Messages

1

General Discussion / Re: MacOS hijacks the DNS settings?!

« on: November 20, 2024, 03:46:07 pm »

ah, now it seems to work!
I suppose it was some cache.

Thanks!

But I'm still wondering about the Mac behaviour, not really wondering, because surely it doesn't like to use DNS blockers, but it's rather bold just to make some DNS settings, that you can not reach as user!

Interesting that the MacOS wants to contact avast.com all the time (I have no avast installed!)... avast and quad, all the time.

2

General Discussion / Re: MacOS hijacks the DNS settings?!

« on: November 20, 2024, 03:37:02 pm »

ah, so I just select no interface for this rule?

The strange behaviour from MacOS now is that the request from my MacOS to the facebook.com is shown as blocked within adguard, but I can still reach it within Mac

I tested the rule and it works, but as it seems, not for MacOS

3

General Discussion / Re: MacOS hijacks the DNS settings?!

« on: November 20, 2024, 03:30:27 pm »

I had this workaround within my ipfire access point for some other reasons. Sure, this would be the solution, thanks!

I suppose, I need the floating rule for each interface within I use such f... devices. So one for LAN and one for WLAN in my case.

4

General Discussion / MacOS hijacks the DNS settings?!

« on: November 20, 2024, 02:59:19 pm »

Hi,
I have some hardware within my network, which is working fine with adguard... BUT the fu... Mac don't want to do this.
I set the DNS for the network connection and it just ignores it in some kind of strange way. I see some connections of the Mac within adguard, but it doesn't block for example facebook (all other machines get blocked!). I see even no connection to facebook from the Mac, BUT I see some to dns10.quad9! So MacOS seems to highjack the DNS settings and just use some own DNS setting. AND I find no setting for that within MacOS.

I know, the best solution would be just to through the Mac out of the window, but this is not an option in that case. I need it for some special tasks.

Are there some solutions for that kind of problem? I suppose just blocking quad would be no solution, for I suppose MacOS has set several own DNS entries.

cheers
bread

5

General Discussion / Re: problems with resolving speed

« on: November 01, 2024, 06:51:04 pm »

Problem is solved!
It was the MTU value on the sys-vpn. I set there 1380 and it works!

6

General Discussion / problems with resolving speed

« on: November 01, 2024, 05:45:08 pm »

Hi,

I get terrible resolving time especially at the beginning of loading some pages.
Something about 8 seconds!

the setting:
aduard 53 --> unbound 5353 --> some privacy friendly 4 x DoT upstream servers
+ IDS / IPS
unbound has the following points activated:
- Enable DNSSEC Support
- Register ISC DHCP4 Leases
- Register DHCP Static Mappings
- Do not register IPv6 Link-Local addresses
- Hide Identity / Version
- Harden DNSSEC Data
- Aggressive NSEC


I tried to deactivate adguard and IDS / IPS.
I changed DoT within unbound to 1.1.1.1.
I even changed DNS to 1.1.1.1 on the client, so it shouldn't use any internal DNS at all.
But the issue stays.

If I ping 1.1.1.1, I get immediate result of about 23ms,
but if I ping cloudflare.com, it lasts about 5-10 seconds till it starts and it lasts even between the pings about 3 seconds.
But the ping itself is still about 25-27ms.

So it seems to be a problem of DNS, but in which way, if I even set client DNS to 1.1.1.1??
iperf within LAN is about 900Mbits, so OK.

cheers
bread

edit:
OK, the problem was the VM within QubesOS!
The one, which has this terrible resolving goes over another network VM (sys-vpn) and not directly to firewall-vm. Even if VPN is not on, I get this kind of resolving. So it's a problem of routing in QubesOS!

7

Tutorials and FAQs / Re: HOWTO - Update AdGuard Home automatically with cron

« on: November 01, 2024, 11:51:40 am »

Once the user moves to using them outside Unbound, for instance in AdGH, those go away.

oh, so you mean it's even better to use block lists outside of unbound? Ok, fine!

so you will get AGH updates with your regular OPNsense maintenance. Just not on the day they are published upstream.

that was the point I already thought about, so the updates are coming. Good to know!

8

Tutorials and FAQs / Re: HOWTO - Update AdGuard Home automatically with cron

« on: November 01, 2024, 09:58:56 am »

Settings > General Settings > Filter Update Interval

Ah, thanks! Just didn't see it.

Regarding the update possibility of adguard itself, as I understand there is no better solution as above, because its not an official OPNsense app, isn't it?

So if I want something that blocks AND updates itself AND is stable with OPNsense after updates, I must use unbound block lists, isn't it?

9

Tutorials and FAQs / Re: HOWTO - Update AdGuard Home automatically with cron

« on: October 31, 2024, 11:14:11 pm »

is thre meanwhile a better solution for autoupdate adguard?

And the next question is, how can I autoupdate the block lists?

10

General Discussion / Re: FW rules? DNS problem? Get no connection with adguard on WLAN.

« on: October 31, 2024, 10:14:29 pm »

ok, it's an issue with ipfire and I solve it as it seems!

I don't know, why I can not set the LAN-IP of the OPNsense as DNS for clients, but if I set the IP of the interface the clients are connected to, everything seems to work.

The special problem with WLAN is because of the access point. If I set the IP of the ipfire as DNS for WLAN clients, the ipfire resolves in resursive mode and I get nothing from adguard. So I must set the interface IP of the NIC, the ipfire is connected to (the IP of the OPNsense on this special NIC). Then it works!

11

General Discussion / FW rules? DNS problem? Get no connection with adguard on WLAN.

« on: October 31, 2024, 02:59:16 pm »

Hey!
After some use of OPNsense I still don't understand the logic of the rules.
Especially I get no access from WLAN to WAN if I use the LAN-IP of the OPNsense (Adguard) as DNS server for Clients.

1. I stopped to use floating rules for better understanding of whats going on.
2. LAN: LAN net to PrivateNetworks net - allow PrivateNetworks for LANdevices
3. PrivateNetworks: Pr.Net.Devices to !PrivateNetworks - allow Pr.Net.Devices to WAN
    PrivateNetworks: Pr.Net. ICMP to any - allow ping within Pr.Net.
4. WLAN: WLAN net to Pr.Net. net - allow Pr.Net. for WLAN devices

I have also some Wireguard rules and Rules for Synology, they work.

The Clients in WLAN connect to ipfire Interface, I use it as access point.
DNS there is set recursive mode, so ipfire contacts the root server directly for its own purposes.

If I set the ipfire-IP ad DNS on the WLAN clients, i get connection to the LAN and WAN, so everything works, but as I understand, I don't use Adguard then.

If I set LAN-IP of the OPNsense (Adguard) as DNS on the WLAN clients, I get no connection to WAN, but connection to LAN.
Why that??

The strange thing is, I see the requests of the mobile client from WLAN in the Adguard dashboard if I go via VPN and choose LAN-IP of the OPNsense (Adguard) as DNS, but I can not get out to the Internet. If I just use directly WLAN on the mobile client and set Adguard as DNS, I don't even see any requests in the Adguard dashboard.

Does it have to do with FW rules, or is it some configuration between unbound and adguard (and maybe ipfire in recursive mode)? Or is it just some DNS problem (as nearly always if smth doesn't work)?

cheers
bread

12

24.7 Production Series / DNS unbound configuratino for local searx server?

« on: October 01, 2024, 01:21:33 am »

Hey there!
How can I resolve my local searx server just within internal network?

• I have myhostname.local in the /etc/nginx/sites-enabled/searx
• searx server is connected and can be reached, but shows just the welcome page of nginx
• connection via hostname within browser doesn't work

I suppose it has something to do with the unbound settings.

I use PiHole as DNS server for all clients, but PiHole uses OPNsense as upstream server.

Cheers
bread

13

German - Deutsch / Re: PiHole wird am eigenen segmentierten Interface geblockt

« on: July 12, 2024, 04:26:34 pm »

Warum eine Floating Regel? Sehe ich grundsätzlich immer kritischer sowas alles per Float zu machen.

Na dafür sind sie doch da, um Systemübergreifende Regeln zu machen. Wenn Devices auf verschiedenen Interfaces hocken, warum dann nicht?

Also wenn man unbound auf PiHole einrichtet, dann ist es PiHole selbst, also 127.0.0.1#5335
https://docs.pi-hole.net/guides/dns/unbound/

Das sind keine Ports mit denen PiHole standardmäßig arbeitet? Das eine könnte SSDP sein - da hat Pihole aber nichts mit zu tun - und was mit NAT Mapping - aber auch das macht PiHole normalerweise nicht. Klingt eher nach falschem Alarm, komischem Setup der PiHole Kiste oder was anderem.

Ja, das dachte ich auch, dass es irgendwie keinen Sinn macht. Muss mal in mich gehen, was da eingestellt wurde.

Huh? Das macht ja gar keinen Sinn. Die Sense ist ja das Gerät am äußersten Rand des Netzes, dann sendet man doch den DNS nicht wieder rein ins Netz, sondern raus?

Ok, sicherheitstechnisch wäre es besser, wenn OPNsense ins Netz mit DNS geht. Gedacht war es aber, dass PiHole im unbound auflöst. Aber dann mach ichs andersrum.

Dann weg mit unbound bei pihole, da kommt als resolver dann die IP von OPNsense rein, oder?
Und was kommt bei OPNsense unter settings->general als DNS rein, wenn ich unbound nutzen will? Nichts oder die OPNsense selbst?

14

German - Deutsch / PiHole wird am eigenen segmentierten Interface geblockt

« on: July 11, 2024, 08:15:23 pm »

Hi,

ich wusste nicht, wie ichs besser beschreiben soll.
Ich habe PiHole (192.168.5.250) am segmentierten Interface (192.168.5.1) laufen.

PiHole gehört zu privateDevices, die über Floating-Regel per !Private_Networks ins Internet dürfen.
PiHole selbst nutzt unbound mit 127.0.0.1#5335 als DNS-Resolver.

Jetzt werden ständig anfragen von PiHole zum Interface mit der Portnummer 5351 und 1900 geblockt.
Die DNS-Auflösung über PiHole scheint aber dennoch zu funktionieren (habs mal über so ne AdBlocker-Seite gecheckt).

Was sind das für scheinbar unnötige Anfragen, die PiHole da startet?

Edit:
ich habe jetzt ein viel größeren Problem festgestellt
PiHole ist in Settings general als DNS eingetragen.
Unter unbound query forwarding sehe ich PiHole IP "use system name servers" ist aktiviert.

Wenn ich jetzt aber PiHole bei Aliases aus den Devices rausnehme, die ins Internet dürfen, dann funktioniert die DNS-Auflösung dennoch! Hä???

Was löst dann da auf??

Bei den Logs sehe ich lauter geblockte Anfragen von PiHole.

Edit:
ich vermute, es hat etwas mit dem Unbound von OPNsense zu tun?
Wahrscheinlich ignoriert er den Eintrag für PiHole und löst einfach selbst direkt auf.... doch warum??

Bei unbound steht
- enabled
- all Interfaces
- enabled DNSSEC
- transparent local zone

Grüße
bread

15

German - Deutsch / Re: Wireguard blockt gesamte Internetverbindung in der FW

« on: July 01, 2024, 09:49:22 pm »

ah, hab dich da nicht verstanden. Alles klar, ich schau mal bei Gelegenheit. Danke!