"Quote from: Azokul on March 03, 2025, 05:48:10 PMHi,
I'm trying to understand how to setup Suricata with Unbound DNS on Opnsense.
Right now i'm using Unbound at 192.168.1.48:53 and serve the LAN.
I don't have hardware offloading, nor i'm forwarding DNS level devil. I also don't have DNS setup on General tab.
I'm also not using
Allow DNS server list to be overridden by DHCP/PPP on WAN.
I'm testing facebook DNS rule with nslookup, but it never trigger an alert.
|| || |2025-03-01T21:14:34|Informational|unbound|[39188:3] info: reply from <facebook.com.>
|| |2025-03-01T21:14:34|Informational|unbound|[39188:3] info: response for facebook.com. A IN||
|2025-03-01T21:14:34|Informational|unbound|[39188:3] info: resolving facebook.com. A IN|
|| || |51000003|alert|opnsense.social_media.rules|social-media|OPN_Social_Media - Facebook - DNS request for facebook.com||
As far as i understand , after a little bit of research i think it might be related to rules behavior.
Localnet is on 192.168.0.0/16 but rules expect an external request for !LOCALNET , which is definitely never true.
As DNS request (to my understanding) are sent via localnet to Unbound, that get re-routed to WAN for an external request.
So , realistically my DNS request for facebook is always under Localnet if i'm monitoring LAN.
If i try on WAN instead i think i might got problems related to the fact that the WAN is a pppoe connection which doesn't really seem very much supported.
Any idea?
Thanks in advance
Instead of relying on `!LOCALNET`, modify the rule to specifically look for DNS traffic from your Unbound server's IP address to external DNS ports (usually UDP 53) on your LAN interface. However, this may not be directly possible with the predefined Suricata rules in the OPNsense GUI since `OPN_Social_Media` rules are often prepackaged.
