Messages - TopherIsSwell

#1
So additional update.

Quote from: pmhausen on August 18, 2022, 06:20:52 AM
You can still add custom configuration to Unbound in a supported way:
https://docs.opnsense.org/manual/unbound.html#advanced-configurations
I can't (to my knowledge) use this facility to cancel out the line `private-address: 10.0.0.0/8`. And this line is always added (addendum below).

Quote from: tuto2 on August 18, 2022, 09:56:07 AM
In Unbound -> Blocklists, there is the option to set private-domains and insecure-domains. These do not apply only to blocklists and are global instead. Make sure you manually restart Unbound after Downloading & Applying.
This didn't work for me, because the list of domains to allow-list is numerous, ~300 that I know of, but more come and go daily. What I need is to allow-list the private IP range that they resolve to (10.0.0.0/8 in my case).

...

So, I found that the line in question is generated from this file: /usr/local/etc/inc/plugins.inc.d/unbound.inc
For a short time, I changed this and marked it immutable, but updating the unbound service wants to update this file (and I probably want to allow that). So, now I think I've tracked down that the PHP includes that block of configuration when this is true:
if (!isset($config['system']['webgui']['nodnsrebindcheck']))

So I edited `/usr/local/etc/config.xml` (which I _think_ is the correct place) and added a `nodnsrebindcheck` attribute under system.webgui (see attachment for context). I restarted the webgui and unbound (in that order), but no love. Either this is the wrong place to configure this or restarting the webgui doesn't bounce (or reload) the PHP service. I'll test a full restart of the box in the next downtime window to see if this works. But if anyone knows where `$config['system']['webgui']['nodnsrebindcheck']` comes from and where I can configure it persistently, I would trade good vibes for that information.

Cheers,
Christopher

#2
General Discussion / Re: How can this happen?
July 02, 2022, 12:38:38 AM
Port scanning is a fact of life for anything connected to the Internet. Several of the scanners have agreements with your ISP to allow scanning of their address space and that is the price you pay for their services. Services like Censys and Shodan are helpful in Internet security research and actually help limit the number of port scans going on because researchers and "would-be hackers" can use this information here instead of running their own scan.

All that said, you should be able to block the subnet in question with a firewall rule in OPNsense. The traffic will still reach the OPNsense box, but you can ensure that the traffic is stopped there and not forwarded to services on the OPNsense box or to boxen "behind" OPNsense.

If I understand correctly, you would want to go to "Firewall" -> "Rules" -> "WAN" (or whichever is the name of the upstream interface being scanned). Then you would add the rule set to "BLOCK" for that IP range. If you've done this and it's not working, could you post a screenshot of your rule or dump the firewall config and post that? Then we can help you troubleshoot and identify if this is a bug in need of fixing.

Cheers!
Topher

#3
I sent 25 USD out to y'all. Perhaps not much, but hopefully it helps. I appreciate all you do, and thank you for your hard work.

#4
Thank you, pmhausen. I appreciate you looking into this.

#5
General Discussion / Re: plugins tab
July 01, 2022, 10:19:22 PM
What happens when you click on "Greffons"?

#6
tldr: I'm trying to allow Unbound to resolve 10/8 IP addresses for public domains. Does anyone know how the unbound config is generated in OPNsense?

Using:
OPNsense 22.1.9_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1o 3 May 2022

I prefer to have my DNS records authoritative and I hate having spoofed records on the local LAN to return private IP addresses. Thus I publish private IP addresses in A records on public domains. I'm perfectly willing to hear arguments on why you think this is a terrible idea, but please point to some viable attack chain instead of just telling me it's bad because you read it on a blog somewhere. I realize there are risks as it sets the precedent for a rebinding attack, but this is a risk I'm willing to accept in exchange for administration simplicity and not compromising DNSSEC.

There doesn't seem to be a setting in the web UI, so I commented out the following lines in `/var/unbound/unbound.conf`:
private-address: 10.0.0.0/8

This works; however, when unbound is reloaded by OPNsense (after an update, reboot, or clicking the reload button in the web UI), the config file is rebuilt from scratch, blowing away my local changes. I'm wondering where/how this config is generated so I can edit the template process to allow private IP resolution.

Currently, I just have a hack of marking the config immutable, but it seems this will bite me in the butt some day. Any ideas? Or interest in making this configurable upstream?
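The two Unbound directives this thread revolves around (`private-address`, which strips RFC1918-style answers for public names as a DNS rebinding defence, and `private-domain`, which exempts a zone and everything below it) can be modelled in a few lines, which makes it easy to see how much of the protection a given allow-list gives up. The script below is an added example written for this page; it is not code from OPNsense, Unbound or the poster. It re-implements the documented filtering rule in simplified form, derives the `private-domain` zones that would cover a list of observed names (collapsing each name to its last two labels, which assumes the operator controls those apex zones and ignores public-suffix subtleties), and renders the resulting config lines. The address ranges other than 10.0.0.0/8 and all sample answers are constructed for the example.

```python
"""Simplified model of Unbound's DNS-rebinding filter.

Rule modelled (from unbound.conf(5)): an address record whose address lies in
a `private-address` range is removed from the answer, unless the query name
is at or below a `private-domain` entry. Example code only; not OPNsense's
or Unbound's implementation.
"""
import ipaddress
from typing import Iterable, List, Sequence, Set, Tuple

# Only 10.0.0.0/8 appears in the thread; the other ranges are constructed
# here to show that the same rule applies to IPv4 and IPv6 private space.
EXAMPLE_PRIVATE_ADDRESS = ["10.0.0.0/8", "172.16.0.0/12",
                           "192.168.0.0/16", "fd00::/8"]


def _name_under(qname: str, zone: str) -> bool:
    """True if qname equals zone or is a subdomain of it (case-insensitive)."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def is_private(address: str, private_address: Sequence[str]) -> bool:
    """True if the address falls inside any configured private range."""
    ip = ipaddress.ip_address(address)
    # Mixed-family comparisons (v4 address vs v6 net) are simply False.
    return any(ip in ipaddress.ip_network(n) for n in private_address)


def filter_answer(qname: str, addresses: Iterable[str],
                  private_address: Sequence[str],
                  private_domain: Sequence[str]) -> Tuple[List[str], List[str]]:
    """Return (kept, stripped) address lists for one answer.

    A name under a private-domain zone is exempt: the whole answer passes.
    Otherwise every private address is stripped and only public ones remain.
    """
    addresses = list(addresses)
    if any(_name_under(qname, z) for z in private_domain):
        return addresses, []
    kept, stripped = [], []
    for a in addresses:
        (stripped if is_private(a, private_address) else kept).append(a)
    return kept, stripped


def private_domains_needed(observed: Iterable[Tuple[str, str]],
                           private_address: Sequence[str] = EXAMPLE_PRIVATE_ADDRESS,
                           zone_labels: int = 2) -> Set[str]:
    """Zones to list as private-domain so every private answer survives.

    Each name that resolved to a private address is collapsed to its last
    `zone_labels` labels (assumption: those are zones the operator owns).
    Public answers need no exemption and are ignored.
    """
    zones: Set[str] = set()
    for qname, address in observed:
        if not is_private(address, private_address):
            continue
        labels = qname.rstrip(".").lower().split(".")
        zones.add(".".join(labels[-zone_labels:]))
    return zones


def render_unbound_snippet(private_address: Sequence[str],
                           private_domain: Iterable[str]) -> str:
    """Render the directives in unbound.conf syntax (sorted for stable diffs)."""
    lines = [f"private-address: {n}" for n in private_address]
    lines += [f'private-domain: "{z}"' for z in sorted(private_domain)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed observations: public names that resolve to 10/8 addresses.
    seen = [("app.corp.example.com", "10.1.2.3"),
            ("db.corp.example.com", "10.1.2.4"),
            ("www.example.com", "203.0.113.10"),
            ("vpn.example.net", "10.9.0.1")]
    zones = private_domains_needed(seen)
    print(render_unbound_snippet(EXAMPLE_PRIVATE_ADDRESS, zones))
    print(filter_answer("app.corp.example.com", ["10.1.2.3", "203.0.113.5"],
                        EXAMPLE_PRIVATE_ADDRESS, []))
    print(filter_answer("app.corp.example.com", ["10.1.2.3", "203.0.113.5"],
                        EXAMPLE_PRIVATE_ADDRESS, sorted(zones)))
```

Feeding the script a log of (name, answer) pairs shows the trade-off concretely: each `private-domain` zone re-enables rebinding only for names under that zone, whereas dropping `private-address` altogether (what clearing the rebind check does) removes the filter for every name the resolver answers.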