Messages - aimdev

#1
is it this one?
#2
24.7, 24.10 Legacy Series / Netflow V9 template
November 27, 2024, 03:26:36 PM
Actually I do not know what to look for, but can anyone inform me where I can get a copy of the template used in OPNsense? I wish to use this with GoFlow2 to see if I am missing some field(s).

Tks

Aimee
#3
Re DOH
I am testing the free Zenarmor and I am seeing these blocks
   
Nov 12, 2024 17:24
192.168.0.12   54897   17.253.38.115   doh.dns.apple.com   doh.dns.apple.com   443   Blacklisted

Trouble is, blocking baddies is like 'whack-a-mole'.
#4
Apologies for misunderstanding your requirement.
Are you saying that some devices on your LAN are actually using DoT, i.e. port 853 and not port 53?
Also, for the solution of modifying unbound.conf, will the changes survive a reboot or upgrade?
As for DoH, I'm not sure how those requests are detected within the HTTPS traffic.
#5
1. Ensure you disable System: Settings: General: "Allow DNS server list to be overridden by DHCP/PPP on WAN".
2. Allow 853 on the LAN.
3. Leave port 53 as is on Unbound.
4. Set up your TLS servers in Unbound (DNS over TLS).
5. Firewall: NAT: Port Forward
   LAN   TCP/UDP   *   *   ! LAN net   53 (DNS)   127.0.0.1   53 (DNS)   Redirect DNS requests to internal DNS resolver
6. Firewall: Rules: LAN
   IPv4 TCP/UDP   *   *   127.0.0.1   53 (DNS)   *   *   Redirect DNS requests to internal DNS resolver
   IPv4+6 TCP/UDP   *   *   LAN address   53 (DNS)   *   *   Internal DNS LAN
7. Firewall: Rules: WAN
   IPv4 TCP/UDP   ! LAN net   *   *   53 (DNS)   *   *   DNS to WAN in
   IPv4 TCP/UDP   *   *   *   53 (DNS)   *   *   DNS to WAN
8. Set Unbound to transparent and disable "Use System Nameservers" on the TLS servers page.
9. Reboot.
10. Check DNS using the option on the browser leaks web site.

I had a few escapees where the DNS server was hard coded into the device (IoT mainly). As a precaution I blocked the 'popular' DNS IP addresses. Use the firewall logging to see what's happening :)

I am not saying this is the best approach, I am sure someone will correct me but it worked for me after a lot of experimentation.

Sorry about the formatting.
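The ten steps above boil down to a port-53 redirect to Unbound plus a hand-made blocklist of resolver IPs. The following Python model is added here as an illustration (it is not code from the post or from OPNsense): it evaluates constructed LAN flows against that policy and shows which DNS traffic the redirect catches, which DoT sessions only the IP blocklist stops, and why DoH on 443 is invisible to a port-based rule. The LAN prefix, the `Flow`/`classify`/`audit` helpers and the blocked-resolver set are assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Assumption (constructed): LAN is 192.168.0.0/24; the blocked "popular" resolver IPs
# are the two addresses Home Assistant was seen using elsewhere in the thread.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
UNBOUND = ("127.0.0.1", 53)
BLOCKED_RESOLVERS = {"1.1.1.1", "1.0.0.1"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

def redirect_target(flow):
    """Model of step 5's port forward: LAN  TCP/UDP  *  *  ! LAN net  53  ->  127.0.0.1:53.
    Returns the rewritten (ip, port), or None when the rule does not match."""
    if flow.proto not in ("tcp", "udp") or flow.dport != 53:
        return None
    if ipaddress.ip_address(flow.dst) in LAN_NET:  # "! LAN net": LAN-local DNS is left alone
        return None
    return UNBOUND

def classify(flow):
    """Where a LAN client's query ends up under the post's rule set."""
    if flow.dport == 53 and flow.proto in ("tcp", "udp"):
        return "redirected-to-unbound" if redirect_target(flow) else "lan-local-dns"
    if flow.dport == 853 and flow.proto == "tcp":
        # step 2 lets 853 out of the LAN, so DoT is only stopped by the IP blocklist
        return "blocked-resolver-ip" if flow.dst in BLOCKED_RESOLVERS else "escapes-as-dot"
    if flow.dport == 443 and flow.proto == "tcp":
        return "https-opaque"  # DoH looks like any other HTTPS session to a port-based rule
    return "not-dns"

def audit(flows):
    return {f: classify(f) for f in flows}

# Constructed sample flows; 17.253.38.115 is the doh.dns.apple.com hit from the Zenarmor post.
SAMPLE = [
    Flow("192.168.0.12", "1.1.1.1", "udp", 53),         # hard-coded public resolver, caught
    Flow("192.168.0.12", "192.168.0.1", "udp", 53),     # query to the LAN resolver, untouched
    Flow("192.168.0.12", "1.0.0.1", "tcp", 853),        # DoT to a blocklisted IP
    Flow("192.168.0.12", "203.0.113.5", "tcp", 853),    # DoT to an unlisted IP escapes
    Flow("192.168.0.12", "17.253.38.115", "tcp", 443),  # DoH, invisible to port matching
]

if __name__ == "__main__":
    for flow, outcome in audit(SAMPLE).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {outcome}")
```

Feeding the script flows lifted from the firewall live view instead of `SAMPLE` gives a quick list of the "escapees" the post mentions.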
#6
DOT

Thanks for the advice.
#7
1. When testing the firewall I often gaze at the Live View firewall log, which auto-updates; it just makes life a bit easier.

2. No, for me all are local, even with 'All' set as the display option. Possibly it may be how I have Unbound set up.

#8
Just to say I find the new Unbound reporting very useful, and I would like to suggest a couple of enhancements

1. Auto refresh

2. On the list, when filtering with the term 'Block' all the clients are localhost, whereas without a term, or even with the term 'Pass', the correct client is shown. Having the client in the Block situation would assist in tracing malicious queries.
#9
23.1 Legacy Series / Preliminary report on UG 23.1
January 29, 2023, 02:58:37 PM
Backup system, Reolink NICs:
upgraded, no issues (no further tests carried out)
VM no

Operational system, Intel NICs:
NUT UPS OK after patch
USB GPS OK
DNS leak test on Unbound DoT OK
feeds to network & firewall monitoring OK
cold start advert blocking test passed with reservations (Register, Sky, ISPreview appear OK, MailOnline not OK)
CPU & temperature no discernible change
VM no

Showtime :)
#10
@IsaacFL
Another cold start resulted in the same procedure being carried out to get blocking working.
The energised list was not used.
The log files do not show any errors.
I agree with the statement Unbound blocklist does not seem to be working since update to 22.7.9
#11
I have not enabled dns64, but experienced this issue after update.
I 'cleared it' by reloading the block list; in the past there was a message stating the number of records downloaded.
I also added a url https://block.energized.pro/ultimate/formats/domains.txt to see if that fixed it.
Today there was a power outage, so when the power came back, a cold restart was required.
The lack of blocking issue returned.
I pressed the apply button, no message, and the little wheel indicator momentarily displayed.
I pressed apply again and the indicator was visible for longer, and behold, after clearing the browser cache, no more adverts.
I did search this board and this phenomenon occurred in the past.
The upgrade release notes mention this
unbound: rework DNSBL implementation to Python module
#12
22.7 Legacy Series / Re: opnsense shutdown issue
October 20, 2022, 08:15:37 PM
Sorted, a rather obscure setting solved the issue.
#13
22.7 Legacy Series / Re: Forcing unbound 853
October 07, 2022, 07:42:26 PM
On reflection I have decided to dump HA, so the question is now irrelevant to my requirements.
#14
22.7 Legacy Series / Re: Forcing unbound 853
October 07, 2022, 09:48:52 AM
Apparently yes, but when I tried it, it didn't work. HA is dockerized, so the fallback DNS is a 172 private address.
HA is tied down somewhat; others have had issues.
Preferable to see if it's possible with OPNsense.
Yes, it is TLS; no, it's not using HTTPS.
#15
22.7 Legacy Series / Forcing unbound 853
October 07, 2022, 09:36:35 AM
I use DNS on 853, forwarding port 53 to port 853 and blocking other DNS servers.
Recently I added Home Assistant, which appears to use 1.1.1.1:853 or 1.0.0.1:853.
There are issues with Home Assistant and altering its DNS; it feels ever so lonely and checks the mothership every 10 minutes or so.

Incidentally, with logging on the rule (used to check internet usage), when it goes berserk it tops up the log,
and the syslog monitor system ramps up with loads of backlogs.

Is there a way to force it to use Unbound, as the clone of the port 53 forward didn't seem to work?