Messages

1

24.7 Production Series / Re: Configure Unbound to listen for TLS requests on port 853?

« on: November 12, 2024, 06:31:49 pm »

Re DOH
I am testing the free Zenarmor and I am seeing these blocks
   
Nov 12, 2024 17:24
192.168.0.12   54897   17.253.38.115   doh.dns.apple.com   doh.dns.apple.com   443   Blacklisted

Trouble is blocking baddies is like 'wack a mole'

2

24.7 Production Series / Re: Configure Unbound to listen for TLS requests on port 853?

« on: November 10, 2024, 07:37:51 am »

Apologies for misunderstanding your requirement.
Are you saying that some devices on your lan are actually using DOT?, ie port 853 and not port 53
Also the solution for modifying unbound.conf, will the changes survive a reboot or upgrade?
As for DOH, not sure how those requests are detected within the https traffic.

3

24.7 Production Series / Re: Configure Unbound to listen for TLS requests on port 853?

« on: November 09, 2024, 09:12:54 am »

1. ensure you disable 
System: Settings: General
Allow DNS server list to be overridden by DHCP/PPP on WAN
2. Allow 853 on the lan
3. leave 53 port as is on unbound
4. setup your tls servers in unbound (dns over tls)
5. Firewall: NAT: Port Forward
         LAN   TCP/UDP   *   *   ! LAN net   53 (DNS)   127.0.0.1   53 (DNS)   Redirect DNS requests to internal DNS resolver
6. Firewall: Rules: LAN
   IPv4 TCP/UDP   *   *   127.0.0.1   53 (DNS)    *   *      Redirect DNS requests to internal DNS resolver
   IPv4+6 TCP/UDP   *   *   LAN address   53 (DNS)   *   *      Internal DNS LAN
7. Firewall: Rules: WAN
IPv4 TCP/UDP   ! LAN net   *   *   53 (DNS)   *   *      DNS to WAN in
   IPv4 TCP/UDP   *   *   *   53 (DNS)   *   *      DNS to WAN
8. unbound transparent and disable  Use System Nameservers on the tls servers page

9. reboot

10. check dns using option on the browser leaks web site

I had a few escapees where the dns server was hard coded into the device (IOT’s mainly). as a precaution I blocked the ‘popular’ dns
ip address’s. use the firewall logging to see whats happening

I am not saying this is the best approach, I am sure someone will correct me but it worked for me after a lot of experimentation.

Sorry about the formatting.

4

23.1 Legacy Series / Re: The new unbound reporting is pretty cool

« on: January 31, 2023, 10:42:28 am »

DOT

Thanks for the advice.

5

23.1 Legacy Series / Re: The new unbound reporting is pretty cool

« on: January 31, 2023, 08:55:40 am »

1. I often when testing the firewall gaze at the Live View firewall log, which auto updates, just makes life a bit easier.

2. No for me, all local even with 'All' set as the option for display. Possibly it may be how I have Unbound setup.

6

23.1 Legacy Series / Re: The new unbound reporting is pretty cool

« on: January 31, 2023, 07:52:07 am »

Just to say I find the new Unbound reporting very useful, and I would like to suggest a couple of enhancements

1. Auto refresh

2, On the list, when filtering with the term 'Block' all the clients are localhost, whereas without a term, or even with the term 'Pass' the correct client is shown. Having the client in the Block situation would assist in tracing malicious queries.

7

23.1 Legacy Series / Preliminary report on UG 23.1

« on: January 29, 2023, 02:58:37 pm »

Backup system reolink nics
upgraded no issues (no further tests carried out)
VM no

Operational system intel nics,
nut ups ok after patch
usb gps ok
dns leak test on unbound dot ok
feeds to network & firewall monitoring ok
cold start advert blocking test passed with reservations (register, sky, ispreview appear ok, mailonline not ok)
cpu & temperature no discernible change
VM no


Showtime 

8

22.7 Legacy Series / Re: Unbound blocklist does not seem to be working since update to 22.7.9

« on: January 08, 2023, 07:27:53 am »

@IsaacFL
Another cold start resulted in the same procedure being carried out to get blocking working.
The energised list was not used.
The log files do not show any errors.
I agree with the statement Unbound blocklist does not seem to be working since update to 22.7.9

9

22.7 Legacy Series / Re: Unbound blocklist does not seem to be working since update to 22.7.9

« on: December 06, 2022, 07:34:46 pm »

I have not enabled dns64, but experienced this issue after update.
I 'cleared it' by reloading the block list, in the past there was a message stating the number of records dowbloaded.
I also added a url https://block.energized.pro/ultimate/formats/domains.txt to see if that fixed it.
Today there was a power outage, so when the power came back, a cold restart was required.
The lack of blocking issue returned.
I pressed the apply button, no message and the little wheel indicator momentarily displayed.
I pressed  apply  again and the indicator was visible for longer, and behold after clearing the browser cache, no more adverts.
I did search this board and this phenomena occurred in the past.
The upgrade release notes mention this
unbound: rework DNSBL implementation to Python module

10

22.7 Legacy Series / Re: opnsense shutdown issue

« on: October 20, 2022, 08:15:37 pm »

Sorted, a rather obscure setting solved the issue.

11

22.7 Legacy Series / Re: Forcing unbound 853

« on: October 07, 2022, 07:42:26 pm »

On reflection I have decided to dump HA, so the question is now irrelevant to my requirements.

12

22.7 Legacy Series / Re: Forcing unbound 853

« on: October 07, 2022, 09:48:52 am »

Apparently yes, but when I tried it, it didn't work. HA is dockerized , so the fallback dns is a 172 private address.
HA is tied down somewhat, others have had issues.
Preferable to see if its possible with Opnsense.
Yes, it is TLS, no its not using https.

13

22.7 Legacy Series / Forcing unbound 853

« on: October 07, 2022, 09:36:35 am »

I use dns on 853, forwarding port 53 to port 853, blocking other dns servers.
Recently I added Home Assistant, which appears to use 1.1.1.1:853 or 1.0.0.1:853.
There are issue's with Home Assistant and altering its dns, it feels ever so lonely and checks the mothership every 10 minutes or so.

Incidentally, with the log on the rule (used for check internet usage) it when goes beserk, tops up the log,
and the syslog monitor system ramps up with loads of backlogs.

Is there a way to force it to use unbound, as the clone of the port 53 forward didn't seem to work.

14

22.7 Legacy Series / opnsense shutdown issue

« on: October 07, 2022, 09:26:59 am »

Power down router, power led off, interface leds on, router restart.
Power down switch first, Power down router, stays powered down.
Bios is American Megatrends, reseting bios has not fixed the issue.
WOL is not installed
UPS attached

Anybody had this 'feature'?

Versions   OPNsense 22.7.5-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022

15

22.7 Legacy Series / Re: Upgrade always fails...

« on: August 18, 2022, 08:08:21 pm »

I had a similar issue yesterday using Arhuus, used Kent and upgraded ok.