OPNsense Forum

Title: Millions of DNS lookups... what's going on?
Post by: SynAck on May 21, 2018, 05:56:47 am
So I've got opnsense configured to use OpenDNS for lookups, and I've been shocked to find millions of DNS requests per day hitting the service and originating from my opnsense box. This is for a home network with less than 20 devices attached; my first thought was that someone's phone or laptop had been popped with a virus or spyware or something and was just making all the requests via opnsense (I have it set as the default DNS server via DHCP).

However, I've reviewed packet captures from my LAN interface and there are no unusual requests showing up from attached devices, and the frequency is relatively low or normal. If I do a packet capture on the WAN interface, though, I get a constant stream of DNS lookups that really look like they're just originating from opnsense itself.

According to OpenDNS, I've been averaging about 1.1 million lookups each day for the past week, which works out to about 46,000 per hour. The vast majority of these look like they are advertising related, but there are some pretty raunchy-looking "adult" domains in there as well. As an example, here's the top 30 from yesterday that OpenDNS blocked:
(https://i.imgur.com/ExEywVL.png)

I downloaded the dnstop application (http://dns.measurement-factory.com/tools/dnstop/) for a real time view of DNS activity. Here's what it shows for a 60 second period (I've blocked out my IP address and domain):
(https://i.imgur.com/y3jUo6E.png)

The Source address is the same for all of them, and it is my current WAN address. Note the cumulative percentage: what's showing on the screen is only 18.7% of the total lookups in that 60 seconds.

Anyone have any ideas what might be going on? Is there some kind of adware/spyware/virus stuck in opnsense somewhere? Is there an installed service that's doing these constant lookups? I originally thought it might be related to either the web proxy or tor, but I've disabled them both and the lookups are continuing.

Title: Re: Millions of DNS lookups... what's going on?
Post by: SynAck on May 21, 2018, 03:30:32 pm
Looks like I can answer my own question here. I'll post the solution for posterity in case anyone else ever comes up with this.

I had sort of forgotten that I set up an Alias containing a bunch of domains and IP addresses (a little over 3,000) that I had intended to blacklist. I never ended up using the Alias for anything so I didn't think much of it and figured it was harmless to just leave it sitting there. What I didn't count on is that there is a Python script (update_tables.py) that runs on a given interval and basically refreshes the Alias lists using DNS.

As nearly as I can figure, the default refresh is every five minutes. I'm assuming that my list was long enough that it took close to 5 minutes to complete... which effectively resulted in a never-ending string of DNS updates for sites that I was considering "bad" (advertising, adult, junk, etc). So I'm a victim of my own desire to be protected from those domains.    8)

I deleted two Aliases early this morning (there was another one I had as well with several hundred IP addresses) and the effect on DNS lookups is fantastically clear:
(https://i.imgur.com/CbyfPwJ.png)

The arrow is pointing at the hour interval in which I deleted the Alias lists. I've dropped from almost 50,000 DNS lookups per hour to around 500, which is much more in line with what I would expect.

Whoops.  ;D
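An added example, not the poster's code or anything shipped with OPNsense, showing how to check a WAN-side capture for the pattern described in this thread: it parses tcpdump-style DNS query lines, measures how much of the traffic is names from an alias list, recovers the refresh interval from repeated lookups of one entry, and estimates the hourly volume a list of a given size would produce. The alias names, addresses and capture lines are constructed placeholders, and the number of query types per entry is a parameter rather than a claim about what the alias updater actually sends.

```python
import re
import statistics
from collections import namedtuple
from datetime import datetime

# Constructed stand-in for a firewall alias of hostnames (not the poster's list).
ALIAS_HOSTS = {"ads.example-a.test", "tracker.example-b.test", "cdn.example-c.test"}

# Constructed tcpdump-style DNS queries as seen on the WAN interface; the same
# alias names recur exactly five minutes apart, plus one unrelated client lookup.
SAMPLE_CAPTURE = """
10:00:00.100000 IP 203.0.113.10.40001 > 198.51.100.53.53: 1001+ A? ads.example-a.test. (36)
10:00:00.200000 IP 203.0.113.10.40002 > 198.51.100.53.53: 1002+ A? tracker.example-b.test. (40)
10:00:00.300000 IP 203.0.113.10.40003 > 198.51.100.53.53: 1003+ A? cdn.example-c.test. (36)
10:00:07.000000 IP 203.0.113.10.40004 > 198.51.100.53.53: 1004+ A? www.example.org. (33)
10:05:00.100000 IP 203.0.113.10.40005 > 198.51.100.53.53: 1005+ A? ads.example-a.test. (36)
10:05:00.200000 IP 203.0.113.10.40006 > 198.51.100.53.53: 1006+ A? tracker.example-b.test. (40)
10:05:00.300000 IP 203.0.113.10.40007 > 198.51.100.53.53: 1007+ A? cdn.example-c.test. (36)
"""

LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d+) IP (\S+)\.\d+ > \S+\.53: \d+\+? (A|AAAA)\? (\S+)\. \(\d+\)$"
)
Query = namedtuple("Query", "ts src qtype qname")


def parse_queries(capture):
    """Turn tcpdump DNS query lines into Query records; lines that don't match are skipped."""
    out = []
    for line in capture.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, qtype, qname = m.groups()
            out.append(Query(datetime.strptime(ts, "%H:%M:%S.%f"), src, qtype, qname.lower()))
    return out


def alias_share(queries, alias_hosts):
    """Fraction of captured queries whose name is an alias entry (the 'is it my list?' test)."""
    hits = sum(1 for q in queries if q.qname in alias_hosts)
    return hits / len(queries) if queries else 0.0


def refresh_period_seconds(queries, qname):
    """Median gap between successive lookups of one entry, i.e. the updater's refresh interval."""
    times = sorted(q.ts for q in queries if q.qname == qname)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.median(gaps) if gaps else None


def expected_lookups_per_hour(alias_entries, refresh_s, qtypes_per_entry=1):
    """Hourly query volume a list of this size produces at the given refresh interval."""
    return alias_entries * qtypes_per_entry * 3600 / refresh_s
```

Plug the observed refresh period and the alias size into `expected_lookups_per_hour` and compare the result with the resolver's reported hourly count; a close match points at the alias updater rather than at a compromised client.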