Messages - opnsenseuser

#316
Quote from: mimugmail on November 20, 2018, 11:27:53 AM
With 18.7.8 you'll have a devel pkg to install, then you forward unbound to dnscrypt-proxy like here:
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/

Then your DNS is forwarded via port 853 so it won't be intercepted ...

Sorry, but on 18.7.8 I can't find the plugin!
#317
Quote from: mimugmail on November 20, 2018, 11:27:53 AM
With 18.7.8 you'll have a devel pkg to install, then you forward unbound to dnscrypt-proxy like here:
https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/

Then your DNS is forwarded via port 853 so it won't be intercepted ...

That's really really great! Thx very very much!! :-)
#318
Quote from: mimugmail on November 14, 2018, 06:32:08 AM
It's under review, just watch the open PRs

https://github.com/opnsense/plugins/pull/965 "merged" ! great work! :-)


Is there also a howto with which I could solve the problem I described?


I mean this -> "my provider uses a transparent DNS proxy!" -> How can I solve this, so that my provider can't read the sites I visited, using this plugin?

Regards, René
#319
General Discussion / Re: Opnsense and QUIC?
November 19, 2018, 06:18:42 PM
Quote from: fabian on November 19, 2018, 05:31:36 PM
QUIC is just UDP, which is supported or what are you referring to?

That means that it has to be supported on the client (browser) side and on the server side nothing needs to be implemented to support QUIC. Am I correct?
#320
Quote from: mimugmail on November 14, 2018, 06:32:08 AM
It's under review, just watch the open PRs

Hope to see this plugin soon!
#321
Quote from: bartjsmit on November 13, 2018, 09:39:24 PM
Hi René,

Yes, DNS will flow securely through dnscrypt which will foil any attempt to transparently proxy the traffic, since that will be seen as a MITM attack. The two benefits of secure protocols are encryption and verification of endpoints.

Squid services a different protocol although it is susceptible to transparent proxies as well; your ISP can transparently inspect and proxy any HTTP traffic, but HTTPS traffic is protected.

Bart...

Thx for your information. :-)

In which OPNsense release will the new plugin appear?
#322
General Discussion / Opnsense and QUIC?
November 13, 2018, 10:58:08 PM
https://en.m.wikipedia.org/wiki/QUIC

Will this be supported by OPNsense in the future?
#323
Quote from: bartjsmit on November 13, 2018, 03:51:07 PM
Hi René

Quote from: noname12123 on November 13, 2018, 03:04:43 PM
Can I do anything with opnsense here?

You currently have two options:

1. Find a better provider  ;)
2. Sign up with a VPN and run all your outbound traffic through them

Once the dnscrypt plugin is added to OPNsense, this will no longer be a problem.

Bart...

Thx for your help!

1. So if the dnscrypt plugin is added, I don't need to use a VPN?
2. This works synonymous with squid, or is that in no connection?

Regards,
René
#324
Quote from: mimugmail on November 12, 2018, 07:49:10 PM
Hm, works for me

OK, I found out that my provider uses a transparent DNS proxy!
So my provider can log every website I visit.

Can I do anything with OPNsense here?

Regards, René
#325
Quote from: mimugmail on November 12, 2018, 01:48:56 PM
https://dnscrypt.info/public-servers/

Some of them probably support plain DNS. The dnscrypt plugin will come in a few weeks ..
Thx for your help.

Two questions:

1. How can I find out if my provider blocks my DNS servers? See https://www.dnsleaktest.com/what-is-transparent-dns-proxy.html

2. Does OPNsense offer the possibility to do something about this?

3. How can I find out which DNS server of my list my firewall currently uses?
Can I use nslookup on the firewall?


Regards, René
#326
There is 1.1.1.1 and 9.9.9.9, but are there any other servers?
I read on the internet that OpenDNS is not recommended because they are related to hijacking NXDOMAIN records and serving up their ad page?

Does anyone know a safe and fast DNS server?

Thx,
Regards
René
#327
General Discussion / Re: GeoIP Problem!
November 09, 2018, 04:19:15 PM
Unfortunately, I have to tell you that I've tried everything you said, but unfortunately without success. No matter which countries are blocked, they are blocked via dest / source on the LAN interface or via dest / source on the WAN interface. It has to be somehow related to the transparent proxy, but I do not know yet.

Who knows how to configure it?
#328
General Discussion / Re: GeoIP Problem!
November 09, 2018, 01:58:47 PM
Quote from: mimugmail on November 09, 2018, 01:42:30 PM
Make it 1,5 Mio .. if it's still not working it's Layer 8 :)

https://en.wikipedia.org/wiki/Layer_8 ;-)

http://www.angolatelecom.ao/ -> still works
http://www.governo.gov.ao/ -> still works
http://www.angop.ao/ -> still works

If I understand the firewall rules correctly, "source" means the traffic that comes into the firewall and "destination" everything that goes out of the firewall, right?

So if I want to block pages from Angola I would have to enter the alias under Destination, right?

After having amused myself about Layer 8, I cannot really say what I'm doing wrong now.
Perhaps choose the LAN interface for the blocking rule and not the WAN interface?
How can I check whether the GeoIP blocking works?

By the way, I'm using a transparent squid proxy with certificate, if this is important to know!


#329
General Discussion / Re: GeoIP Problem!
November 09, 2018, 01:33:17 PM
Thx for your reply.

I increased the Firewall Maximum Table Entries to "500000" and applied the changes.
I still use the alias on source and destination WAN rules.

No difference, http://www.governo.gov.ao/ still works!


#330
General Discussion / GeoIP Problem!
November 09, 2018, 12:09:34 PM
First, I created the alias. Then I selected the countries or continents that I want to block.
In the last step, I selected the alias as the source in the firewall rule of the WAN interface. I then confirmed this, waited 10 minutes and tried.

How can it be that I can still load, for example, the Angola homepage?

I then additionally entered the alias as destination in the WAN firewall rules too, but it does not work either.

Does this work only with IDS / IPS or am I doing something wrong?

For screenshots of the settings, see appendix!

Best regards,
René