Messages - Azokul

#1

Hi,
I'm trying to understand how to set up Suricata with Unbound DNS on Opnsense.

Right now I'm using Unbound at 192.168.1.48:53 to serve the LAN.

I don't have hardware offloading, nor am I forwarding DNS. I also don't have DNS set up on the General tab.

I'm also not using "Allow DNS server list to be overridden by DHCP/PPP on WAN."

I'm testing the Facebook DNS rule with nslookup, but it never triggers an alert.

2025-03-01T21:14:34 Informational unbound [39188:3] info: reply from <facebook.com.>
2025-03-01T21:14:34 Informational unbound [39188:3] info: response for facebook.com. A IN
2025-03-01T21:14:34 Informational unbound [39188:3] info: resolving facebook.com. A IN
51000003 alert opnsense.social_media.rules social-media OPN_Social_Media - Facebook - DNS request for facebook.com

As far as I understand, after a little bit of research I think it might be related to the rules' behavior.
Localnet is on 192.168.0.0/16, but the rules expect an external request for !LOCALNET, which is definitely never true.
DNS requests (to my understanding) are sent via localnet to Unbound, which re-routes them to WAN for an external request.
So, realistically, my DNS request for facebook is always under Localnet if I'm monitoring LAN.

If I try on WAN instead I think I might get problems related to the fact that the WAN is a PPPoE connection, which doesn't really seem very well supported.
Any idea?
Thanks in advance
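To make the reasoning in post #1 concrete, here is an added example (not code from the thread or from OPNsense) that evaluates a Suricata-style rule header against the two DNS flows involved: the LAN client asking the firewall's Unbound, and Unbound's own upstream query on WAN. The rule headers, HOME_NET value and addresses are assumptions; the real OPN_Social_Media rule text is not shown in the thread, and payload keywords are not modelled.

```python
from ipaddress import ip_address, ip_network

# Assumed topology from post #1: HOME_NET is the LAN range and Unbound answers on 192.168.1.48.
HOME_NET = ["192.168.0.0/16"]

def in_home_net(ip):
    return any(ip_address(ip) in ip_network(n) for n in HOME_NET)

def addr_matches(spec, ip):
    """Evaluate a rule address spec: any, $HOME_NET, $EXTERNAL_NET or a CIDR, optionally negated."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec == "$HOME_NET":
        hit = in_home_net(ip)
    elif spec == "$EXTERNAL_NET":   # Suricata's usual default: everything outside HOME_NET
        hit = not in_home_net(ip)
    else:
        hit = ip_address(ip) in ip_network(spec)
    return hit != negate

def port_matches(spec, port):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or int(spec) == port
    return hit != negate

def header_matches(rule_header, src, sport, dst, dport):
    """Match one flow against a header 'alert <proto> <src> <sport> -> <dst> <dport>'.
    Only the header is modelled; body keywords such as dns.query are not evaluated."""
    _action, _proto, rsrc, rsport, arrow, rdst, rdport = rule_header.split()
    if arrow != "->":
        raise ValueError("only '->' headers are handled here")
    return (addr_matches(rsrc, src) and port_matches(rsport, sport)
            and addr_matches(rdst, dst) and port_matches(rdport, dport))

# Hypothetical header shapes: the thread names the Facebook rule but does not show its text.
EXTERNAL_ONLY = "alert dns $HOME_NET any -> $EXTERNAL_NET 53"
ANY_RESOLVER = "alert dns $HOME_NET any -> any 53"

# Constructed flows: a LAN client asking the firewall's Unbound, and Unbound's own upstream
# query leaving on WAN (203.0.113.5 and 198.51.100.53 are documentation addresses).
LAN_QUERY = ("192.168.1.20", 54321, "192.168.1.48", 53)
WAN_QUERY = ("203.0.113.5", 40000, "198.51.100.53", 53)

if __name__ == "__main__":
    print(header_matches(EXTERNAL_ONLY, *LAN_QUERY))   # False: both ends are inside HOME_NET
    print(header_matches(ANY_RESOLVER, *LAN_QUERY))    # True: a resolver-agnostic header sees it
    print(header_matches(EXTERNAL_ONLY, *WAN_QUERY))   # False: the WAN address is not in HOME_NET
```

The WAN case shows the second half of the problem: even if the PPPoE interface were monitored, the firewall's own upstream queries only match a `$HOME_NET` source if HOME_NET is extended to include the WAN address.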

#2
Hi,
I had Unbound DNS: Access Lists on Allow as the default action as I was doing tests, and servicing WAN while doing so was a bad idea.
I reset everything to Deny; on the General tab, under Network Interfaces, I simply left LAN and my VLAN and removed WAN.
#3
Is your unbound also serving WAN, and maybe you have ACL overrides?
Just as a personal reference: after I disabled WAN requests, my problems went away (I also increased the number of queries per thread).

Quote from: vrtigo1 on March 13, 2024, 05:57:14 PM
Quote from: CJ on March 13, 2024, 01:09:19 PM
Quote from: vrtigo1 on March 12, 2024, 02:27:10 AM
Quote from: CJ on March 08, 2024, 03:51:45 PM
What do you have under DNS server options on the General page?

Under system > settings > general > DNS servers I have 1.1.1.1 and 8.8.8.8.

Not DNS servers.  DNS server options.  The section below where the DNS servers are entered.

Nothing checked there.
#4
Hi,
I have had a problem where sometimes (usually in the peak moments of the day) DNS requests get a SERVFAIL for exceeded number of sends (it's usually 3-4 times a day).

Before upgrading to OPNsense 24.1.3_1-amd64 I didn't have this kind of problem.
I tried double-checking my setup just to be sure, but nothing there seemed out of place.

IPv6 is disabled overall, I'm using 8.8.8.8 or 1.1.1.1 as default DNS on Opnsense, with no override on LANs.

In unbound I don't have DNSSEC and I don't have query forwarding ON.

Every now and then I get SERVFAIL for exceeded maximum requests; I have up to 8000 concurrent requests at specific times of the day.
If I switch to dnsmasq I have no problems.

2024-03-13T15:30:01 Error unbound [87768:2] error: SERVFAIL <mi-speedtest.optimaitalia.com. A IN>: exceeded the maximum number of sends
2024-03-13T15:06:43 Error unbound [87768:2] error: SERVFAIL <cdn.id5-sync.com. A IN>: exceeded the maximum number of sends
2024-03-13T13:42:53 Error unbound [87768:1] error: SERVFAIL <ecs.office.com. A IN>: exceeded the maximum number of sends
2024-03-13T13:37:06 Error unbound [87768:1] error: SERVFAIL <www.msftncsi.com. AAAA IN>: exceeded the maximum number of sends


An example of an extended log:

2024-03-13T18:33:03 Informational unbound [8352:2] info: query response was REFERRAL
2024-03-13T18:33:03 Informational unbound [8352:2] info: reply from <com.> 192.35.51.30#53
2024-03-13T18:33:03 Informational unbound [8352:2] info: response for _https._tcp.developer.download.nvidia.com. SRV IN
2024-03-13T18:33:03 Informational unbound [8352:2] info: resolving _https._tcp.developer.download.nvidia.com. SRV IN
2024-03-13T18:33:03 Error unbound [8352:0] error: SERVFAIL <_https._tcp.developer.download.nvidia.com. SRV IN>: exceeded the maximum number of sends
2024-03-13T18:33:03 Informational unbound [8352:1] info: resolving ns3.canonical.com. AAAA IN
2024-03-13T18:33:03 Informational unbound [8352:0] info: resolving _https._tcp.developer.download.nvidia.com. SRV IN
2024-03-13T18:33:03 Informational unbound [8352:1] info: resolving _http._tcp.archive.ubuntu.com. SRV IN


Thanks in advance :)
EDIT: Dum dum here. I double-checked the ACL and I had Allow as the default action while unbound was servicing WAN. I removed WAN, set the ACL to Deny and everything is running smoothly.
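Posts #2 and #4 both trace the "exceeded the maximum number of sends" storm to Unbound listening on WAN with an access-list default of Allow, i.e. an open resolver. The following added example (not code from the thread or from OPNsense) does two things a defender would want: it counts those SERVFAIL lines per hour from log text in the format quoted above, and it evaluates Unbound's longest-prefix access-control semantics to show why the default action decides whether arbitrary internet clients can resolve through the box. The log lines, ACL entries and addresses are constructed; the Allow/Deny rule sets are my model of the before and after states described in the posts.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the unbound log format quoted in this thread
# (hostnames replaced with RFC 2606 reserved names).
SAMPLE_LOG = """\
2024-03-13T15:30:01 Error unbound [87768:2] error: SERVFAIL <a.example. A IN>: exceeded the maximum number of sends
2024-03-13T15:06:43 Error unbound [87768:2] error: SERVFAIL <b.example. A IN>: exceeded the maximum number of sends
2024-03-13T15:06:44 Informational unbound [87768:1] info: resolving b.example. A IN
2024-03-13T13:42:53 Error unbound [87768:1] error: SERVFAIL <c.example. AAAA IN>: exceeded the maximum number of sends
"""

SERVFAIL_RE = re.compile(
    r"^(?P<ts>\S+) Error unbound \[\d+:\d+\] error: SERVFAIL "
    r"<(?P<qname>\S+) (?P<qtype>\S+) IN>: exceeded the maximum number of sends$"
)

def servfail_sends_per_hour(log_text):
    """Count 'exceeded the maximum number of sends' SERVFAILs per hour (key: YYYY-MM-DDTHH)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SERVFAIL_RE.match(line)
        if m:
            counts[m.group("ts")[:13]] += 1
    return counts

def effective_action(access_control, client_ip):
    """Resolve an Unbound access-control decision for one client.

    access_control: list of (cidr, action) pairs as in 'access-control: <cidr> <action>'.
    Unbound applies the most specific (longest-prefix) matching entry; a client that
    matches nothing is refused, which is why the default entry matters so much."""
    ip = ip_address(client_ip)
    best = None
    for cidr, action in access_control:
        net = ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else "refuse"

def is_open_resolver(access_control, serves_wan):
    """True when Unbound is bound to WAN and an arbitrary public client is allowed."""
    # 203.0.113.10 is a TEST-NET-3 documentation address standing in for 'anyone on the internet'.
    return serves_wan and effective_action(access_control, "203.0.113.10") == "allow"

# Modelled 'before': default action Allow while also serving WAN, as in posts #2 and #4.
BEFORE = [("0.0.0.0/0", "allow"), ("192.168.0.0/16", "allow")]
# Modelled 'after': default action Deny and WAN removed from the listening interfaces.
AFTER = [("0.0.0.0/0", "refuse"), ("192.168.0.0/16", "allow")]

if __name__ == "__main__":
    print(servfail_sends_per_hour(SAMPLE_LOG))
    print("before:", is_open_resolver(BEFORE, serves_wan=True))
    print("after:", is_open_resolver(AFTER, serves_wan=False))
```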
#5
Hi,
I have had the same problems since a few updates ago.
I'm on OPNsense 24.1.3_1-amd64.

IPv6 is disabled overall, I'm using 8.8.8.8 or 1.1.1.1 as default DNS on opnsense, with no override on LANs.
In unbound I don't have DNSSEC and I don't have query forwarding ON.
Every now and then I get SERVFAIL for exceeded maximum requests; I have up to 8000 concurrent requests at specific times of the day.
With dnsmasq I have no problems.