Messages - allebone

#361
Thank you.

I set up a Windows DNS server and Unbound to test on OPNsense. I also had an issue until I found this option here:

Once I set it to be able to forward queries out of the LAN interface, my OPNsense running Unbound could resolve PTR records for me by forwarding the query to the Windows DNS server and querying the PTR records.

Please double check your config as I believe I have confirmed it can work.

Pete
#362
Hi @andrema2

Please read this document and in particular try the CPU optimisation and report back. Please specify how you added the optimisations in detail.

https://nlnetlabs.nl/documentation/unbound/howto-optimise/

Kind regards.
#363
Hi,

I did not hear back regarding this. Please can you do the steps like the screenshot below against the DNS server where you expect the PTR records to be held and let me know.

Example commands to type are highlighted in yellow, an example of the expected answer in red.

Kind regards,
P
#364
Just an update to this: I have managed to locate the app that does this on the iPad. It's TikTok. I guess to a 10 year old YouTube and TikTok are basically the same thing. It looks like it does DoH by default and can't be changed, so it will simply attempt to connect out and bypass any DNS filtering you have in place.
#365
I have noticed on my firewall that today, when one of my kids was playing on their iPad (apparently watching YouTube in Safari; I was not able to confirm this for sure, but he is only 10 years old), my firewall logs showed attempts to 8.8.8.8 from the iPad over port 443 in bursts of 3 packets, then a delay of a few seconds, and then another burst of traffic, etc., multiple times for about 2 minutes.

Currently my firewall blocks traffic to known public DNS servers, so this was prevented and flagged on my firewall. I would imagine a DoH query occurred in an attempt to bypass the DNS filtering I use on my internal network at home. Is it possible that accessing YouTube via Safari could have done this, and that a webpage or advert attempted to bypass my DNS servers in order to circumvent the ad blocking I use? Or do you think something else caused this?

Kind regards
Peter
#366
Quote from: mayo on November 21, 2020, 06:36:42 PM
I have also tried, but not working. Still showing (reverse) IPs and a lot of PTR requests.

Are you saying you now see PTR requests inbound on your DNS server (Pi-hole)?

If so, then Unbound was correctly configured. If Pi-hole does not reply with the correct reverse record answer then you must explain why Pi-hole is unable to give the answer to the DNS query when requested. This is similar to my post above asking that you check Pi-hole can actually do this.
#367
Please can you show me how you have tested that the DNS server (Pi-hole?) you are using in the override setting of Unbound is able to reply with a PTR record? E.g. a screenshot from a client using nslookup against the DNS server where the PTR records reside, showing it giving an authoritative answer to a requested PTR record.
#368
I haven't tested this, but I believe you would go to Overrides and then add a Domain Override.

The domain to add would be something like:
1.168.192.in-addr.arpa

(this would specify 192.168.1.x)

and in the IP section you would put the DNS server for Unbound to query, e.g. 192.168.1.20 (assuming that is the IP of the DNS server).

I would say that if you do this you should take care to ensure the firewall does not answer DNS queries to anyone other than on the local LAN, or it would be possible to fingerprint devices behind your network and perform a NAT pinning attack. You can ensure this is the case by making sure only LAN is selected for Unbound to run on and ensuring 53 is not open on your firewall.
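For reference, this is what the override and the LAN-only restriction described above look like in plain unbound.conf syntax. It is an added, hand-written example, not the configuration OPNsense generates from its GUI (OPNsense writes its own Unbound files from the Domain Override and Network Interfaces settings). It assumes the firewall's LAN address is 192.168.1.1 and that the internal DNS server holding the PTR records is 192.168.1.20 as in the post; the weak settings are shown commented out next to the restrictive ones.

```conf
server:
    # Listen only on the LAN address (equivalent to selecting only LAN under
    # Unbound's Network Interfaces). The commented line would also answer on WAN.
    interface: 192.168.1.1
    # interface: 0.0.0.0          # weak: listens on every interface, including WAN

    # Only LAN clients (and the firewall itself) may query; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # access-control: 0.0.0.0/0 allow   # weak: any source that can reach port 53

    # Unbound ships 168.192.in-addr.arpa as a built-in static zone that answers
    # NXDOMAIN for private reverse lookups; drop that default so the reverse
    # queries reach the forward-zone below instead.
    local-zone: "168.192.in-addr.arpa." nodefault

    # The internal reverse zone is not DNSSEC-signed, so exempt it from
    # validation; otherwise a validating resolver would reject the answers.
    domain-insecure: "1.168.192.in-addr.arpa."

# The Domain Override: send every query under 1.168.192.in-addr.arpa
# (i.e. PTR lookups for 192.168.1.x) to the internal DNS server.
forward-zone:
    name: "1.168.192.in-addr.arpa."
    forward-addr: 192.168.1.20
```

A quick check after reloading is `dig -x 192.168.1.20 @192.168.1.1` from a LAN client, which should return the PTR record held on 192.168.1.20; the same query from outside the LAN should be refused rather than answered. If the PTR lookup still fails, run the same `dig -x` directly against 192.168.1.20 first, as the posts above suggest, to confirm the internal server actually holds the record.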
#369
Thank you.
#370
Hi,

When creating a NAT rule in OPNsense you can select things like LAN net (i.e. the /24 network for LAN, for example, in my case) or LAN address (i.e. the IP address of OPNsense on the LAN interface).

One definition I am unsure of is the option 'This Firewall'.

What address or range of addresses is this? If I am choosing a destination address of 'This Firewall', where is it going? Or if I choose a source address of 'This Firewall', what IPs are included in this definition?

I tried looking it up in the documentation but could not find an answer. Thank you in advance.

Pete
#371
20.7 Legacy Series / Re: 20.7.4 Success!! PPPoE?
November 10, 2020, 01:29:09 AM
Quote from: bunchofreeds on November 05, 2020, 11:03:41 PM
I guess I'm after a next-gen firewall and for almost free :)

Like allebone I pay for a Monthly Sensei sub and donate to OPNsense as I think the total package is amazing and easily worth these costs.
This solution covers my home setup which is relatively complicated as I work in IT and it changes on almost a daily basis... so the easy configuration and ability to adapt to my needs is excellent.
Ideally I would have modern Cyber Sec from my firewall including IPS (not IDS) and application-level inspection. Most users can now get this when using OPNsense with Sensei and Suricata, Hopefully netmap support will come for PPPoE for us other users :)

Any info on progress of this and how we can help if needed is what we are after.

@Franco I think you have answered this now, as it's basically unknown, not a priority currently, and in the hands of the FreeBSD netmap Gods.

https://forum.opnsense.org/index.php?topic=17363.msg92433#msg92433
#372
20.7 Legacy Series / Re: Call for testing: netmap on 20.7
November 10, 2020, 01:28:08 AM
Quote from: mb on November 10, 2020, 12:08:39 AM
Hi @allebone,

tun(4) support is now in 20.7.4. It seems it's not working as expected for PPPoE. We're on it.

Thank you :)

@bunchofreeds
#373
20.7 Legacy Series / Re: Call for testing: netmap on 20.7
November 09, 2020, 10:00:52 PM
Quote from: mb on August 06, 2020, 06:37:11 AM
For those who

  • are using Suricata/Sensei on VLANs on em(4)
  • experiencing vmx crash
  • experiencing vtnet crash
  • want to have Suricata on PPPoE / OpenVPN interfaces
I have an (unofficial) test kernel ready. Please PM me if you'd like to give it a try.

PS: vmx patch fixes the kernel crash, but has an outstanding issue. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248494

Hi there, is it still possible to get/test Suricata with PPPoE WAN?
#374
20.7 Legacy Series / Re: 20.7.4 Success!! PPPoE?
November 05, 2020, 05:01:55 PM
How is the number of users measured that need it? I need it but have never let anyone know that I need it, and don't even know how. In addition, if it's not possible, and people revert to workarounds, does that count as a "don't need it" because they were forced to use a workaround? Not moaning, just trying to understand, as I signed up to a monthly Sensei home package but guess I will have to cancel it and just wait until either I can run it on the same interface (LAN) or until it can be used on PPPoE. I'm also not clear if this is years away or just a few months, one of these options.
#375
20.7 Legacy Series / Re: 20.7.4 Success!! PPPoE?
November 03, 2020, 07:26:44 PM
If PPPoE is not supported for Suricata on WAN... how do I enable both Suricata and Sensei? Sensei says it can't run on the same interface as Suricata, and it must run on LAN, so I put it there... but where do I put Suricata then? Anyone know what to do in this situation?