OPNsense

Topics - dwasifar

Pages: [1] 2
1
24.7 Production Series / 24.7.1 update killed my UniFi internet connectivity
« on: August 09, 2024, 04:39:45 pm »
I have two networks defined in the UniFi controller, one for the main subnet and another for a VLAN subnet (to isolate IOT devices).

After the 24.7.1 upgrade, nothing on either wi-fi network can reach the internet.  Wired connections are fine.

I can't spare the network downtime to troubleshoot it right now, so I reverted to 24.7 and reloaded the same configuration, and everything works again.  If anyone has any thoughts, it'd be welcome for when I can look at it. 

2
24.7 Production Series / PSA: How I migrated my DHCP reservations to Kea
« on: August 01, 2024, 04:47:35 am »
First I manually set up one Kea reservation to serve as an example. Then I saved my config, and in a text editor I copied all the old <static> blocks and used find and replace to update their XML tags to Kea values. I deleted <cid> tags, and server tags <dnsserver/>, <winserver/>, and <ntpserver/>.

Each Kea reservation has its own UUID, so for each reservation I incremented the example value by 1, figuring it didn't matter if they were consecutive as long as they were unique. I added the subnet tag to each with cut and paste, saved all the reservation blocks into the Kea section of the config, and loaded the config back into OPNsense.

Worked perfectly and saved me a lot of setup time.
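The same find-and-replace migration as a script, added here as an example and not code from the post or from the OPNsense project. The ISC tag names (`<staticmap>` under `<dhcpd><lan>`, with `<mac>`, `<ipaddr>`, `<hostname>`, `<descr>`) and the Kea tag names (`<reservation uuid="...">` with `<subnet>`, `<hw_address>`, `<ip_address>`, `<hostname>`, `<description>`) are assumptions; as in the post, save one reservation from the GUI first and check the mapping against it. It drops the four tags the post deleted, gives every block a random UUID instead of an incremented one, and warns about duplicate MACs or IPs that the old configuration may have tolerated.

```python
import re
import uuid
import xml.etree.ElementTree as ET

# ASSUMED tag names (not taken from the post): ISC static mapping tag
# -> Kea reservation tag.  Verify against one reservation saved from the
# GUI before running this on a real config.xml backup.
FIELD_MAP = {
    "mac": "hw_address",
    "ipaddr": "ip_address",
    "hostname": "hostname",
    "descr": "description",
}
# Tags the post deleted because a Kea reservation has no equivalent.
DROPPED = {"cid", "dnsserver", "winserver", "ntpserver"}

UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed sample of the relevant part of a config.xml backup.
SUBNET_UUID = "11111111-2222-4333-8444-555555555555"  # assumed subnet4 uuid
SAMPLE_CONFIG = """<opnsense>
  <dhcpd><lan><enable>1</enable>
    <staticmap>
      <mac>aa:bb:cc:00:00:01</mac><ipaddr>192.168.1.10</ipaddr>
      <hostname>printer</hostname><descr>Office printer</descr>
      <cid/><dnsserver/><winserver/><ntpserver/>
    </staticmap>
    <staticmap>
      <mac>AA:BB:CC:00:00:02</mac><ipaddr>192.168.1.11</ipaddr>
      <hostname>nas</hostname><descr/>
    </staticmap>
    <staticmap>
      <mac>aa:bb:cc:00:00:02</mac><ipaddr>192.168.1.12</ipaddr>
      <hostname>dup-mac</hostname>
    </staticmap>
  </lan></dhcpd>
</opnsense>"""


def convert_static_map(static, subnet_uuid, warnings):
    """Turn one ISC <staticmap> into one Kea <reservation> element.

    A fresh uuid4 is used instead of the post's incremented value; both
    are unique, which is all that matters.  <subnet> must carry the UUID
    of the Kea subnet4 the reservation belongs to (assumed format).
    """
    res = ET.Element("reservation", {"uuid": str(uuid.uuid4())})
    ET.SubElement(res, "subnet").text = subnet_uuid
    for child in static:
        text = (child.text or "").strip()
        if child.tag in DROPPED:
            continue
        new_tag = FIELD_MAP.get(child.tag)
        if new_tag is None:
            if text:  # never lose a populated setting silently
                warnings.append(f"unmapped tag <{child.tag}>={text!r} skipped")
            continue
        ET.SubElement(res, new_tag).text = text
    return res


def migrate(config_xml, iface, subnet_uuid):
    """Convert every static mapping on IFACE; return (reservations, warnings)."""
    root = ET.fromstring(config_xml)
    reservations, warnings = [], []
    seen_ip, seen_mac = {}, {}
    for static in root.findall(f"./dhcpd/{iface}/staticmap"):
        res = convert_static_map(static, subnet_uuid, warnings)
        ip = res.findtext("ip_address", "")
        mac = res.findtext("hw_address", "").lower()  # MACs compare case-insensitively
        name = res.findtext("hostname", "?")
        if ip and ip in seen_ip:
            warnings.append(f"ip_address {ip} used by {seen_ip[ip]} and {name}")
        if mac and mac in seen_mac:
            warnings.append(f"hw_address {mac} used by {seen_mac[mac]} and {name}")
        seen_ip.setdefault(ip, name)
        seen_mac.setdefault(mac, name)
        reservations.append(res)
    return reservations, warnings


def reservations_xml(reservations):
    """Serialize the blocks for pasting into the Kea reservations section."""
    return "".join(ET.tostring(r, encoding="unicode") for r in reservations)


if __name__ == "__main__":
    blocks, warns = migrate(SAMPLE_CONFIG, "lan", SUBNET_UUID)
    print(reservations_xml(blocks))
    for w in warns:
        print("WARNING:", w)
```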

3
24.7 Production Series / Issues with 24.7 upgrade, and solution. Upgrade bug?
« on: August 01, 2024, 04:20:07 am »
After upgrading to 24.7, half my network didn't work. So the last few days have been back and forth between my backup OPNsense box and the production box, trying different things as time allowed.

I tried a clean install of 24.7 and applied backup config. No help. Then I remembered the upgrade notes mentioned some function had been removed from old DHCP for backward compatibility with Kea. So I switched to Kea on my 24.7 install. No help there. I migrated the same Kea setup back to 24.1.10. That worked.

Some more investigating and I determined all the problem devices were trying to connect through a VLAN interface I have set up to keep IoT devices isolated. I tried connecting to that network with my phone and it failed, telling me it couldn't get an IP. So I still thought it was a DHCP issue, but I decided to check the VLAN setup anyway, and in the Interfaces summary page, the parent interface was unpopulated. I opened the edit popup, and the parent WAS populated there. Saved it, and the summary page then showed that field populated, and everything started working normally.

So maybe this is an upgrade bug. The upgrade killed my VLAN but resaving its configuration fixed it.


4
24.1 Legacy Series / All inbound connections blocked after 24.1.10_x upgrade [SOLVED]
« on: July 15, 2024, 08:51:06 pm »
After upgrading to 24.1.10_2, OPNsense started rejecting all inbound traffic. Every incoming connection is blocked by Default deny / State violation rule. The version is 24.1.10_2-amd64.  ISP is Comcast Business USA.

I reverted to 24.1 with a fresh install (from a fresh download), loaded the same config from a backup, and everything worked again with the same config. Because I am apparently a glutton for punishment, I upgraded the new installation to 24.1.10_2 to see if it would break. Result: it broke. All inbound connections were again blocked with Default deny / State violation rule.  So I rebuilt again with 24.1, reloaded the same config (again), and that works (again).

Not sure where to look to figure out what's going on.  Right now I'm running 24.1 because the update process would take me right to 24.1.10_2 again.

5
23.7 Legacy Series / Interface settings mystery
« on: January 26, 2024, 05:58:59 pm »
Recently I switched to an Awow AZ51 micro PC for OPNsense.  This device has two 2.5Gb ports, and most users report having to change settings to get full throughput.  When I set it up initially, I got limited throughput, and found I needed to set the Speed and Duplex setting for each interface to 1000BaseT, and got full speed.

Today, to troubleshoot a different issue, I had to revert to an older saved configuration, which did not have the Speed and Duplex setting.  After a reboot, imagine my surprise when I got full speed without changing the Speed and Duplex setting from "Default."

I'm happy about it, but I don't understand it.  Could the hardware interface have remembered the setting?

6
General Discussion / Here is dnsmasq xml to block ads on Roku
« on: November 03, 2023, 06:14:15 pm »
If you use a Roku, and you have dnsmasq enabled on your OPNsense box, you can add the following hosts and aliases to the dnsmasq hosts section of your xml configuration to block the annoying Roku ads.

Code:
    <hosts>
      <host>zp.ads.roku.com</host>
      <domain>zp.ads.roku.com</domain>
      <ip>127.0.0.1</ip>
      <descr>Block Roku ads</descr>
      <aliases>
        <item>
          <description>Block Roku ads</description>
          <domain>cooper.logs.roku.com</domain>
          <host>cooper.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>bif.sr.roku.com</domain>
          <host>bif.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>traces.sr.roku.com</domain>
          <host>traces.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>cloudservices.roku.com</domain>
          <host>cloudservices.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>d2n3pv3l9r5wp5.cloudfront.net</domain>
          <host>d2n3pv3l9r5wp5.cloudfront.net</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>scribe.logs.roku.com</domain>
          <host>scribe.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>amarillo.sb.roku.com</domain>
          <host>amarillo.sb.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>p.ads.roku.com</domain>
          <host>p.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>ads.roku.com</domain>
          <host>ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>amarillo.logs.roku.com</domain>
          <host>amarillo.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>amoeba-plus.web.roku.com</domain>
          <host>amoeba-plus.web.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>austin.logs.roku.com</domain>
          <host>austin.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>bryan.logs.roku.com</domain>
          <host>bryan.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>camden.logs.roku.com</domain>
          <host>camden.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>cloudservices.roku.com</domain>
          <host>cloudservices.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>cooper.logs.roku.com</domain>
          <host>cooper.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>customer-feedbacks.web.roku.com</domain>
          <host>customer-feedbacks.web.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>digdug-g2.logs.roku.com</domain>
          <host>digdug-g2.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>digdug.logs.roku.com</domain>
          <host>digdug.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>display.ravm.tv</domain>
          <host>display.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>esp.logs.roku.com</domain>
          <host>esp.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>giga.logs.roku.com</domain>
          <host>giga.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>gilbert.logs.roku.com</domain>
          <host>gilbert.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>griffin.logs.roku.com</domain>
          <host>griffin.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>hereford.logs.roku.com</domain>
          <host>hereford.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>i.ads.roku.com</domain>
          <host>i.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>identity-dev.ads.roku.com</domain>
          <host>identity-dev.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>identity.ads.roku.com</domain>
          <host>identity.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>lagrange.logs.roku.com</domain>
          <host>lagrange.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>liberty.logs.roku.com</domain>
          <host>liberty.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>littlefield.logs.roku.com</domain>
          <host>littlefield.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>logs.roku.com</domain>
          <host>logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>longview.logs.roku.com</domain>
          <host>longview.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>midland.logs.roku.com</domain>
          <host>midland.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>mobile.logs.roku.com</domain>
          <host>mobile.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>p.ads.roku.com</domain>
          <host>p.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>paolo.logs.roku.com</domain>
          <host>paolo.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>raps-perf.ravm.tv</domain>
          <host>raps-perf.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>raps.ravm.tv</domain>
          <host>raps.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>ravm.tv</domain>
          <host>ravm.tv</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>richmond.logs.roku.com</domain>
          <host>richmond.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>rollingwood.logs.roku.com</domain>
          <host>rollingwood.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>rxr.ravm.tv</domain>
          <host>rxr.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>samples.voice.cti.roku.com</domain>
          <host>samples.voice.cti.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>scribe.logs.roku.com</domain>
          <host>scribe.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>sugarland.logs.roku.com</domain>
          <host>sugarland.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>traces.sr.roku.com</domain>
          <host>traces.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>track.sr.roku.com</domain>
          <host>track.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>tyler.logs.roku.com</domain>
          <host>tyler.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>victoria.logs.roku.com</domain>
          <host>victoria.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>windsor.logs.roku.com</domain>
          <host>windsor.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>wwwimg.roku.com</domain>
          <host>wwwimg.roku.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>amoeba-layers-prod.us-east-1.elasticbeanstalk.com</domain>
          <host>amoeba-layers-prod.us-east-1.elasticbeanstalk.com</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>d2n3pv3l9r5wp5.cloudfront.net</domain>
          <host>d2n3pv3l9r5wp5.cloudfront.net</host>
        </item>
        <item>
          <description>Block Roku ads</description>
          <domain>dc7eeru7ckgwe.cloudfront.net</domain>
          <host>dc7eeru7ckgwe.cloudfront.net</host>
        </item>
      </aliases>
    </hosts>
    <hosts>
      <host>zz.cooper.logs.roku.com</host>
      <domain>zz.cooper.logs.roku.com</domain>
      <ip>0:0:0:0:0:0:0:1</ip>
      <descr>Block Roku IPV6</descr>
      <aliases>
        <item>
          <description>Block Roku IPV6</description>
          <domain>cooper.logs.roku.com</domain>
          <host>cooper.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>scribe.logs.roku.com</domain>
          <host>scribe.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>amarillo.logs.roku.com</domain>
          <host>amarillo.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>amoeba-plus.web.roku.com</domain>
          <host>amoeba-plus.web.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>austin.logs.roku.com</domain>
          <host>austin.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>bryan.logs.roku.com</domain>
          <host>bryan.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>camden.logs.roku.com</domain>
          <host>camden.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>cloudservices.roku.com</domain>
          <host>cloudservices.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>cooper.logs.roku.com</domain>
          <host>cooper.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>customer-feedbacks.web.roku.com</domain>
          <host>customer-feedbacks.web.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>digdug-g2.logs.roku.com</domain>
          <host>digdug-g2.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>digdug.logs.roku.com</domain>
          <host>digdug.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>display.ravm.tv</domain>
          <host>display.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>esp.logs.roku.com</domain>
          <host>esp.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>giga.logs.roku.com</domain>
          <host>giga.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>gilbert.logs.roku.com</domain>
          <host>gilbert.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>griffin.logs.roku.com</domain>
          <host>griffin.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>hereford.logs.roku.com</domain>
          <host>hereford.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>i.ads.roku.com</domain>
          <host>i.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>identity-dev.ads.roku.com</domain>
          <host>identity-dev.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>identity.ads.roku.com</domain>
          <host>identity.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>lagrange.logs.roku.com</domain>
          <host>lagrange.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>liberty.logs.roku.com</domain>
          <host>liberty.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>littlefield.logs.roku.com</domain>
          <host>littlefield.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>logs.roku.com</domain>
          <host>logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>longview.logs.roku.com</domain>
          <host>longview.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>midland.logs.roku.com</domain>
          <host>midland.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>mobile.logs.roku.com</domain>
          <host>mobile.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>p.ads.roku.com</domain>
          <host>p.ads.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>paolo.logs.roku.com</domain>
          <host>paolo.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>raps-perf.ravm.tv</domain>
          <host>raps-perf.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>raps.ravm.tv</domain>
          <host>raps.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>ravm.tv</domain>
          <host>ravm.tv</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>richmond.logs.roku.com</domain>
          <host>richmond.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>rollingwood.logs.roku.com</domain>
          <host>rollingwood.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>rxr.ravm.tv</domain>
          <host>rxr.ravm.tv</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>samples.voice.cti.roku.com</domain>
          <host>samples.voice.cti.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>scribe.logs.roku.com</domain>
          <host>scribe.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>sugarland.logs.roku.com</domain>
          <host>sugarland.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>traces.sr.roku.com</domain>
          <host>traces.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>track.sr.roku.com</domain>
          <host>track.sr.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>tyler.logs.roku.com</domain>
          <host>tyler.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>victoria.logs.roku.com</domain>
          <host>victoria.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>windsor.logs.roku.com</domain>
          <host>windsor.logs.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>wwwimg.roku.com</domain>
          <host>wwwimg.roku.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>amoeba-layers-prod.us-east-1.elasticbeanstalk.com</domain>
          <host>amoeba-layers-prod.us-east-1.elasticbeanstalk.com</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>d2n3pv3l9r5wp5.cloudfront.net</domain>
          <host>d2n3pv3l9r5wp5.cloudfront.net</host>
        </item>
        <item>
          <description>Block Roku IPV6</description>
          <domain>dc7eeru7ckgwe.cloudfront.net</domain>
          <host>dc7eeru7ckgwe.cloudfront.net</host>
        </item>
      </aliases>
    </hosts>

7
Intrusion Detection and Prevention / Intrusion detection is blocking some traffic for no visible reason
« on: October 11, 2021, 04:40:41 pm »
I noticed recently that some sites (linode.com and nerdwallet.com for example) are inaccessible from a desktop browser while intrusion detection is enabled.  Turn it off, they come right up.  From a mobile device on the same network, they come right up.  But from a desktop browser with detection enabled, no dice. There is nothing relevant to those connection attempts in the alert log.  I've tried to narrow down what ruleset might be responsible by turning off rulesets in groups, and it doesn't look like it matters what rules are active.

Anyone else have this problem?

8
Hardware and Performance / Mounting SSD in Watchguard XTM5
« on: August 16, 2021, 05:15:02 am »
I know I'm not the only one using EOL Watchguard XTM hardware for my OPNsense firewall.  There are a lot of guides out there for how to do it.  The Watchguard OS is on a CF card mounted on the system board (!) but there are SATA ports on the board and unused SATA power connectors on the power supply harness, so most people install an SSD.

There are four mounting posts in an unused area of the case, but they don't line up with drive mounting holes.  It's like Watchguard intended to offer an SSD or HDD option at some point but never did it.  So there is no available bracket to mount the drive.  Most people just use foam tape to affix the drive to the case, but I prefer to fabricate a mounting plate, like so:

[photos of the fabricated mounting plate]

It's just a piece of thin sheet metal (galvanized flashing, in this case) with holes and cutouts in the necessary places.  Works like a charm and prevents having to peel off foam tape if you need to get the drive out later. 

Just thought I'd show it in case anyone can use the idea.

9
21.7 Legacy Series / OPNsense unexplained lagging
« on: August 09, 2021, 08:05:16 pm »
The other day I noticed some internet access slowdowns and logged in to OPNsense to check things.  The GUI was extremely slow and blocky drawing up, and subsequently slow to navigate, as if something else was using all the resources.  But CPU usage was very low.  I suspect whatever was causing it was also behind the slowdowns I was investigating.

It was not totally frozen, so I was able to do an update to the final version of 21.1, which didn't help anything, and then to 21.7.1, which also didn't solve anything. That's a total of three reboots, so "have you tried turning it off and back on again" wasn't helping either.  I decided the hardware (Watchguard XTM 5) must be getting flaky and removed it from service for diagnosis.

As an experiment, I wiped the SSD's partition table, did a fresh 21.7.1 install, and applied my backup.  Because I believed it to be the hardware, I expected this would not help, but it completely fixed the issue.

What could have gone wrong here?  The SSD seems fine; it's relatively new, and passes SMART with no issues.  I no longer think the hardware was the issue, and clearly my configuration is not the cause.  What could have gone amiss with OPNsense itself that would not have been fixed by a version upgrade and multiple reboots?

10
Intrusion Detection and Prevention / Turning off rules to allow Google Voice
« on: June 09, 2021, 12:51:35 am »
Recently Google Voice calls from the web interface started failing in the sense that the call would seemingly drop before it was connected, or just after connection.  Experimentally I turned off intrusion detection, and that solved it, so I turned on detection again and watched the alerts, identifying a couple of specific rules that were being tripped.  Turning them off solved the problem.

However, I foolishly did not note which rules they were, and now I would like to know.  Is there any way to identify what rules have been manually turned off most recently?

11
General Discussion / One more question about DNS over TLS
« on: February 12, 2021, 05:25:21 am »
Does every individual upstream DNS-over-TLS query do a new handshake and authentication?  Or is there some amount of persistence to the connection?

12
General Discussion / How to block upstream DNS to port 53?
« on: February 06, 2021, 04:11:40 am »
To evade my ISP's transparent DNS proxying, I configured Unbound to use upstream DNS-over-TLS on port 853.  This mostly works fine, except my logs still show some traffic to 8.8.8.8 on port 53.  It appears to be originating from the firewall's own IP.  8.8.8.8 is not configured anywhere in the firewall anymore (I checked this by downloading the config and searching through it, and by logging in using SSH and grepping the /etc/ directory).  I do not understand where the firewall is getting 8.8.8.8 and why it wants to keep querying it on port 53.  There are no DNS servers specified in Settings > General; I removed them when I configured Unbound DNS-over-TLS. 

My next idea was to set up a firewall rule to block outbound port 53.  I figured I could do that and see what it breaks.  But that's not working because the traffic is being explicitly passed by the automatically generated floating rule "let out anything from firewall host itself (force gw)".  Because this is an automatically generated rule, I can't place my manual rule ahead of it, and because it's a floating rule, it gets evaluated before the LAN rules, so placing my manual rule there does no good either.

Any suggestions?

13
General Discussion / How does Unbound prioritize upstream servers?
« on: January 29, 2021, 05:17:27 pm »
I have Unbound configured with two Cloudflare and two Google upstream DNS-over-TLS servers: 1.1.1.1@853, 1.0.0.1@853, 8.8.8.8@853, and 8.8.4.4@853, in that order.

Watching the logs, it seems to use all four of them, although it favors Cloudflare.  How does it choose?  Does it select randomly, or is there a logic to it that I'm not seeing?

14
General Discussion / What was the gibberish in the Unbound "Custom Options" box?
« on: January 28, 2021, 03:15:57 am »
When I configured Unbound for the first time the other day, there was a load of gibberish in the Custom Options box, like this:



(This is not the actual gibberish, just a reasonable approximation.)

What is that?  It looks like an SSL key or something.  I removed it before activating Unbound and it doesn't seem to have made any difference.

15
General Discussion / DNS over nonstandard port?
« on: January 26, 2021, 05:06:06 pm »
Is it possible, using either Unbound or Dnsmasq, to proxy DNS to an upstream server using a port other than 53?

My ISP is transparently proxying DNS.  Any query on port 53 to any IP is being intercepted.  To get around this I'd like to use OpenDNS on their alternate port, 5353.  But both Unbound and Dnsmasq use the upstream servers set in System: Settings: General, and I don't see how to specify port 5353.  I've tried 208.67.222.222:5353, but it throws an error and won't save.

Could I accomplish this with port forwarding?  Set OpenDNS's servers as the only ones in System: Settings: General, and then forward everything that goes out on WAN for 53 to 5353 with a port forwarding rule?

Pages: [1] 2
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved