Messages - New_User

#1
Admin - please feel free to move this thread to General Discussion (which may be a more appropriate place for it)
***

Hi all,

I need some help with my DNS configuration.

It seems that while I was busy with configuring a new VLAN + VPN connection, I broke something accidentally... Given the many changes I've made during the process, I think it would be a good idea to review my main settings before we dig any deeper :)

My setup is as follows:

1) OPNsense (24.7.10_2) acts as DHCP server
2) Pi-hole@Raspberry-pi runs as a DNS server (unbound)
3) I have several VLANs (one of them uses an external DNS server, the rest use pi-hole)

My settings are:

1) My pi-hole set as the first DNS server on the list under System → Settings → General (Networking) with no gateway. As a backup I have a few external DNS servers (quad9) on the list.

* I forced it not to jump between DNS servers on the list by adding a conf file in /usr/local/etc/dnsmasq.conf.d with the following text:

# add the requesting client's MAC address (EDNS0) to every query forwarded upstream, external servers included
add-mac
# add the client's address as an EDNS client-subnet option, with a /32 prefix (the full address)
add-subnet=32
# try the upstream servers strictly in the order they are listed
strict-order


* Btw, IMHO, it should be the default option, unless a user explicitly selects (opt-in) that he wants it to ignore the order of the list. But it is another topic..

2) Unbound is disabled on OPNsense

3) DNSmasq is enabled on OPNsense (port 53)

* p.s. I enabled it on all the interfaces, LANs, VLANs and WANs, but frankly, I'm not sure that this is the right thing to do given my setup.

4) I set a specific DNS server under Services → ISC DHCPv4 (DNS servers) only for one VLAN. Clients on other VLANs should use the system's default DNS server – pi-hole (and if it's down, then one of the backup options: quad9 etc.)

5) Relevant firewall rules:
     i) All the clients are allowed to send DNS requests to pi-hole.
     ii) I have FW rules for all the interfaces that are supposed to intercept all DNS requests (port 53 only) going outside my local network and forward them to 127.0.0.1 (save for the VLAN with an external DNS and save for the pi-hole itself).

* * * * *
1) Before we dig any deeper, is there any flaw in the above configuration?

2) Is there anything special I need to pay attention to, like a must-have setting/FW rule?

Many thanks in advance!
#2
Just a quick update - under Services --> Dnsmasq DNS --> Settings, I checked the "DNS Query Forwarding - Query DNS servers sequentially" checkbox, and now it seems that the "strict-order" command is obeyed :-)

With respect to the FW rule that intercepts unwanted DNS queries from clients, I'll need to explore this technique a bit further to make sure that it works properly (I'm a bit confused as to the device that eventually should be sending the "permitted" inquiries to external DNS servers (Cloudflare or Quad9 in my example) - whether it should be the OPNsense device itself or the client directly).

Quote from: bartjsmit on April 26, 2024, 07:58:49 AM
DNS is not a security enforcement technique. It exists because wetware cannot remember IP addresses :)

Firewall (policy) sits in level-3 of your network - that means that everything is by IP address. If you want to restrict higher up in the stack, you need a proxy (like Squid for web access)

As a service to make life easier for your users, it's great. A dedicated user (e.g. a teenager) can by-pass your restrictions by SOCKS, DOH, VPN, etc. Since malware isn't (yet) at that level, you can reduce its impact with a filtering DNS server (like pi-hole).

Concentrate on making DNS fast (local) and available (resilience). DNS on your firewall is for your firewall to use. Give your users the servers they need by DHCP and allow those servers to resolve.

Thank you. Eventually I will use DHCP to distribute the relevant DNS servers among certain groups of users (VLANs).

However, I still receive (in the Dnsmasq DNS - Log File) the below warnings:

a) ignoring nameserver 127.0.0.1 - local interface
b) LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s);
c) LOUD WARNING: listening on MY-IP-ADDRESS may accept requests via interfaces other than pppoe0
d) possible DNS-rebind attack detected: pi.hole

Is there anything I can / should do to address these warnings?

Thank you all!
#3
Quote from: gspannu on April 23, 2024, 12:24:29 AM
Here is a solution... see if it works for you.

gspannu, many thanks for your detailed explanation! :)

I followed your instructions (to the best of my understanding), but it seems that the setup does not work as it is supposed to :-/

I guess I misconfigured something..

Under System → Settings → General I set the following three addresses (with no gateways):

1. pi-hole-ip
2. 1.1.1.1 (Cloudflare)
3. 9.9.9.9 (Quad9)

Gateway switching - Allow default gateway switching – not checked.

I left only one FW rule that intercepts any outgoing (external) DNS queries from clients and redirects them to 127.0.0.1#53 (btw, is this the right method of achieving this goal?)

Afterwards, I performed the following test:
I disconnected my pi-hole from the AP to force clients to use the second in line DNS server (1.1.1.1 in my example) and rebooted my OPNsense and my AP.

However, when I perform a test for DNS leaks via a browser, in the results I see two servers – one for Cloudflare and one for Quad9. Now, if the second DNS server (Cloudflare) is reachable and responsive, why is the third server (Quad9) being contacted? I repeated this test many times, and even when my pi-hole was up, the second and third DNS servers were used..

Another thing, according to the information available under Services → Dnsmasq DNS → Log File, it seems that all the DNS servers are used at the same moment:
- Informational – dnsmasq - using nameserver 9.9.9.9#53
- Informational – dnsmasq - using nameserver 1.1.1.1#53
- Informational – dnsmasq - using nameserver PI-HOLE-IP#53

In addition, according to the log file, I get warnings of three types:

a) ignoring nameserver 127.0.0.1 - local interface
b) LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s);
c) LOUD WARNING: listening on MY-IP-ADDRESS may accept requests via interfaces other than pppoe0

Is it normal?

Again, thank you very much!
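The warnings quoted in posts #2 and #3 are standard dnsmasq messages, and each one has a specific meaning and a specific remedy. The following is an added example, not code from the posts or from OPNsense: it walks a constructed log sample (modelled on the lines quoted above, with 192.0.2.10 standing in for the Pi-hole address) and maps each line to what it means and what to change. The remedies are dnsmasq's own documented options (rebind-domain-ok, bind-dynamic) and the dnsmasq interface selection that post #1 mentions enabling on WAN; no OPNsense GUI option names beyond that are assumed.

```python
import re

# Constructed sample log, modelled on the dnsmasq lines quoted in the posts above.
# MY-IP-ADDRESS and pppoe0 are kept as the poster wrote them; 192.0.2.10 stands in for the Pi-hole.
SAMPLE_LOG = """\
dnsmasq: using nameserver 9.9.9.9#53
dnsmasq: using nameserver 1.1.1.1#53
dnsmasq: using nameserver 192.0.2.10#53
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
dnsmasq: LOUD WARNING: listening on MY-IP-ADDRESS may accept requests via interfaces other than pppoe0
dnsmasq: LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s);
dnsmasq: possible DNS-rebind attack detected: pi.hole
"""

# (pattern, severity, what the line means, what to change). The remedies are dnsmasq's own
# options (bind-dynamic, rebind-domain-ok) plus the interface selection for dnsmasq on the firewall.
RULES = [
    (re.compile(r"using nameserver (?P<server>[^#\s]+)"), "info",
     "upstream loaded from the resolver list when dnsmasq (re)starts; one line per server, "
     "not a sign that every query is sent to all of them",
     "nothing; with strict-order the listed order is followed"),
    (re.compile(r"ignoring nameserver 127\.0\.0\.1 - local interface"), "warning",
     "127.0.0.1 is in the upstream list but dnsmasq itself listens there, so it is skipped to avoid a loop",
     "remove 127.0.0.1 from the resolvers handed to dnsmasq; the NAT redirect of client port-53 "
     "traffic to 127.0.0.1 is unrelated and can stay"),
    (re.compile(r"LOUD WARNING: listening on (?P<addr>\S+) may accept requests via interfaces other than (?P<iface>\S+)"),
     "security",
     "dnsmasq is bound to a public address (the WAN/pppoe0 address) with bind-interfaces, so it is "
     "reachable from the Internet as an open resolver",
     "deselect the WAN interface in the dnsmasq interface list; an Internet-facing open resolver "
     "can be abused for amplification"),
    (re.compile(r"LOUD WARNING: use --bind-dynamic rather than --bind-interfaces"), "security",
     "companion to the previous warning, printed once when any public address is bound",
     "same fix: stop listening on WAN (dnsmasq's suggested bind-dynamic is an alternative where supported)"),
    (re.compile(r"possible DNS-rebind attack detected: (?P<name>\S+)"), "warning",
     "the upstream (Pi-hole) answered this name with a private address and dnsmasq's rebind "
     "protection discarded the answer, because that is what a rebinding attack looks like",
     "allow-list the trusted local name, e.g. rebind-domain-ok=/pi.hole/ in the dnsmasq.conf.d file"),
]

def triage(log_text: str) -> list[dict]:
    """Classify each log line by the first matching rule; unknown lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        for pattern, severity, meaning, fix in RULES:
            match = pattern.search(line)
            if match:
                findings.append({"severity": severity, "line": line, "meaning": meaning,
                                 "fix": fix, **match.groupdict()})
                break
    return findings

def summarize(findings: list[dict]) -> dict:
    """Count findings per severity so the security ones stand out."""
    counts: dict = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for item in results:
        print(f"[{item['severity']}] {item['line']}")
        print(f"    meaning: {item['meaning']}")
        print(f"    fix:     {item['fix']}")
    print(summarize(results))
```

Read the two security lines together: they are triggered by the WAN interface being included in the dnsmasq interface list, which makes the firewall answer DNS on its public address. The "using nameserver" lines are printed for every server dnsmasq loads and do not by themselves show that all upstreams are queried at once.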
#4
Quote from: bartjsmit on April 23, 2024, 07:47:40 AM
Remember that certain clients (*cough Windows *cough) will only consider a DNS server unavailable when it stops pinging. A dual DNS server is more for updating one at a time without an outage. A load balancer will give you high availability for partial failures.

Thanks. Noted.

Quote from: bartjsmit on April 23, 2024, 07:47:40 AM
There are good arguments for having separate servers for different services. The built-in DHCP/DNS/Squid in OPNsense are there to provide a drop-in replacement for ISP routers IMHO. There are many posts in this forum about on-board WiFi from that same perspective.

Ars did a good article about this recently https://arstechnica.com/information-technology/2024/02/doing-dns-and-dhcp-for-your-lan-the-old-way-the-way-that-works/ I reckon the pi-hole makes a better DHCP than OPNsense but a dedicated server (or container) trumps both. It is also a good learning experience.

I've heard arguments for having separate servers, but frankly, I'm not knowledgeable enough in this regard to make any smart decisions (save for the basic stuff) that will be appropriate in my use case. But I will do some research on this.

Thanks for the link! It seems like a very good and interesting article. I'll read it once I find some time.

Thank you.
#5
Quote from: littlepepper on April 22, 2024, 11:55:19 PM

You can try this: https://labzilla.io/blog/force-dns-pihole (it is actually mostly NAT)

Also if you run more than 1 pihole consider gravity sync or other syncing utilities.

Thank you! Actually I used the above page when I configured my setup. Using syncing utilities is my next step, but first I would like to have a stable setup, so I can take my time and learn how to improve it  :)
#6
Hi Bart,

Thank you for your response and sorry for not replying sooner.

I don't mind buying a second raspberry pi as a backup, but I'm not sure that I fully understood your suggestion.

It is my understanding that I have two places in OPNsense where I can configure DNS:

1) System --> General --> DNS servers + gateways

2) Services --> DHCPv4 --> DNS servers

You mentioned the second option, which I prefer, because it allows me to set a specific DNS for each VLAN.

However, under Services --> DHCPv4 --> DNS servers, there are only two fields to specify 2 DNS servers (not three).

Probably it was not clear from my post, so it is worth noting that the DHCP server runs on my OPNsense (and not on my pi-hole).

In any event, how do I force applications with hard-coded DNS addresses to go through specific DNS servers (in my case: pi-hole no. 1 & pi-hole no. 2, if the first one is down) without firewall rules? And if I need firewall rules for that, how do I set FW rules to redirect DNS queries to one of the two DNS servers (whichever is up)?

Thank you again!
#7
Quote from: firewall on March 06, 2024, 04:38:55 AM
so...did it not work?

DNS on pi-hole works and it has been running since then :) but this is not what fixed the DNS issue in OPNsense itself.

Quote from: firewall on March 06, 2024, 04:38:55 AM
...which led you to try this instead?
I read somewhere about DNS hijacking by default by vpn providers and decided to eliminate this possibility.

Quote from: firewall on March 06, 2024, 04:38:55 AM
you didn't
You are right, I learned a lot during the process :)

Thanks again for your help!
#8
Hi all,

I need your help with configuring a failover mechanism (firewall rules) in case my Pi-hole goes down.

Background:

I outsourced all the DNS resolutions from my OPNsense to my Pi-hole (runs unbound).

I would like to set up a backup DNS solution if my Pi-hole goes down – whether configuring an unbound service on the OPNsense itself or just using an external DNS provider (cloudflare or similar).

Currently I have only the following rules:

i) rule no. 1 – redirects all DNS requests from port 53 on OPNsense to Pi-hole (port 5335)
ii) rule no. 2 - intercepts any outgoing DNS queries and redirects them to Pi-hole (port 5335)

The issue is that I do not know how (assuming it is possible) to use conditions within FW rules (if IP1 is down, forward it to IP2).

Any help would be highly appreciated.

Thank you in advance!
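A NAT rule cannot test whether its target is alive, so the conditional forward asked for in this post (and in post #6, two Pi-holes with whichever one is up) is normally done by a probe that decides which resolver currently answers, with the result fed into whatever switches the redirect target. The block below is an added example, not code from OPNsense or from the thread: it builds a one-question DNS query in wire format, checks the reply's transaction id and rcode, and walks a candidate list in strict order. `fake_send`, the name example.com and the addresses 192.0.2.10 (a Pi-hole that does not answer) and 198.51.100.1 are constructed so the script runs offline; pass `udp_send` instead to probe real resolvers.

```python
import random
import socket
import struct
from typing import Callable, Optional

# A transport takes (server, payload, timeout) and returns the reply bytes or None.
Transport = Callable[[str, bytes, float], Optional[bytes]]

def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Encode a single-question DNS query (A record by default) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header; raises on truncated packets."""
    if len(data) < 12:
        raise ValueError("truncated DNS packet")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x0F, "answers": an}

def udp_send(server: str, payload: bytes, timeout: float = 1.5) -> Optional[bytes]:
    """Real transport: one UDP datagram to port 53, None on timeout or socket error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(payload, (server, 53))
            return sock.recv(4096)
        except OSError:  # socket.timeout is a subclass of OSError
            return None

def is_healthy(server: str, name: str, send: Transport, timeout: float = 1.5) -> tuple:
    """Probe one resolver; returns (healthy, reason)."""
    txid = random.randrange(0, 0x10000)
    reply = send(server, build_query(name, txid), timeout)
    if reply is None:
        return False, "timeout"
    try:
        hdr = parse_header(reply)
    except ValueError as exc:
        return False, str(exc)
    if hdr["txid"] != txid or not hdr["is_response"]:
        return False, "unexpected packet"  # id mismatch: a stray or forged reply, not our answer
    if hdr["rcode"] != 0 or hdr["answers"] == 0:
        return False, f"rcode={hdr['rcode']} answers={hdr['answers']}"
    return True, "ok"

def pick_resolver(candidates, name: str = "example.com", send: Transport = udp_send, timeout: float = 1.5):
    """Strict-order failover: the first candidate that passes the probe wins; returns (winner, skipped)."""
    skipped = []
    for server in candidates:
        ok, why = is_healthy(server, name, send, timeout)
        if ok:
            return server, skipped
        skipped.append((server, why))
    return None, skipped

# Constructed offline transport standing in for the network: 192.0.2.10 plays a dead Pi-hole,
# anything else answers with a synthetic A record. Addresses are documentation ranges, not real hosts.
def fake_send(server: str, payload: bytes, timeout: float = 1.5) -> Optional[bytes]:
    if server == "192.0.2.10":
        return None
    txid = payload[:2]          # echo the query id, as a real resolver would
    question = payload[12:]     # echo the question section
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 7])
    return txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question + answer

if __name__ == "__main__":
    winner, skipped = pick_resolver(["192.0.2.10", "198.51.100.1"], send=fake_send)
    print("use resolver:", winner, "skipped:", skipped)
```

The transaction-id check matters in a probe like this: a reply with the wrong id is discarded rather than counted as healthy, so a stray or forged datagram cannot mark a dead resolver as alive. How the chosen address is then applied (a second NAT rule, an alias update, a dnsmasq server list with strict-order) is not shown in the thread, so nothing is assumed about it here.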
#9
Just a quick update.

Firewall, further to your suggestion, I outsourced the DNS resolutions to a pi-hole (running unbound), which I installed on a 12-year-old Raspberry pi 1 :)

However, it is my understanding that the trick that solved the issue for me was reconfiguring the WG connections from scratch (on second thought, I suspect that the issue was a conflict between the unbound running on OPNsense and the vpn provider's DNS).

I can't believe I spent so much time looking for a solution in all the wrong places.. 

P.s. Now I should test it with unbound running on OPNsense.

Thanks again.
#10
firewall, thank you for your response!

Quote
generally speaking, you'd spare hair follicles and/or restful sleep by moving resolution elsewhere on your lan. there are countless ways to skin that cat, clearly, but i've had near zero problems with pi-hole running a local instance of unbound.
I always thought that Pi-hole would be overkill for me, but given the time I already spent on trying to solve this issue and the fact that currently (as far as I know) there is no solution for that problem, perhaps trying Pi-hole is not such a bad idea after all... I just doubt it will run properly on my 10-year-old raspberry pi :)

Quote
this blog attempts to clarify how the different components of / config options for, dns resolution on opnsense, interoperate. have a look if you haven't already but fwiw i surmised that dns subsystems on opnsense are convoluted at best and bordering on broken either way.
I've seen this blog before, but I will read it to make sure I'm not missing anything. Thanks.

Quote
that said, you can (probably) hack something together that'll function...
- have you defined a gateway for the vpn?
Yes, I have defined a gateway for the vpn.

Quote
i couldn't understand from your post of "without setting a static ip" was intended behavior or merely the outcome of whichever tutorial you followed.
You're right, it was not very clear. I did follow a tutorial according to which there is a need to assign a static ip to an interface, but this option was removed in one of the recent OPNsense versions. However, it is my understanding (after reading the discussion on github I referred to - https://github.com/opnsense/core/issues/5329), that setting a static ip was the trick that allowed this setup to work.. But there is a chance that I misunderstood it...
Quote
- option 1: set a static route (system > routes > configuration) for the ip addresses corresponding to your dns forwarder (e.g. 9.9.9.9), specifying the vpn gateway.
I hope that I understand your suggestion correctly - under network, I configured my vpn provider's DNS address (/32) and under gateway I selected the relevant vpn gateway. Unfortunately, it did not work.

Quote
-option 2: revise gateway priorities to, in essence, force opnsense to choose your vpn gateway(s) as default (e.g. VPN_GW priority 100, WAN_GW priority 255). i'd advise this regardless if you're mitigating most wan traffic being sent in the clear.
That's a very interesting idea that I did not think about. However, it did not solve the problem, and ping times went through the roof (ping to a specific ip address works). I tried playing with it a bit, but perhaps I should give it another try.

Quote
be sure you've configured static routes for your vpn endpoints such that their traffic is sent via wan.
Yep, I did configure static routes for my vpn endpoints via wan.

I'm open to any other ideas / suggestions :)

Thank you again!
#11
Hi all,

In previous versions of OPNsense, it was possible to assign a static ip to a WG interface, and by doing so, it was possible to make Unbound use WG tunnels rather than the system's DNS.

However, since this option was canceled in one of the recent OPNsense updates (not sure which one, but it didn't work in 23.7.9), I cannot force Unbound to use the WG tunnel anymore.

I've read a very interesting discussion on this topic on github https://github.com/opnsense/core/issues/5329, but in my case, setting a floating FW rule as suggested therein did not solve the problem.

Is it still possible to force Unbound to use the WG tunnel?

Additional information:

- I use an external VPN provider.
- I configured VIPs and appropriate Gateways.
- When I change the Outgoing Network Interfaces (under Unbound DNS -> General) to a non-WG interface, Unbound works (with DNS leaks..).

Any idea / help would be highly appreciated :)

Thank you.
#12
Hi and thanks for your reply!

Yep. I set different IP ranges, but the idea is the same.

It is worth mentioning, that sometimes, for an unexplained reason, it just works (without disconnecting the other LAN connection).  At this specific moment, it works, but yesterday it did not work.  :-\

Thank you.

#13
Hello all,

I'm a new OPNsense user, so apologies for the noobish questions :)

I installed OPNsense on a 4-port Topton mini pc I purchased from Aliexpress.

Save for the fact that it gets VERY hot under normal load, I'm quite happy with it.

However, recently I decided to connect my laptop directly to the Topton mini pc, and it turned out that at any given moment only one LAN port works (ETH1 or ETH2). I need to disconnect one of them from the OPNsense machine (Topton) so the second one will have internet access (or even access to OPNsense itself).

ETH0 is the WAN port.
ETH1 goes to the AP.
ETH2 goes to my laptop (this is the new interface I configured recently).

It seems that both of the interfaces (ETH1 and ETH2) provide a valid IP address in the configured range, but until I disconnect one of them, there is no internet access on either of them (and while both of them are connected I cannot access the OPNsense interface).

* I did change many settings on the ETH1 interface (to work with VLANs, VPN etc), but I'm not sure why it should have any effect on a separate interface (ETH2).

** I understand that there is no bridge by default between the interfaces, but this is not what I'm trying to achieve.

What can be the issue? Where should I start looking for a solution?

Any help would be highly appreciated!

Thank you.