Topics

1

17.7 Legacy Series / dnsmasq: cannot resolve external hosts

« on: August 11, 2017, 12:48:19 am »

Hi,

first of all thanks a lot for the new release. Everything works like a charm, except DNS resolving of external hosts. I am using dnsmasq DNS. My settings are as follows:

• System: Settings: General: no manual DNS server entries
• System: Settings: General:  [X] Allow DNS server list to be overridden by DHCP/PPP on WAN

Now I make a query to an external host:

Code: [Select]

ingo@router:~ % drill google.de
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 36706
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.de. IN A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Aug 11 00:35:47 2017
;; MSG SIZE  rcvd: 27

Why am I getting rcode: REFUSED?

For hosts in the LAN everything works as expected.

If I manually add DNS servers in "System: Settings: General" then it also works, however, I did not have to do this in the 17.1 version.

Any suggestions (apart from switching to Unbound which currently is not yet an option for me).

Cheers, Ingo =;->

2

16.7 Legacy Series / Firewall Alias for adblocking

« on: January 24, 2017, 04:43:25 pm »

Hi,

I migrated from OpenWRT to OPNSense in the past couple of weeks and can't believe that all these years I wasn't aware of pfSense/OPNSense! I am very happy with pretty much everything, except for the adblocking situation (and perhaps the google rank situation  ).

What I would really like to see is DNS based adblocking. I have searched the forum, but the resolution always seems to be transparent proxy (really not an option for me) or some firewall rule with a set of IPs (alias). The latter I am trying to implement:
So I have created a very big list of IP addresses and Domains from various sources (PI-Hole, OpenWRT adblock plugin etc.). The list contains about 120000 entries. Then I created an alias like this:

• Name: Adblock
• Type: URL Table (IPs)
• URL: URL to my list (not public)

Now I do have some questions about this:

• Is it ok to have a mixture of IPs and domain names in my list? I would say yes, OPNSense seems to resolve domains in the background and creates a text file in /var/db/aliastables/Adblock.txt which contains only IPs.
• Is there a limit as to how many IPs I can have for an alias?
• What is a healthy amount of IPs inside an alias? Would it be
• When I look in /var/db/aliastables/Adblock.txt file I notice a lot of duplicate IPs. Should this maybe optimized or does it not matter?
• What is OPNSense's strategy when the file changes? Will it only look at differences or parse the file fully each time?
• My Alias does not show up under Firewall: Diagnostics: pfTables. However, if I create the alias with a non capital first letter, then it will appear there. Bug?
• Firewall: Diagnostics: pfTables tells me that there are no entries in my alias. However, when I make my list smaller, suddenly it will show the IP addresses. I have experimented a little: 5000 entries were fine, 10000 already not. So it looks there is indeed a limit somewhere.
• Are there any plans to integrate DNS based adblocking? Sure I can set up a Pi next to my OPNSense with PI-Hole on it, but I'd prefer the all-in-one solution. Would the DNS based adblocking not be far, far more efficient? I mean, only when a resource is actually requested, the DNS resolver would have to check against the black list (might be costly, but can be cached). As firewall rule with, say 5000 entries, this needs to be checked for pretty much every packet, no? Transparent proxy adblock is IMHO far too complex (CA certificate on every client, maintaing no-ssl-bump list,...)

Sorry for the sheer volume of the questions, I hope someone takes time to answer them. I have been googling a lot (which is painful because google always returns results for pfSense. OPNSense must get more popular to drive pfSense off the first ranks ) and the forum has only like 2-3 posts about adblocking...


Cheers, Curly060 =;->