Messages

1

23.7 Legacy Series / Re: I Can't Forward to My Local DNS Server

« on: January 24, 2024, 05:50:33 pm »

IT WAS REBIND PROTECTION THE WHOLE TIME

ANSWER:
I just used UnboundDNS and went to services -> unbound -> advanced -> Rebind protection networks

I removed the entry where it says 192.168.0.0/16. This solved the issue and there is no need to muck with the firewall rules or anything like that.

I looked at the possible settings on DNSmasq and there is no configuration for rebind protection. And I know for a fact that it does enforce some protection since there was a log entry that mentioned

Warning   dnsmasq   possible DNS-rebind attack detected: my.domain

I think if you're really determined to solve it on DNSmasq, you can ssh and change the configuration files directly.

MY LIFE'S STORY:
I was trying for so long to get Unbound and DNSmasq to forward but they both were blocking answers to my local network. The main reason that I even had the local DNS server is to resolve my local services to my local servers. This makes everything much smoother for example, on my phone. But I think that the default is to block answers to local addresses so that no one intercepts the local DNS server and forwards to a man-in-the-middle. I think that it's a crazy idea unless you have a public network accessible to anyone. But on OPNSense, you have all of the control on the LAN and if someone somehow intercepts your DNS queries in the LAN, you're already toast. But that's just me. I hope this helps someone else.

2

23.7 Legacy Series / Re: I Can't Forward to My Local DNS Server

« on: January 08, 2024, 02:20:00 pm »

I tried that and unfortunately it doesn't work. I don't think that the issue is the NAT but something else. Because from wireshark, I can see that the clients are being redirected to the correct nameserver but the problem is that they all hang for some reason.

As for the source address, I did that because the NAT would redirect the nameserver to itself so it can't try to resolve something that it's not authoritative on. So I can't really keep it at the default.

3

23.7 Legacy Series / Re: I Can't Forward to My Local DNS Server

« on: January 07, 2024, 01:51:29 pm »

This is the DNS rule

Interface: LAN
Protocol: TCP/UDP
Source / Invert: Yes
Source: ! dns_server
Source Port Range: any
Destination / Invert: yes
Destination: ! dns_server
Destination Port Range: dns
Redirect target IP: dns_server
Redirect target port: DNS
Pool Options: Default
Filter rule association: Add associated rule

I that a good format for the rule? If you have a way for me to export the rule into text I can do that instead or post a screenshot. I tested the rule by doing the command nslookup on my machine and specifying the gateway as my nameserver like this
nslookup my.local.domain 192.1681.1
I was first looking at the firewall live log but it was showing nothing when I chose "action is nat" so I used wireshark instead. I will attach a screenshot with the result of the nslookup command and it does show that the device then started talking to the dns server but this is the result of the command
$ nslookup my.local.page 192.168.1.1
;; communications error to 192.168.1.1#53: timed out
;; communications error to 192.168.1.1#53: timed out
;; communications error to 192.168.1.1#53: timed out
;; no servers could be reached

I have another rule to test for something like HTTP and it's the exact same. The rule is
Interface: LAN
Protocol: TCP/UDP
Source / Invert: No
Source: any
Source Port Range: any
Destination / Invert: no
Destination: unused_random_ip
Destination Port Range: HTTP
Redirect target IP: web_server
Redirect target port: HTTP
Pool Options: Default
Filter rule association: Add associated rule
The exact same thing happens where it says that the connection cannot be made.

4

23.7 Legacy Series / Re: I Can't Forward to My Local DNS Server

« on: January 06, 2024, 01:10:07 pm »

I have followed the article to a tee before but it's still not working

5

23.7 Legacy Series / Re: I Can't Forward to My Local DNS Server

« on: January 06, 2024, 10:53:49 am »

The NAT rule is like this now

Interface: LAN
Protocol: TCP/UDP
Source / Invert: Yes
Source: ! dns_server
Source Port Range: any
Destination / Invert: yes
Destination: ! dns_server
Destination Port Range: dns
Redirect target IP: dns_server
Redirect target port: DNS
Pool Options: Default
Filter rule association: Add associated rule

It still doesn't work. I think something is wrong with my NAT configuration or something. I tried another rule to forward everything that was destined to a random unused IP to my webserver. But nothing happens when I try it.

Interface: LAN
Protocol: TCP/UDP
Source / Invert: No
Source: any
Source Port Range: any
Destination / Invert: no
Destination: unused_random_ip
Destination Port Range: HTTP
Redirect target IP: web_server
Redirect target port: HTTP
Pool Options: Default
Filter rule association: Add associated rule

Applied and nothing happens when I put in the IP on the browser http://unused_ip. It just times out.

6

23.7 Legacy Series / I Can't Forward to My Local DNS Server

« on: January 05, 2024, 11:24:26 pm »

I have a local DNS before I installed OPNSense. I want to forward all requests that are going to OPNSense to go that server. I tried many ways to do that.

I created a NAT rule where it looks for all requests that are NOT originating from the DNS server and forwards the packet to the DNS server. But that causes a timeout for some reason. I can't even see the connection on the live view on the firewall being made.

I tried to use unbound as a forwarder and gone to services->unbound DNS->forward queries and put an entry with an empty domain. It says that it should forward all queries to the specified server but it's as if nothing happened. Although here I can see a connection being made on the firewall. It's just that the names that I set on the server are not being resolved for some reason. Other names are OK like kernel.org and other external domains.

I tried to put in the DNS server on system->settings->general and enabled DNSMasq but that didn't work either. Same as unbound.

Any ideas on how I can fix that?