Messages - mush2020

#1
General Discussion / DNS Monitoring and Alerting
September 30, 2022, 09:34:16 PM
Does anyone know how to detect and alert on all types of DNS record changes for a domain?
I have a name server in the DMZ, and PTR records are created for published services like email, FTP, web.
I manage and control my NS, and the ISP is authoritative for the IPs allocated, but someone in the world is creating PTR records identical to my domain's published services.
e.g. 123.123.123.123 pointing to my ftp.mydomain.com
I want to monitor and get alerted if there is an unauthorized record created for mydomain.com.
I don't have control over malicious threat actors, but at least if I get alerted I could report it to take down such records.

Is there any OPNsense plugin to monitor this, or any external service to subscribe to?

Thanks
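One way to check for the rogue PTR records described in this post, as an added example that is not part of the thread and not an OPNsense or AdGuard feature: it takes a list of (ip, ptr-target) pairs you have collected yourself (for example from scheduled reverse lookups over address ranges where your hostnames have been seen) and flags any record that claims a name in your zone from an IP outside the prefixes your ISP allocated to you, or whose forward A record does not confirm the reverse (forward-confirmed reverse DNS). It also diffs two snapshots of your own zone so a scheduled job can alert on records that appeared without a change request. OWN_DOMAIN, OWN_PREFIXES and the sample records are constructed placeholders.

```python
"""Spot PTR records that impersonate hostnames in a zone you control.

Added example (not from the forum thread, not an OPNsense or AdGuard feature).
Assumptions: OWN_DOMAIN is your zone, OWN_PREFIXES is the address space your
ISP delegated to you, and `records` is a list of (ip, ptr_target) pairs you
collected yourself. All values below are constructed placeholders.
"""
import ipaddress
import socket
from typing import Callable, Iterable

OWN_DOMAIN = "mydomain.com"                                 # placeholder zone
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]    # placeholder (TEST-NET-2)

Forward = Callable[[str], set[str]]


def forward_lookup(name: str) -> set[str]:
    """A records for name via the system resolver; empty set on NXDOMAIN/timeouts."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def classify_ptr(ip: str, target: str, forward: Forward = forward_lookup) -> str:
    """Classify one PTR record.

    'ignore'      - target is not a name in our zone, nothing to do
    'foreign-ip'  - our hostname claimed by an IP we do not own (report/takedown candidate)
    'no-fcrdns'   - our IP, but the forward A record does not point back to it
    'ok'          - forward-confirmed reverse DNS inside our own address space
    """
    host = target.rstrip(".").lower()
    if host != OWN_DOMAIN and not host.endswith("." + OWN_DOMAIN):
        return "ignore"
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in OWN_PREFIXES):
        return "foreign-ip"
    if ip not in forward(host):
        return "no-fcrdns"
    return "ok"


def find_rogue_ptrs(records: Iterable[tuple[str, str]],
                    forward: Forward = forward_lookup) -> list[tuple[str, str, str]]:
    """Return (ip, target, verdict) for every record that needs attention."""
    findings = []
    for ip, target in records:
        verdict = classify_ptr(ip, target, forward)
        if verdict in ("foreign-ip", "no-fcrdns"):
            findings.append((ip, target, verdict))
    return findings


def diff_zone(previous: dict[str, set[str]], current: dict[str, set[str]]) -> dict[str, set[str]]:
    """Compare two snapshots of your own zone ({name: {"TYPE value", ...}}).

    Returns {"added": {...}, "removed": {...}} as "name TYPE value" strings, so a
    scheduled job can alert on anything that changed without a change request.
    """
    def flatten(snap):
        return {f"{name} {rr}" for name, rrs in snap.items() for rr in rrs}
    old, new = flatten(previous), flatten(current)
    return {"added": new - old, "removed": old - new}


if __name__ == "__main__":
    # Constructed sample data; fake_forward stands in for real forward lookups.
    def fake_forward(name):
        return {"ftp.mydomain.com": {"198.51.100.10"}}.get(name, set())

    sample = [
        ("198.51.100.10", "ftp.mydomain.com."),   # legitimate, forward-confirmed
        ("203.0.113.7", "ftp.mydomain.com"),      # someone else's IP claiming our FTP host
        ("198.51.100.11", "web.mydomain.com"),    # our IP, but no matching A record
        ("203.0.113.8", "mail.example.net"),      # not our zone
    ]
    for finding in find_rogue_ptrs(sample, fake_forward):
        print(finding)
```

Run it from cron against a fresh collection of PTR records and page on any "foreign-ip" verdict; those are the records worth reporting to the owner of the address block, since only that ISP can remove them.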
#2
Thanks for the guide.
Are you still running the AdGuardHome service?
If I disable AGH I don't have Internet working.
I'm not sure what to do about NAT rules and Unbound ports if AGH is stopped.
Should Unbound listen on its default port, rather than a custom one due to the AGH port in use?
#3
I need some help in moving from AdGuard Home installed via the OPNsense plugin to the new private beta AdGuard DNS.
As per the AdGuard DNS beta, it requires adding the AdGuard DNS servers (plain and DoT) in devices like router, Windows PC, etc.
I already have the AdGuardHome plugin running with Unbound, and it works fine.
But I want to try the new AdGuard DNS beta.
So I need to uncheck AdGuardHome under Services to stop the service.
I'm not sure what setting to change in Unbound and whether I need to stop the Unbound service.
In general I think I need to add the AdGuard DNS servers 94.140.14.49, 94.140.14.59, but I'm not sure how to add the AdGuard DoT server tls://device_identifier.d.adguard-dns.com in OPNsense.
Unbound accepts only IPs in DoT settings.

Instead of running and processing DoT from OPNsense I want to try it from AdGuard externally.

Any guide or further comments would be appreciated.
#4
I'm seeing many unknown MAC addresses in the DHCPv4 leases.
The hostname is the same but there are 2 different IP addresses and MAC addresses.

I'm trying to find out from where the unknown MAC address is logged.
In Windows, random MAC address assignment is disabled.
Even the Android host shows a MAC address with the same first 6 digits, 02:0c:43.

Can anyone help to resolve this issue?

Log file entry of the Windows host:
xx:xx:72:b0:da:5b is the actual MAC address
02:0c:43:b0:da:5b is the unknown one

2022-01-30T11:40:44   dhcpd[27070]   DHCPACK on 192.168.10.99 to xx:xx:72:b0:da:5b (Laptop) via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPREQUEST for 192.168.10.99 (192.168.10.254) from xx:xx:72:b0:da:5b (Laptop) via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPOFFER on 192.168.10.99 to xx:xx:72:b0:da:5b (Laptop) via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPDISCOVER from xx:xx:72:b0:da:5b (Laptop) via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPNAK on 192.168.10.31 to xx:xx:72:b0:da:5b via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPREQUEST for 192.168.10.31 from xx:xx:72:b0:da:5b via igb2: lease 192.168.10.31 unavailable.
2022-01-30T11:34:12   dhcpd[27070]   DHCPACK on 192.168.10.31 to 02:0c:43:b0:da:5b (Laptop)  via igb2
2022-01-30T11:34:12   dhcpd[27070]   Wrote 75 leases to leases file.
2022-01-30T11:34:12   dhcpd[27070]   DHCPREQUEST for 192.168.10.31 (192.168.10.254) from 02:0c:43:b0:da:5b (Laptop)  via igb2
2022-01-30T11:34:11   dhcpd[27070]   DHCPOFFER on 192.168.10.31 to 02:0c:43:b0:da:5b (Laptop)  via igb2
2022-01-30T11:34:11   dhcpd[27070]   DHCPDISCOVER from 02:0c:43:b0:da:5b (Laptop)  via igb2
2022-01-30T11:34:11   dhcpd[27070]   DHCPNAK on 192.168.10.99 to 02:0c:43:b0:da:5b via igb2
2022-01-30T11:34:11   dhcpd[27070]   DHCPREQUEST for 192.168.10.99 from 02:0c:43:b0:da:5b via igb2: lease 192.168.10.99 unavailable.
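A quick way to answer the question in this post (added example, not code from the thread): parse the dhcpd lines and test the U/L bit in the first octet of each MAC. The 02 in 02:0c:43 has that bit set, which marks a locally administered address, the pattern that MAC randomization and other software-assigned addresses produce, while a burned-in hardware address does not. Grouping by hostname also lists every device name that has shown up with more than one MAC. The log lines and MACs below are constructed placeholders in the same format as the post's log.

```python
"""Flag randomized (locally administered) MAC addresses in OPNsense dhcpd logs.

Added example, not part of the forum post. The sample log lines are constructed
in the same format as the thread's dhcpd output; the MAC addresses are placeholders.
"""
import re
from collections import defaultdict

# Matches the dhcpd lines OPNsense logs: timestamp, dhcpd[pid], message, MAC, optional (hostname).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+dhcpd\[\d+\]\s+(?P<msg>DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK))\b"
    r".*?(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+\((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)

# Constructed sample; same layout as the post's log, placeholder MACs.
SAMPLE_LOG = """\
2022-01-30T11:34:11   dhcpd[27070]   DHCPDISCOVER from 02:0c:43:b0:da:5b (Laptop)  via igb2
2022-01-30T11:34:12   dhcpd[27070]   DHCPACK on 192.168.10.31 to 02:0c:43:b0:da:5b (Laptop)  via igb2
2022-01-30T11:34:12   dhcpd[27070]   Wrote 75 leases to leases file.
2022-01-30T11:40:44   dhcpd[27070]   DHCPNAK on 192.168.10.31 to a4:5e:60:b0:da:5b via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPACK on 192.168.10.99 to a4:5e:60:b0:da:5b (Laptop) via igb2
2022-01-30T11:41:02   dhcpd[27070]   DHCPACK on 192.168.10.40 to 02:0c:43:12:34:56 (Phone) via igb2
2022-01-30T11:41:30   dhcpd[27070]   DHCPACK on 192.168.10.50 to d8:3a:dd:44:55:66 (Printer) via igb2
"""


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 in the first octet) is set.

    Randomized MACs from Windows, Android and iOS set this bit, which is why
    they start with x2, x6, xA or xE (02:0c:43:... in the thread).
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_dhcpd(text: str) -> list:
    """Parse log text into dicts with ts, msg, mac (lower-cased), host (None if absent)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["mac"] = ev["mac"].lower()
            events.append(ev)
    return events


def analyse(text: str) -> dict:
    """Summarise which MACs look randomized and which hostnames appear with several MACs."""
    randomized = {}                     # mac -> last hostname seen with it (or None)
    macs_by_host = defaultdict(set)     # hostname -> every MAC that used that name
    for ev in parse_dhcpd(text):
        if is_locally_administered(ev["mac"]):
            randomized[ev["mac"]] = ev["host"] or randomized.get(ev["mac"])
        if ev["host"]:
            macs_by_host[ev["host"]].add(ev["mac"])
    multi = {h: sorted(m) for h, m in macs_by_host.items() if len(m) > 1}
    return {"randomized": randomized, "multi_mac_hosts": multi}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for mac, host in report["randomized"].items():
        print(f"locally administered MAC {mac} ({host or 'no hostname'})")
    for host, macs in report["multi_mac_hosts"].items():
        print(f"hostname {host!r} seen with {len(macs)} MACs: {', '.join(macs)}")
```

Feed it the dhcpd log exported from the OPNsense GUI: a hostname that appears with one universally administered MAC and one locally administered MAC is the same device presenting a software-assigned address, which is worth confirming on the device before treating the extra lease as an unknown client.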
#5
Can anyone help here to look at the GitHub link below?
https://github.com/AdguardTeam/AdGuardHome/issues/2657
I'm not sure what the exact issue is and how it has been resolved as per GitHub.
Can anyone forward this to the developer of the AGH plugin for OPNsense?
#6
I just did a clean re-install of AGH.
Now the settings are:

In OPNsense
Added 127.0.0.1 with no GW in System | General | DNS Server

Unbound
Listen port is 53 (default)
Network Interfaces: All
Enable DNSSEC Support=Unchecked
Register DHCP leases=Checked
Register DHCP static mappings=Checked
DNS over TLS = Removed all
Custom Options:
server:
  do-not-query-localhost: no
forward-zone:
  name: "."    # Allow all DNS queries
  forward-addr: 127.0.0.1@5353

In AGH
Listening port: 5353

Under General Settings
Block domains using filters and host file=Checked
Use safe search=Checked

Under Upstream DNS servers
tls://dns-family.adguard.com

Parallel request=selected

Bootstrap DNS servers
94.140.14.14
94.140.15.15

Private reverse DNS servers
Blank

use private rDNS resolver = Checked
enable reverse resolving of client's IP address=Checked


Under Encryption Setting
Enable Encryption=Checked with Cert Status Valid

With the above settings I'm getting the same issue when enabling parental control.
Now in Top Clients I see only 127.0.0.1.
What do I need to do to see all the clients instead?
I can see clients with hostnames in Client Settings | Client Runtime, but not on the dashboard.

#7
I have tried nslookup and got the following results. Basically I wanted to check if resolution is happening for the domains that the parental control and safe browsing features point to.
As per the result, one of the domains is a non-existent domain.

Connected to ISP router Directly

PS C:\Users\user1> nslookup
Default Server:  homerouter.cpe
Address:  192.168.8.1

> family-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Non-authoritative answer:
Name:    family-block.dns.adguard.com
Address:  176.103.130.135

> standard-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Non-authoritative answer:
Name:    standard-block.dns.adguard.com
Address:  176.103.130.133

> family-block.dns.adguard.com
Server:  homerouter.cpe
Address:  192.168.8.1

Connected to WiFi via Opnsense

PS C:\Users\user1> nslookup
Default Server:  fw.mydomain.com
Address:  192.168.10.254

> family-block.dns.adguard.com
Server:  fw.mydomain.com
Address:  192.168.10.254

*** fw.mydomain.com can't find family-block.dns.adguard.com: Non-existent domain
> standard-block.dns.adguard.com
Server:  fw.mydomain.com
Address:  192.168.10.254

Non-authoritative answer:
Name:    standard-block.dns.adguard.com
Address:  176.103.130.133
#8
If Unbound is disabled completely, then how do DNS resolutions happen in OPNsense?
The only option I assume will work is having DNS entries in System | Settings | General.
I will have to throw the query to AG support or see in the forum if anyone has a similar issue.

I want to know one thing: can AGH work without Unbound? If yes, then what are the settings and ports to be used?
#9
Quote from: cookiemonster on January 19, 2022, 11:58:39 PM
Is ADG installed on the OPN device (so ports need to not conflict) or different host. I'll show you mine:
dhcp clients --> AGH on OPN : 53  --> Unbound on OPN : 5353  --> Stubby on OPN : 853 --> DoT resolvers on internet.

I have a similar flow, except instead of Stubby I have Unbound.
In OPNsense
System | Settings | General DNS Servers are blank
Unchecked:
Allow DNS server list to be overridden by DHCP/PPP on WAN
Do not use the local DNS service as a nameserver for this system

In Unbound
Listen Port:8383
Network Interfaces: All
Enable DNSSEC Support=Unchecked
Register DHCP leases=Checked
Register DHCP static mappings=Checked
DNS over TLS= Cleanbrowsing DOT over 853 added, but Disabled


In AGH
Listening port 53

Under General Settings
Block domains using filters and host file=Checked
Use safe search=Checked

Under Upstream DNS servers
tls://dns-family.adguard.com:853
[/fw.mydomain.com/]192.168.50.254:8383

Parallel request=selected

Bootstrap DNS servers
192.168.50.254:8383

Private reverse DNS servers
Blank

use private rDNS resolver = Checked
enable reverse resolving of client's IP address=Checked


Under Setup Guide All these are listed
Configure your devices
To start using AdGuard Home, you need to configure your devices to use it.
AdGuard Home DNS server is listening on the following addresses:
192.168.50.254 (Opnsense LAN)
192.168.8.200 ( Opnsense WAN)
192.168.10.254 (Opnsense WiFi physical Interface connected to AP)
::1
127.0.0.1
https://fw.mydomain.com/dns-query
tls://fw.mydomain.com.com:853
quic://fw.mydomain.com.com:784

Under Encryption Setting
Enable Encryption=Checked with Cert Status Valid

With all these settings everything works fine.

Now the problem starts if I enable
Use Adguard browsing web service
Use Adguard parental control web service
With both or either enabled, "DNS request timed out" occurs.

I cannot understand why enabling these options causes the DNS issue.
#10
Thanks again.
Now I'm testing by not using DoT in Unbound and letting AGH handle it.
So in the AGH upstream DNS servers should I remove 192.168.50.254:8383 or add only the DoT of my choice, or both, i.e.
tls://family.cloudflare-dns.com:853
192.168.50.254:8383
dnsleak shows Cloudflare as well as my ISP. Why? Or have I set it up wrongly?
Also I tested with parental control enabled, and again the Internet went down.

#11
Quote from: Superduke on January 19, 2022, 04:43:56 PM
I'm still a bit confused as to why cleanbrowsing is needed here given it seems to replicate alot (if not all) of what AGH does for you....

What will the settings be if Unbound is disabled? No more DoT IP used, i.e. Cleanbrowsing.
OPNsense + AGH only.
In this case how will OPNsense forward the DNS request? There should be a DNS server somewhere.
#12
@cookiemonster thanks,
Here is my AdGuard yaml file.
I have just removed the password string and modified the domain name.
This is the working config. You will see below
parental_enabled: false
safesearch_enabled: true
safebrowsing_enabled: false

No issues with the Internet. The issue occurs if either of parental_enabled and/or safebrowsing_enabled is true.
So I'm trying to understand whether it is related to Unbound DNS over TLS or, as you mentioned, the IP:Port used in AGH, but below it's 53 for DNS and in Unbound I have set it to 8383.

Is there an AGH port issue or an Unbound issue?

bind_host: 0.0.0.0
bind_port: 8443
beta_bind_port: 0
users:
- name: root
  password: ----Removed------
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
debug_pprof: false
web_session_ttl: 720
dns:
  bind_hosts:
  - 0.0.0.0
  port: 53
  statistics_interval: 30
  querylog_enabled: true
  querylog_file_enabled: true
  querylog_interval: 720h
  querylog_size_memory: 1000
  anonymize_client_ip: false
  protection_enabled: true
  blocking_mode: default
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
  - 192.168.50.254:8383
  upstream_dns_file: ""
  bootstrap_dns:
  - 192.168.50.254:8383
  all_servers: true
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
  - version.bind
  - id.server
  - hostname.bind
  trusted_proxies:
  - 127.0.0.0/8
  - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet: false
  max_goroutines: 300
  ipset: []
  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: true
  safebrowsing_enabled: false
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services:
  - 9gag
  upstream_timeout: 10s
  local_domain_name: mydomain.com
  resolve_clients: true
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
  - 192.168.50.254:8383
tls:
  enabled: true
  server_name: fw.mydomain.com
  force_https: true
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  strict_sni_check: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /var/etc/acme-client/home/fw.mydomain.com/fullchain.cer
  private_key_path: /var/etc/acme-client/home/fw.mydomain.com/fw.mydomain.com.key
filters:
- enabled: true
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard DNS filter
  id: 1
- enabled: true
  url: https://adaway.org/hosts.txt
  name: AdAway Default Blocklist
  id: 2
whitelist_filters: []
user_rules:
- ' - https://hosts.netlify.app/Pro/adblock.txt'
- ' - https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt'
- ' - https://block.energized.pro/ultimate/formats/hosts.txt'
- ' - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt'
- ' - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'
- ' - https://hosts.oisd.nl/'
- ""
dhcp:
  enabled: false
  interface_name: ""
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
clients: []
log_compress: false
log_localtime: false
log_max_backups: 0
log_max_size: 100
log_max_age: 3
log_file: ""
verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 12
#13
Yes, it's working now.
I'm confused whether I need to add the AGH DNS DoT IPs in Unbound DNS over TLS or in AGH DNS Upstream.
Right now the working settings are:
In Unbound I have added Cleanbrowsing IPs over 853
In AGH Upstream I have added the OPNsense IP over 8383
I just tried to test by enabling parental control and safe browsing. The Internet stopped working.
I unchecked them, and the Internet is working.

From the AGH yaml, current config:

  filtering_enabled: true
  filters_update_interval: 24
  parental_enabled: false
  safesearch_enabled: true
  safebrowsing_enabled: false
#14
Thanks for assisting.
I've gone through the shared post.
Everything looks ok as per the setup guide.
But I haven't come across anyone reporting the web service protection issue which I'm facing.
Are all AGH features free, or is there anything commercial involved?
Where can I share this issue, if there is no further help from the OPNsense forum?
#15
Quote
1) There is no reason to have NAT port forwarding or special rules set.

I will test all the NAT rules later if AGH is working. I hope no host will use its own DNS addresses.

Quote
2) The only thing you need to really setup in Unbound is the new listening port...I use 53530.....(5353 in your case...but maybe there's a conflict for you, so maybe try a different one)

I will test with a new port, but I'm sure I'm not using 5353 elsewhere.

Quote
3) Only need to put your OPNSense IP:Port in the upstream and bootstrap....the other WIFI one (which I presume is a VLAN??) isn't needed if it is a VLAN....or even if it's not really....since Unbound will listen on the OPNSense IP and Port....make sure the WIFI interface is listed in the Setup Guide tab of AGH though.

WiFi is not a VLAN. It's physically connected from OPNsense to the WiFi AP port (see attached).

Quote
Did you try the test button in AGH?
Yes, all tests are successful.

Quote
Also...did you try different configs of safe search and secure web service being checked and unchecked?  Try both unchecked first and see if that helps.

See attached AGH current settings. With these options checked all is ok. As soon as I enable web service protection (highlighted in the attachment) the Internet doesn't work. I have tried enabling both at the same time and each separately.

IPS is disabled.

Where are the AGH logs to check why DNS requests are failing with these 2 web service features?