Topics - mush2020

#1
General Discussion / DNS Monitoring and Alerting
September 30, 2022, 09:34:16 PM
Does anyone know how to detect and alert on all types of DNS record changes for a domain?
I have a name server in the DMZ, and PTR records are created for published services like email, FTP and web.
I manage and control my NS; the ISP is authoritative for the IPs allocated, but someone in the world is creating PTR records identical to my domain's published services.
e.g. 123.123.123.123 pointing to my ftp.mydomain.com
I want to monitor and get alerted if there is an unauthorized record created for mydomain.com.
I don't have control over malicious threat actors, but at least if I get alerted I could report it to have such records taken down.

Is there any OPNsense plugin to monitor this, or any external service to subscribe to?

Thanks
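One detection that fits the rogue-PTR case above is a forward-confirmed reverse DNS (FCrDNS) check: a PTR in someone else's address space pointing at ftp.mydomain.com will not be backed by an A record for that name containing that IP. The following is an added example, not from the post or any OPNsense plugin; it assumes you already have candidate IPs to check (from abuse reports or mail logs, say) and takes the lookup function as a parameter, so the constructed sample data runs offline (pass a real resolver in practice).

```python
"""FCrDNS check for PTR records that claim a name in our zone (added example)."""
from typing import Callable, Dict, List

# lookup(name, rrtype) -> list of record values; injected so the check can run
# offline against constructed data, or against a real resolver in production.
Lookup = Callable[[str, str], List[str]]

def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name for an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def check_ptr(ip: str, lookup: Lookup, domain: str) -> Dict[str, List[str]]:
    """For one IP, list PTR targets inside `domain` and those the forward
    A record does not confirm (the A record does not include this IP)."""
    claims, unconfirmed = [], []
    for target in lookup(reverse_name(ip), "PTR"):
        name = target.rstrip(".").lower()
        if name != domain and not name.endswith("." + domain):
            continue  # PTR points somewhere else; not our zone's concern
        claims.append(name)
        if ip not in lookup(name, "A"):
            unconfirmed.append(name)
    return {"claims": claims, "unconfirmed": unconfirmed}

def find_rogue_ptrs(ips: List[str], lookup: Lookup, domain: str) -> List[str]:
    """Alert lines for PTRs naming `domain` that the forward zone does not confirm."""
    alerts = []
    for ip in ips:
        for name in check_ptr(ip, lookup, domain)["unconfirmed"]:
            alerts.append(f"ROGUE PTR {ip} -> {name}: A record for {name} does not include {ip}")
    return alerts

# Constructed sample data: 203.0.113.10 is the real FTP host (documentation range);
# 123.123.123.123 is an address outside our allocation whose PTR claims our name.
SAMPLE = {
    ("10.113.0.203.in-addr.arpa.", "PTR"): ["ftp.mydomain.com."],
    ("123.123.123.123.in-addr.arpa.", "PTR"): ["ftp.mydomain.com."],
    ("ftp.mydomain.com", "A"): ["203.0.113.10"],
}

def sample_lookup(name: str, rrtype: str) -> List[str]:
    return SAMPLE.get((name, rrtype), [])

if __name__ == "__main__":
    for line in find_rogue_ptrs(["203.0.113.10", "123.123.123.123"], sample_lookup, "mydomain.com"):
        print(line)
```

Run it periodically against the IPs you learn about and send the alert lines to whatever your alerting path is; the unconfirmed PTRs are the ones to report to the ISP that owns the reverse zone.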
#2
I need some help in moving from AdGuard Home, installed via the OPNsense plugin, to the new private beta AdGuard DNS.
As per the AdGuard DNS beta, it requires adding the AdGuard DNS servers (plain and DoT) in devices like the router, Windows PC, etc.
I already have the AdGuardHome plugin running with Unbound, and it works fine.
But I want to try the new AdGuard DNS beta.
So I need to uncheck AdGuardHome under Services to stop the service.
I'm not sure what setting to change in Unbound and whether I need to stop the Unbound service.
In general I think I need to add the AdGuard DNS servers 94.140.14.49, 94.140.14.59, but I'm not sure how to add the AdGuard DoT server tls://device_identifier.d.adguard-dns.com in OPNsense.
Unbound accepts only IPs in the DoT settings.

Instead of running and processing DoT from OPNsense, I want to try it from AdGuard externally.

Any guide or further comments would be appreciated.
#3
I'm seeing many unknown MAC addresses in the DHCP IPv4 leases.
The hostname is the same but with 2 different IP addresses and MAC addresses.

I'm trying to find where the unknown MAC address is logged from.
In Windows, random MAC address assignment is disabled.
Even the Android host shows MAC addresses with the same first 6 digits, 02:0c:43.

Can anyone help to resolve this issue?

Log file entry of the Windows host:
xx:xx:72:b0:da:5b is the actual MAC address
02:0c:43:b0:da:5b is the unknown one

2022-01-30T11:40:44   dhcpd[27070]   DHCPACK on 192.168.10.99 to xx:xx:72:b0:da:5b (Laptop) via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPREQUEST for 192.168.10.99 (192.168.10.254) from xx:xx:72:b0:da:5b (Laptop) via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPOFFER on 192.168.10.99 to xx:xx:72:b0:da:5b (Laptop) via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPDISCOVER from xx:xx:72:b0:da:5b (Laptop) via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPNAK on 192.168.10.31 to xx:xx:72:b0:da:5b via igb2
2022-01-30T11:40:44   dhcpd[27070]   DHCPREQUEST for 192.168.10.31 from xx:xx:72:b0:da:5b via igb2: lease 192.168.10.31 unavailable.
2022-01-30T11:34:12   dhcpd[27070]   DHCPACK on 192.168.10.31 to 02:0c:43:b0:da:5b (Laptop)  via igb2
2022-01-30T11:34:12   dhcpd[27070]   Wrote 75 leases to leases file.
2022-01-30T11:34:12   dhcpd[27070]   DHCPREQUEST for 192.168.10.31 (192.168.10.254) from 02:0c:43:b0:da:5b (Laptop)  via igb2
2022-01-30T11:34:11   dhcpd[27070]   DHCPOFFER on 192.168.10.31 to 02:0c:43:b0:da:5b (Laptop)  via igb2
2022-01-30T11:34:11   dhcpd[27070]   DHCPDISCOVER from 02:0c:43:b0:da:5b (Laptop)  via igb2
2022-01-30T11:34:11   dhcpd[27070]   DHCPNAK on 192.168.10.99 to 02:0c:43:b0:da:5b via igb2
2022-01-30T11:34:11   dhcpd[27070]   DHCPREQUEST for 192.168.10.99 from 02:0c:43:b0:da:5b via igb2: lease 192.168.10.99 unavailable.
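The 02:0c:43 prefix in the leases above is a locally administered address: bit 1 of the first octet is set, which is exactly what OS-level MAC randomization does, so no vendor OUI will ever match it. As an added example (not from the post), this script parses dhcpd log lines, flags such MACs and lists hostnames seen with more than one address; the log lines are constructed to mirror the post's format, with a made-up "real" MAC in place of the masked one.

```python
"""Flag locally administered (randomized) MACs in ISC dhcpd log lines (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
HOST_RE = re.compile(r"\(([^)]+)\)")  # dhcpd prints the client hostname in parentheses

def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set: the OS (or a user) assigned the
    address instead of the NIC vendor. Randomized client MACs always set it,
    which is why 02:0c:43:... matches no vendor OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (mac, hostname or '') for a dhcpd line, or None when it has no MAC."""
    m = MAC_RE.search(line)
    if not m:
        return None
    h = HOST_RE.search(line)
    return m.group(1).lower(), (h.group(1) if h else "")

def macs_by_host(lines: List[str]) -> Dict[str, Set[str]]:
    """Map each hostname to the set of MACs it has requested leases with."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1]:
            seen[parsed[1]].add(parsed[0])
    return dict(seen)

def report(lines: List[str]) -> List[str]:
    """One finding per hostname seen with more than one MAC, tagging randomized ones."""
    out = []
    for host, macs in sorted(macs_by_host(lines).items()):
        if len(macs) > 1:
            tagged = [m + (" (randomized)" if is_locally_administered(m) else "") for m in sorted(macs)]
            out.append(f"{host}: {', '.join(tagged)}")
    return out

# Constructed lines modelled on the post's dhcpd entries (the vendor MAC is made up here).
SAMPLE_LOG = [
    "2022-01-30T11:40:44 dhcpd[27070] DHCPACK on 192.168.10.99 to a4:5e:72:b0:da:5b (Laptop) via igb2",
    "2022-01-30T11:34:12 dhcpd[27070] DHCPACK on 192.168.10.31 to 02:0c:43:b0:da:5b (Laptop) via igb2",
    "2022-01-30T11:34:12 dhcpd[27070] Wrote 75 leases to leases file.",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the dhcpd log from the firewall to see which hosts are alternating between a vendor MAC and a randomized one; a static mapping keyed on the vendor MAC will not match the randomized one.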
#4
I'm getting lost in the forum searching for how DNS should be configured the first time OPNsense is up and running.
If the Unbound plugin is installed, then what should the correct configuration be in OPNsense and Unbound?
I have an ISP router with CGNAT.
OPNsense WAN port (igb1) is set to DHCP.
OPNsense LAN port (igb0) is only used for managing OPNsense (SSH, GUI, etc.).
OPNsense (igb2) WiFi port is connected to a WiFi router/AP. Here OPNsense leases IPv4 addresses to WiFi clients.

With this setup:
1. I don't want any clients (Windows, iOS and Android) to use any other DNS servers, like some Android devices and smart home devices that use Google DNS 8.8.8.8.
2. I want to use a DNS provider that filters out or blocks access to all adult, pornographic and explicit sites, proxies and VPNs, threat protection, etc.
3. It should enforce safe search.
4. Clients should be identified by hostname with a static entry (it looks like some Android devices keep changing MAC addresses).

I'm not sure what the correct configuration is if I want to use only OPNsense with my ISP router as DNS.
What is the correct configuration if I want to use OPNsense + the Unbound plugin with DNS filtering?

I have read many posts and tutorials; it's all confusing with the DNS configuration.
I'm trying AdGuard, but it is not working as given in a few tutorials and forum members' working setups.

If anyone could point me in the right direction, it would be appreciated.

#5
I'm running AdGuardHome recently with Unbound.
There seems to be slowness in DNS requests.
Every day the processing time is above 250 ms (attached screen print).
I see some errors (attached); it started after enabling encryption, not sure what the network error is.
Although all settings under Encryption and certs are OK with no errors in the GUI.
How do I reduce the average DNS query processing time?
Where are the logs to see the errors generated?

Also, nslookup errors for parental_block_host and safebrowsing_block_host.
A DNS timeout occurs if I enable either of these:
- Security web service
- Parental control

>nslookup
Default Server:  UnKnown
Address:  192.168.10.254

> family-block.dns.adguard.com
Server:  UnKnown
Address:  192.168.10.254

*** UnKnown can't find family-block.dns.adguard.com: Non-existent domain
> family-block.dns.adguard.com
Server:  UnKnown
Address:  192.168.10.254

*** UnKnown can't find family-block.dns.adguard.com: Non-existent domain

Request for community assistance.
#6
I have installed AdGuard with Unbound enabled.

In AdGuard - General Settings,

Use AdGuard browsing security web service

Use AdGuard parental control web service

with a single one or both enabled, clients get a DNS timeout.

Under DNS settings - Upstream DNS servers, the IPs of the OPNsense LAN and WiFi interfaces and loopback:5353 are added.

Encryption settings are not enabled so far.

How do I remove or add listening interfaces that were added during the initial setup?

Can anyone help to resolve this issue?
#7
I have a 5G router with 1 Gbps Internet speed; with a LAN directly connected to the 5G router, the Internet speed is between 800-950 Mbps. If the test is performed through the LAN port of OPNsense, the max speed I could get is around 101 Mbps (down) and 109 Mbps (up).
The 5G router and OPNsense are connected via an L2 managed switch.
Additionally, I have a 2nd ISP fiber with 100 Mbps speed.
Configured load balancing with MultiWAN (no improvement in speed).
IPS = Not enabled
Unbound = Enabled

Currently, I can see in the GW status that 5GWAN is offline. Not sure why it's offline. Attached status screen print.

Need help to fix the issue.

Thanks

Top output below:
root@fwsoho:~ # uname -rv
12.1-RELEASE-p19-HBSD FreeBSD 12.1-RELEASE-p19-HBSD #0 0c59842367b(stable/21.1)-dirty: Mon Jul  5 15:08:43 CEST 2021 root@sensey:/usr/obj/usr/src/amd64.amd64/sys/SMP
root@fwsoho:~ # top
last pid: 72660;  load averages:  1.32,  1.27,  1.21    up 0+15:35:43  12:15:23
65 processes:  65 sleeping
CPU:  0.6% user,  0.6% nice,  0.6% system,  0.6% interrupt, 97.4% idle
Mem: 382M Active, 4165M Inact, 888M Wired, 442M Buf, 2662M Free
Swap: 8192M Total, 8192M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
36111 ntopng       64  20    0   472M   417M nanslp   1 249:30   3.42% ntopng
31535 root          1  20    0  1042M  8808K select   3   0:00   0.12% sshd
24200 netdata      21  52   19   138M    90M pause    2  12:26   0.08% netdata
75407 root          3  20    0  1057M    11M select   3   1:16   0.06% zerotier
81930 redis         4  20    0    21M  5580K kqread   0   1:57   0.05% redis-se
49567 root          1  20    0    30M    20M select   2 150:15   0.02% python3.
63461 netdata       4  39   19    62M    42M select   3  11:26   0.00% python3.
74409 root          1  20    0  1036M  3400K select   0   5:36   0.00% syslogd
25853 root          4  20    0    33M    11M kqread   2   3:20   0.00% syslog-n
47093 squid         1  20    0  1379M   222M kqread   1   1:48   0.00% squid
  529 root          1  52    0    57M    35M accept   2   1:08   0.00% python3.
37595 unbound       4  20    0   188M   159M kqread   1   0:47   0.00% unbound
78210 netdata       1  39   19    18M  7476K nanslp   3   0:29   0.00% apps.plu
31851 root          1  20    0    20M    11M select   2   0:11   0.00% python3.
49678 root          1  20    0    21M    11M select   3   0:10   0.00% python3.
23439 root          1  52    0    52M    32M accept   2   0:09   0.00% php-cgi
67667 root          1  52    0    50M    30M accept   0   0:08   0.00% php-cgi

#8
I'm testing a full tunnel by allowing the default route in the ZT network to route all my external devices' Internet traffic via the OPNsense zt interface. The Internet works well by using Google DNS.
0.0.0.0/0 via 192.168.194.250

But as soon as I enable the firewall rule and NAT port forwarding
ZeroTier   TCP/UDP   *   *   ! ZeroTier address   53 (DNS)   127.0.0.1   53 (DNS)   Redirect DNS to Local

the Internet either slows down or web pages are not reachable.
In fact I want to stop using all other DNS, except Unbound, for ZT.

For internal network all works well.

Currently tested with an iOS device with the latest ZT 1.6.1.

Can anyone assist in fine-tuning the configuration in Unbound or the NAT or FW rules?
#9
General Discussion / Unbound Service Not Starting
November 14, 2020, 07:04:02 PM
I'm facing an Unbound service issue. Unbound stops multiple times.
I tried to start it from the GUI with no success.
I also tried to start it from the shell: /usr/local/sbin # pluginctl -s unbound start

The logs show:
2020-11-14T20:12:16   unbound[75749]   [75749:0] fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
2020-11-14T20:12:12   unbound[75749]   [75749:0] notice: Restart of unbound 1.12.0.
2020-11-14T20:12:12   unbound[75749]   [75749:0] debug: cache memory msg=263192 rrset=263192 infra=10866 val=787453
#10
After upgrading OPNsense to 20.7, ntopng GeoIP shows an authentication error while trying to get GeoIP.
Tried with a new key; it still fails to download.

/usr/local/bin # ntopng-geoip2update.sh
Fetching GeoLite2-City
SSL certificate subject doesn't match host download.maxmind.com
fetch: https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=MYKEY&suffix=tar.gz: Authentication error
geoip_download?edition_id=GeoLite2-City&license_key=MYKEY&suffix=tar.gz download failed

Has anything changed, or does anyone have direction to fix this?
#11
I have installed the Dnscrypt-proxy2 plugin with the following versions:
OPNsense 20.1.3-amd64
os-dnscrypt-proxy: 1.7_1 [OPNsense]
dnscrypt-proxy2: 2.0.39 [OPNsense]

Looking to add custom domains, e.g. to the blacklist.txt file in the /usr/local/etc/dnscrypt-proxy directory:
*.tv
*.xyz
It looks like this blacklist.txt file does not accept any manual entries, as after some time it rolls back to the original.
So how can additional domains and IP addresses, or GitHub links to download, be added as a custom blacklist?

Also I could not see any Blacklist tab as such in OPNsense - Dnscrypt-Proxy under Services.

Looking to hear some directions.

Thanks