matched before the Quick rules on any interface?
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Greelan on March 05, 2021, 01:39:22 am
No.

Floating rules are evaluated first, but if it is a non-quick rule then rule evaluation continues to determine if another quick or non-quick rule matches. If none, then the initial non-quick rule is applied. But if a matching quick rule is reached (including on an interface) then evaluation stops and the quick rule is applied. If other non-quick rules are matched, then the last of those is applied.
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Inxsible on March 05, 2021, 03:43:59 am
Thanks again @Greelan
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: Fright on March 05, 2021, 07:03:42 am
Quote
I am only allowing the DNS to the opnsense server.
No.
You allow all traffic via the "allow iot to any" rule. You can try to enable logging on this rule and check the logs.
Quote
Which brings me back to the question, why can't I disable/delete the auto-generated rules?
Why do you want to block the request when it is already trying to exit the WAN? Block on the ingress interface: just block DNS traffic from the IOT network to any destination except "this firewall".
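To make Greelan's description of the evaluation order (floating rules first; a matching quick rule ends evaluation; among non-quick matches the last one wins) and Fright's ingress-block advice concrete, here is a small Python model of that order, added as example code. It is not OPNsense's or pf's own implementation, and the interface names, subnets, addresses and rule labels are constructed; the one floating rule stands in for the automatic "let out anything from the firewall host itself" rule named in the thread.

```python
"""Toy model of the evaluation order Greelan describes (floating rules first;
a matching quick rule ends evaluation; among non-quick matches the last wins),
used to show why Fright's advice to block stray DNS on the ingress interface
works. Example code added to the thread, not OPNsense's or pf's own logic;
interface names, subnets, addresses and rule labels are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    label: str
    action: str                  # "pass" or "block"
    iface: Optional[str]         # None = floating (any interface)
    direction: str               # "in" or "out"
    quick: bool                  # quick: first match ends evaluation
    src: str = "any"             # CIDR or "any"
    dst: str = "any"             # CIDR or "any"
    dport: Optional[int] = None  # None = any destination port


@dataclass
class Packet:
    iface: str
    direction: str
    src: str
    dst: str
    dport: int


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule accepts the packet."""
    return ((rule.iface is None or rule.iface == pkt.iface)
            and rule.direction == pkt.direction
            and _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the deciding rule. `rules` is already in
    evaluation order: floating rules first, then the interface's own rules."""
    last_nonquick = None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.quick:                 # quick: stop here
            return rule.action, rule.label
        last_nonquick = rule           # non-quick: remember it, keep going
    if last_nonquick is not None:      # last matching non-quick rule wins
        return last_nonquick.action, last_nonquick.label
    return "block", "default deny"


# --- constructed ruleset ---------------------------------------------------
IOT_NET = "192.168.20.0/24"       # IOT VLAN
FW_IOT_ADDR = "192.168.20.1/32"   # firewall's address on that VLAN
WAN_ADDR = "203.0.113.10"         # WAN address a NATted flow leaves from

# Stand-in for the automatic non-quick floating rule named in the thread.
FLOATING = [Rule("let out anything from the firewall host itself",
                 "pass", None, "out", quick=False)]

# The IOT ruleset as described in the thread: one catch-all pass rule.
IOT_ORIGINAL = [Rule("allow iot to any", "pass", "iot", "in", quick=True, src=IOT_NET)]

# Fright's fix: on the ingress interface, pass DNS only to the firewall and
# block DNS to anywhere else, both placed ahead of the catch-all.
IOT_FIXED = [
    Rule("allow iot dns to this firewall", "pass", "iot", "in", quick=True,
         src=IOT_NET, dst=FW_IOT_ADDR, dport=53),
    Rule("block iot dns elsewhere", "block", "iot", "in", quick=True,
         src=IOT_NET, dport=53),
    Rule("allow iot to any", "pass", "iot", "in", quick=True, src=IOT_NET),
]


def trace_dns_query(iot_rules: List[Rule], dst: str = "8.8.8.8") -> List[Tuple[str, str, str]]:
    """Follow one DNS query from an IOT client: ingress on 'iot', then (only if
    passed and bound for outside) egress on 'wan'. Returns [(iface, action, rule)]."""
    ingress = Packet("iot", "in", "192.168.20.15", dst, 53)
    action, label = evaluate(FLOATING + iot_rules, ingress)
    path = [("iot", action, label)]
    if action == "pass" and not _in_net(dst, FW_IOT_ADDR):
        egress = Packet("wan", "out", WAN_ADDR, dst, 53)
        path.append(("wan",) + evaluate(FLOATING + iot_rules, egress))
    return path


def nonquick_last_match() -> Tuple[str, str]:
    """Two matching non-quick floating rules: the last one decides."""
    rules = [Rule("floating non-quick block", "block", None, "out", quick=False),
             Rule("floating non-quick pass", "pass", None, "out", quick=False)]
    return evaluate(rules, Packet("wan", "out", WAN_ADDR, "8.8.8.8", 53))


if __name__ == "__main__":
    print("original:", trace_dns_query(IOT_ORIGINAL))
    print("fixed:   ", trace_dns_query(IOT_FIXED))
    print("to fw:   ", trace_dns_query(IOT_FIXED, dst="192.168.20.1"))
    print("tie:     ", nonquick_last_match())
```

With the original ruleset the query is passed on the IOT interface by the quick catch-all, NATted, and then passed out on WAN by the non-quick floating rule, which is exactly the log entry the thread is chasing. With the fixed ruleset the quick block on the ingress interface decides first, so the packet never reaches WAN and the floating rule is irrelevant, as Greelan and Fright both say.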
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: tiermutter on March 05, 2021, 12:17:16 pm
Block on the ingress interface: just block DNS traffic from the IOT network to any destination except "this firewall".
I think the TS doesn't want to just block DNS requests to WAN. He wants all DNS requests to be resolved by Unbound, even if the devices have hardcoded DNS servers.
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: nferocious76 on January 06, 2024, 06:25:54 pm
I found Google APIs Client Library for PHP as part of the package php82-google-api-php-client.
Could this also be the cause?
Title: Re: firewall allowing WAN to connect to Google DNS servers
Post by: cookiemonster on January 06, 2024, 11:29:26 pm
The "cause" of this was a misconfiguration of the firewall rules.