OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: dwasifar on October 11, 2021, 04:40:41 pm

Title: Intrusion detection is blocking some traffic for no visible reason
Post by: dwasifar on October 11, 2021, 04:40:41 pm
I noticed recently that some sites (linode.com and nerdwallet.com for example) are inaccessible from a desktop browser while intrusion detection is enabled. Turn it off, they come right up. From a mobile device on the same network, they come right up. But from a desktop browser with detection enabled, no dice. There is nothing relevant to those connection attempts in the alert log. I've tried to narrow down what ruleset might be responsible by turning off rulesets in groups, and it doesn't look like it matters what rules are active.

Anyone else have this problem?
Title: Re: Intrusion detection is blocking some traffic for no visible reason
Post by: dwasifar on October 12, 2021, 08:35:01 pm
I discovered Unbound is playing a role in this too.  Not sure what the interaction is between Unbound and intrusion detection, but I did eventually figure out a few things.

First, those sites that were having problems had unusual dig results:

Code:
jon@Oberon:~$ dig A www.nerdwallet.com

; <<>> DiG 9.16.1-Ubuntu <<>> A www.nerdwallet.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2362
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.nerdwallet.com. IN A

;; ANSWER SECTION:
www.nerdwallet.com. 40 IN CNAME www.nerdwallet.com.cdn.cloudflare.net.
www.nerdwallet.com.cdn.cloudflare.net. 102 IN A 104.18.22.225
www.nerdwallet.com.cdn.cloudflare.net. 102 IN A 104.18.23.225

;; Query time: 59 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Oct 12 13:28:12 CDT 2021
;; MSG SIZE  rcvd: 130

linode.com also resolves to a CNAME for Cloudflare.

Second, I remembered that on my mobile device, I have a VPN-based ad blocker which redirects DNS directly to Cloudflare, so a DNS caching problem at the OPNsense gateway would not affect it, and that's why the mobile device worked.

I disabled Unbound and activated dnsmasq in its place, and everything immediately went to normal.

So I'm still not sure what the actual issue was, but it looks like it was primarily Unbound and not intrusion detection.
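When a site behind a CNAME chain works through one resolver but not another, the quickest way to pin it on DNS rather than on the IDS is to compare what each resolver actually hands back for the same name. The script below is an added example, not code from the poster or from the OPNsense project: it parses the answer section of `dig` output in the layout quoted above, walks the CNAME chain to the terminal addresses, and reports whether two resolvers agree. The first sample is the dig output from the post; the second is a constructed, hypothetical answer (resolver address 192.0.2.1 is a documentation range placeholder) in which the resolver returns the CNAME but no address for its target, which is the failure mode that leaves a browser with nothing to connect to. To use it on a live system, paste the output of `dig A <name> @<resolver>` from each resolver into the two strings.

```python
import re
from typing import Dict, List, Set, Tuple

# Sample 1: the dig output quoted in the post (resolver 127.0.0.53, the local stub).
DIG_STUB = """\
; <<>> DiG 9.16.1-Ubuntu <<>> A www.nerdwallet.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2362
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.nerdwallet.com. IN A

;; ANSWER SECTION:
www.nerdwallet.com. 40 IN CNAME www.nerdwallet.com.cdn.cloudflare.net.
www.nerdwallet.com.cdn.cloudflare.net. 102 IN A 104.18.22.225
www.nerdwallet.com.cdn.cloudflare.net. 102 IN A 104.18.23.225

;; Query time: 59 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
"""

# Sample 2 (constructed, hypothetical): the same query answered by a resolver that
# returns the CNAME but no address for its target, so the chain stalls.
DIG_STALLED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.nerdwallet.com. 40 IN CNAME www.nerdwallet.com.cdn.cloudflare.net.

;; Query time: 12 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)
"""

Record = Tuple[str, int, str, str]  # (owner, ttl, rtype, rdata)
# dig prints "owner TTL IN TYPE rdata"; whitespace may be tabs or spaces.
RR_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)$')


def parse_answer_section(dig_output: str) -> List[Record]:
    """Return the resource records listed under ';; ANSWER SECTION:'."""
    records: List[Record] = []
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(';; ANSWER SECTION:'):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line or line.startswith(';'):
            break  # a blank line or the next section header ends the answer section
        m = RR_RE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return records


def server_of(dig_output: str) -> str:
    """Extract the ';; SERVER:' line so the report names which resolver answered."""
    m = re.search(r'^;; SERVER: (\S+)', dig_output, re.M)
    return m.group(1) if m else 'unknown'


def fqdn(name: str) -> str:
    return name if name.endswith('.') else name + '.'


def resolve_chain(records: List[Record], qname: str, max_hops: int = 8) -> Tuple[List[str], Set[str], bool]:
    """Follow CNAMEs from qname within one answer section.

    Returns (chain of owner names, addresses at the end of the chain, stalled).
    stalled is True when the chain ends at a name that has neither an address
    nor a further CNAME in the answer (or when a CNAME loop is detected).
    """
    name = fqdn(qname)
    chain = [name]
    for _ in range(max_hops):
        addrs = {rd for owner, _, rtype, rd in records if owner == name and rtype in ('A', 'AAAA')}
        if addrs:
            return chain, addrs, False
        cnames = [rd for owner, _, rtype, rd in records if owner == name and rtype == 'CNAME']
        if not cnames:
            return chain, set(), True
        name = fqdn(cnames[0])
        if name in chain:
            return chain, set(), True  # CNAME loop
        chain.append(name)
    return chain, set(), True


def compare_resolvers(qname: str, dig_a: str, dig_b: str) -> Dict[str, object]:
    """Resolve qname through both captured answers and report where they diverge."""
    chain_a, addrs_a, stalled_a = resolve_chain(parse_answer_section(dig_a), qname)
    chain_b, addrs_b, stalled_b = resolve_chain(parse_answer_section(dig_b), qname)
    return {
        'query': fqdn(qname),
        'resolver_a': server_of(dig_a), 'resolver_b': server_of(dig_b),
        'chain_a': chain_a, 'chain_b': chain_b,
        'addrs_a': sorted(addrs_a), 'addrs_b': sorted(addrs_b),
        'stalled_a': stalled_a, 'stalled_b': stalled_b,
        'same_chain': chain_a == chain_b,
        'same_addresses': addrs_a == addrs_b,
    }


if __name__ == '__main__':
    for key, value in compare_resolvers('www.nerdwallet.com', DIG_STUB, DIG_STALLED).items():
        print(f'{key:15} {value}')
```

A report where `same_chain` is true but `stalled_b` is set says the two resolvers agree on where the name points and differ only in whether the final address is delivered, which is a resolver or cache problem and not something an IDS rule would produce; a report where the chains themselves differ points at the upstream the two resolvers are using.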