Messages - Siarap

#1
Quote from: BrandyWine on September 25, 2025, 06:42:29 AM
Quote from: Siarap on September 24, 2025, 11:29:36 PM
I have an important question. What if malware starts using DNS over HTTPS?
This NAT trick is in another thread; I have to find it.

You add a NAT rule as a WAN out rule, src-any dst-any dst-port tcp/udp-53, nat dst-IP to 9.9.9.11
You also want your standard access LAN rule for DNS, allowing your LAN net to 9.9.9.11 tcp/udp-53


I just set DNS over TLS to Quad9 in Unbound and blocked all outgoing traffic from WAN to port 53 using a firewall rule. I don't see any leaks now in Maltrail. But my blocklist for blocking DNS over HTTPS has started to block more and more.
Quote from: allenlook on September 25, 2025, 02:15:52 PM
How is your Maltrail configured now, e.g. are you using firewall rules to block packets on WAN and LAN, IN and/or OUT, and on which interfaces?


I'm using fail2ban from Maltrail, in on WAN and out on LAN. My other blocklists have over 15 million unique IP addresses. The fight never ends.

Quote from: meyergru on September 25, 2025, 08:39:53 AM
Well, "solved" would be to find the root cause and eliminate it. As long as you have infected clients in your LAN, this is not over. Even more so with the observation that already, multiple trojans seem to have invaded your network and it seems not to be segmented into different levels of security by VLANs. Such as it is, the bots are free to spread in your network - you just do not see that any more.


Nothing spreads because I have VLAN separation. Formatted all drives in my gaming machine. Scanned the other client with Linux using ClamAV with no detections. I just can't scan/format my IPTV decoder. The IPTV decoder is made in China. Nobody knows what this device can do. I got this IPTV box from my ISP and can't change it.
#2
Quote from: BrandyWine on September 24, 2025, 10:50:00 PM
Quote from: meyergru on September 24, 2025, 07:11:11 PM
Are you sure about that? When your internal clients use DNS via port 53 to a specific DNS server, then obviously those requests go via the WAN IP via NAT. It seems ~10x more likely that some client has been infected than OpnSense...
Yep.

This is why it's best to dst NAT (WAN out rule) any outbound DNS to 9.9.9.11 or the like. Because OPNsense has that default "allow from self", so to protect against self (malware) using some other DNS that would return malware IP from query, forcing it with NAT to a malware blocking DNS service would help. Not 100%, but helps.

All DNS settings should be using malware blocking DNS service, and, WAN out NAT rule to force all DNS to a specific server, even if it's the same as dns from dhcp or hard set on hosts.

Can you tell me how to do this? I'm a newbie. And thanks for the info; I'm using 9.9.9.11 over TLS but there are leaks currently.
I have a port forward rule on the LAN side like this:
       LAN    TCP/UDP    *    *    *    53 (DNS)    127.0.0.1    53 (DNS)
and malware does what it wants, and there are leaks.

Is this below good?

WAN    TCP/UDP    *    *    WAN address    53 (DNS)    9.9.9.11    53 (DNS)

I have an important question. What if malware starts using DNS over HTTPS?

Botnet solved partially. In the end I blocked all outgoing traffic from WAN directed to DNS port 53 and I have DNS over TLS directed to 9.9.9.11.

Now I don't see warnings related to DNS and botnets.
#3
How to identify a specific device? Maltrail shows WAN as the source of the traffic, not the LAN/VLAN device.

I have an IPTV decoder made in China from my ISP; I can't change it. I can't unplug devices; my family uses the internet/TV.

Is there a way to identify the device without unplugging?

Why is my DNS setup still leaking?
#4
Small part. There were hundreds of them in 3 minutes. This is a screenshot from the Maltrail plugin.
#5
Quote from: Patrick M. Hausen on September 24, 2025, 09:43:06 PM
Please attach on this forum. I block external image hosting sites.

When I try to post an image it asks me for an https link.
#6
This is a small part of the queries (screenshot from the Maltrail plugin).

https://imgur.com/a/vnVEavj
#7
Quote from: Patrick M. Hausen on September 24, 2025, 09:07:55 PM
Quote from: Siarap on September 24, 2025, 08:56:02 PM
ALL ports closed. I'm just a gamer, no need to open ANY ports. I'm not hosting games.

Then nobody can possibly have infected your OPNsense directly from outside. From inside via a previously infected client - yes. But as @meyergru wrote: highly unlikely.

Turn on the query log for whatever you use as a recursive server on your OPNsense, watch them, try to find the source of the queries step by step. Only method. No silver bullet.

If you want more help let's start with you describing your DNS setup in detail. Which servers - Unbound, DNSmasq, Adguard Home ... to which ports are they bound ... how did you configure DoT ... how exactly (show the firewall rules!) did you make sure clients cannot go directly to the Internet ...

The problem is - you probably think there's something obvious that experienced people like @meyergru and me know. Fact is, there is nothing obvious. It's all 100% particular to your specific configuration. When trying to help we build a mental image of your network (lacking real access). For that to be successful we need all relevant information.

Default DHCP with dnsmasq >> Unbound with blocklists >> DNS over TLS to Quad9 with blocklists. On the LAN side there is a block rule to block all outgoing traffic to any destination with destination port 53, plus a port forward on the LAN/VLAN side to redirect all unencrypted DNS traffic to Unbound. Also blocked outgoing TLS DNS from LAN. And I still get DNS traffic from WAN, not LAN, which points to malware-related domains. Even with an infected client on the LAN side, how is it still possible over port 53 unencrypted DNS when I have set DNS over TLS? Am I doing something wrong? Is my DNS still leaking? And this malware traffic is directed to random DNS servers different from Quad9. Tried the dnsleaktest site and there is no leak detected.
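Patrick's advice in post #7 (turn on the query log and trace the source step by step) and the question in post #3 (how to identify the device when Maltrail only shows the WAN address) both come down to reading the resolver's own logs, where the client address is still the LAN host rather than the NATed WAN address. The following is an added example, my own code rather than anything from the thread, Unbound, dnsmasq or Maltrail: it parses per-query log lines from Unbound (`log-queries: yes`) and dnsmasq (`log-queries`) and counts blocklisted lookups per LAN client. The sample log lines and the blocklist are constructed; the two line formats are the ones both daemons print by default, which is an assumption about the installed versions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs): the two formats a dnsmasq -> Unbound chain produces.
SAMPLE_LOG = """\
Sep 24 21:01:02 fw dnsmasq[901]: query[A] update.example from 192.168.1.50
Sep 24 21:01:02 fw unbound[1234:0] info: 127.0.0.1 update.example. A IN
Sep 24 21:01:03 fw dnsmasq[901]: query[A] c2-node.bad-example from 192.168.3.7
Sep 24 21:01:03 fw unbound[1234:0] info: 127.0.0.1 c2-node.bad-example. A IN
Sep 24 21:01:04 fw unbound[1234:0] info: 192.168.1.50 www.bad-example. AAAA IN
Sep 24 21:01:05 fw dnsmasq[901]: query[TXT] beacon.bad-example from 192.168.3.7
"""

# Constructed blocklist stand-in; a real deployment would load the same lists Unbound uses.
BLOCKLIST = {"bad-example"}

# Unbound with log-queries: "info: <client> <qname>. <qtype> IN"
UNBOUND_RE = re.compile(r"unbound\[[\d:]+\] info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) IN$")
# dnsmasq with log-queries: "query[<qtype>] <qname> from <client>"
DNSMASQ_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)$")


def parse_line(line):
    """Return {client, qname, qtype} for a query line of either daemon, else None."""
    for rx in (UNBOUND_RE, DNSMASQ_RE):
        m = rx.search(line)
        if m:
            return {"client": m["client"], "qname": m["qname"].rstrip(".").lower(), "qtype": m["qtype"]}
    return None


def is_blocklisted(qname, blocklist=BLOCKLIST):
    """True if the name or any parent domain is on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def attribute(lines, blocklist=BLOCKLIST):
    """Count queries and blocklist hits per LAN client, skipping loopback sources.

    A loopback client means another resolver on the box forwarded the query; that
    resolver's own log is where the real LAN client address appears.
    """
    report = defaultdict(lambda: {"total": 0, "hits": 0, "domains": set()})
    for line in lines:
        q = parse_line(line)
        if q is None or q["client"].startswith("127."):
            continue
        entry = report[q["client"]]
        entry["total"] += 1
        if is_blocklisted(q["qname"], blocklist):
            entry["hits"] += 1
            entry["domains"].add(q["qname"])
    return dict(report)


def suspects(report):
    """Client addresses ordered by number of blocklisted lookups, worst first."""
    return sorted(report, key=lambda c: report[c]["hits"], reverse=True)


if __name__ == "__main__":
    result = attribute(SAMPLE_LOG.splitlines())
    for client in suspects(result):
        info = result[client]
        print(f"{client}: {info['hits']}/{info['total']} blocklisted -> {sorted(info['domains'])}")
```

With the thread's chain (dnsmasq in front of Unbound on the same host), Unbound logs every forwarded query as coming from 127.0.0.1, so the dnsmasq query log is the one that names the VLAN host; the Unbound lines only matter for clients that talk to Unbound directly. Feed the script `tail -f` output of the relevant log and the top entry of `suspects()` is the device to look at first.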
#8
ALL ports closed. I'm just a gamer, no need to open ANY ports. I'm not hosting games.
#9
The Maltrail plugin already identified the device. SOURCE is the WAN IP address, not a LAN IP address. I get other traffic from LAN addresses. I'm running Maltrail on every WAN/LAN/VLAN interface because I have them all. Previously Suricata detected MANY exploits going on at the WAN address, but these attacks stopped (they were blocked by the ET telemetry ruleset). Every one of my devices in a VLAN is separated by VLAN. A few days ago I had a MASS port scan from multiple domains/IP ranges which was detected and blocked by CrowdSec. I don't know what they are looking for because I have literally NOTHING here. I'm just a gamer who likes privacy and security. They will be upset when they break in hahaha.
#10
I don't know such a person. I try to fight this threat on my own. Partially solved by blocking outgoing traffic to port 53 from WAN. But what if malware uses DNS over HTTPS instead of raw DNS on port 53?
#11
Quote from: meyergru on September 24, 2025, 07:11:11 PM
Quote from: Siarap on September 24, 2025, 06:45:20 PM
These connections were made from the WAN IP address, not from LAN.

Are you sure about that? When your internal clients use DNS via port 53 to a specific DNS server, then obviously those requests go via the WAN IP via NAT. It seems ~10x more likely that some client has been infected than OpnSense...

I have blocked traffic over port 53 to the internet from LAN and a port forward to redirect all DNS traffic generated in LAN to 127.0.0.1 (Unbound). Then Unbound with blocklists, then the traffic goes to the Quad9 DNS, also with its own blocklists. Please READ CAREFULLY what I wrote. When I say from WAN I mean from WAN, not LAN. Maltrail also says clearly which interface generates the traffic. AND my DNS connection goes through TLS. That's why I don't understand why there are port 53 connections from WAN.
#12
I don't know if I can handle it alone. I'm just a user, a loser and a newbie.
#13
My Maltrail detected mass connections to malware-related domains in about 3 minutes (many different domains). These connections were made over port 53 even though I have set DNS over TLS. These connections were made from the WAN IP address, not from LAN. Is it possible that my OPNsense instance is infected?

EDIT: Currently partially solved by blocking outgoing traffic from WAN with port 53 destination. But I am a network newbie; I don't know if it's enough.
#14
OK. Thanks for the explanation. Probably there was some unwanted traffic between subnets; that's why the rule didn't start immediately. That's why I separate the IPTV decoder made in China (from my ISP) and the other machines. Nobody knows what that device is doing on the internal side of the firewall.
#15
Adding a block rule with the built-in (autogenerated) "vlan net" alias as destination has no effect on the destination; it can still be pinged from LAN net. Same in the reversed direction with LAN net blocked as destination.

When I set my own alias with the 192.168.3.1/24 network (VLAN net IP range) and block it as destination, it works as intended: the destination cannot be pinged (whole address pool).

I know the proper rule order in OPNsense. It doesn't even work when one rule is present on the LAN interface with access to all from any address but with !vlan net destination (reversed destination). With this rule, IP addresses in vlan net can be pinged without any restriction.

For example this rule won't block access to tv net (VLAN): IPv4 *    LAN net    *    ! tv net    *    *    *  (pass rule)

Only aliases set by me worked, not any * net aliases autogenerated by OPNsense.

I'm a newbie so I may not understand something.
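Posts #14 and #15 describe a block or negated-destination rule that appeared to have no effect until the existing traffic between the subnets had stopped. The following added example is my own code, not the thread's and not OPNsense's or pf's implementation: a deliberately simplified model of how a stateful, first-match packet filter such as pf (which OPNsense runs) treats a packet. The state table is consulted before the rule list, so a flow whose state was created under an earlier permissive rule keeps passing after the rule set changes, until its state expires or is reset. The address ranges, rules and the final catch-all deny are constructed stand-ins for the thread's LAN and "tv net".

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed address plan: stand-ins for the thread's LAN and the "tv net" VLAN.
# 192.168.3.1/24 from the post normalises to the 192.168.3.0/24 network.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
TV_NET = ipaddress.ip_network("192.168.3.1/24", strict=False)
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_negate: bool = False     # the "!" in "! tv net"

    def matches(self, src, dst):
        if src not in self.src:
            return False
        in_dst = dst in self.dst
        return (not in_dst) if self.dst_negate else in_dst


@dataclass
class Filter:
    """Simplified stateful filter: state table first, then first matching rule, then default deny."""
    rules: list
    states: set = field(default_factory=set)   # (src_ip, dst_ip) pairs with an open state

    def evaluate(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. An existing state short-circuits rule evaluation entirely.
        if (src, dst) in self.states:
            return "pass (existing state)"
        # 2. First matching rule decides; a pass rule creates state for the flow.
        for rule in self.rules:
            if rule.matches(src, dst):
                if rule.action == "pass":
                    self.states.add((src, dst))
                return rule.action
        # 3. Nothing matched: the catch-all deny at the end of the rule set.
        return "block (default deny)"

    def reset_states(self):
        self.states.clear()


def scenario():
    """Verdicts showing why a new restriction can look ineffective until states are reset."""
    out = {}
    # Starting point: a plain allow rule, and a LAN host already talking to a tv-net host.
    fw = Filter(rules=[Rule("pass", LAN_NET, ANY)])
    out["before_rule"] = fw.evaluate("192.168.1.20", "192.168.3.10")
    # The operator replaces the rule set with "pass LAN net to ! tv net" only.
    fw.rules = [Rule("pass", LAN_NET, TV_NET, dst_negate=True)]
    out["after_rule_same_flow"] = fw.evaluate("192.168.1.20", "192.168.3.10")   # state still open
    out["after_rule_new_flow"] = fw.evaluate("192.168.1.21", "192.168.3.10")    # no state, no match
    out["after_rule_internet"] = fw.evaluate("192.168.1.21", "203.0.113.5")     # not tv net: matches
    # Clearing the state table is what makes the new rule apply to the old flow.
    fw.reset_states()
    out["after_state_reset"] = fw.evaluate("192.168.1.20", "192.168.3.10")
    return out


if __name__ == "__main__":
    for step, verdict in scenario().items():
        print(f"{step:>22}: {verdict}")
```

The model only keeps (source, destination) pairs as state and ignores ports, protocols and state timeouts, which is enough to show the ordering: a pass verdict stored before the rule change still wins afterwards, and the negated-destination pass rule by itself never blocks anything; the block comes from the catch-all deny after no rule matched. When testing a new inter-VLAN rule on the real firewall, reset or kill the existing states for the hosts involved before concluding that the rule or alias is at fault.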