Recent posts

#1
26.1 Series / Re: dnsmasq firewall aliases
Last post by dirtyfreebooter - Today at 07:44:42 PM
Yeah, it's unfortunate; you can't really use it for firewall blocking of domains. With domains like TikTok and YouTube, which have many IPs, you can actually access the site multiple times until you have gone through all the DNS round-robin IPs before it blocks reliably.

OK, well, thanks for the confirmation. I can at least stop testing this setup :)
#2
You could pursue using Suricata's own rule update/sync mechanism if you wish:

https://www.nova-labs.net/using-suricata-update-on-opnsense/

^ there is only one major deviation, and that is that the custom.yaml file is in a new location and the contents have updated a little... I will update the blog post or make a new one eventually.
#3
26.1 Series / Re: dnsmasq firewall aliases
Last post by Monviech (Cedrik) - Today at 07:37:50 PM
There is a short delay that can let the first request through (request is faster than PF reloads the new table entry).

The same happens with allowing: there is also a delay, so the first request could fail, but browsers retry rather quickly.

It's not really a bug per se, just application interoperation (they don't know about each other, so why should one of them wait).

It's not perfect, but it does its job for specific requirements (e.g. allowing Windows Update-only domains via wildcards).
#4
26.1 Series / Re: Can Unbound DNSSEC be used...
Last post by muchacha_grande - Today at 07:29:49 PM
Quote from: LemurTech on Today at 07:26:24 PM
That said, I did open a feature request ticket to expose 'harden-below-nxdomain'.

Thank you. In any case, the next time my Internet connection fails I will test this custom option to see if it also solves my issue.
#5
26.1 Series / Re: Can Unbound DNSSEC be used...
Last post by LemurTech - Today at 07:26:24 PM
Quote from: muchacha_grande on Today at 12:42:08 PM
I've read your solution, and I wonder if this could be the solution for other problems that I've found people are having: https://github.com/opnsense/core/issues/9736
Given that you have researched this in detail, maybe it is worth opening a ticket on GitHub asking the developers to add the intended options that solved this problem.

I'm not sure it's the same issue unless DNSSEC is involved. That said, I did open a feature request ticket to expose 'harden-below-nxdomain'.
#6
26.1 Series / Autoscroll in the update log w...
Last post by vpx23 - Today at 07:23:05 PM
Did anybody notice this problem too?

The log scrolls and then gets stuck somewhere, but the scrollbar keeps getting smaller.

When the update is finished it jumps to the end, but it isn't constantly smooth scrolling as it used to be.

I don't remember when this issue exactly appeared but it must have been in 25.7.

I cannot exclude that my browser is the cause; I'm using LibreWolf with uBlock Origin and CanvasBlocker.

CanvasBlocker shows that it blocked a domRect, I will disable it on the next update and check if it solves the issue.

There aren't any popups in OPNsense so I doubt it is caused by uBlock Origin. My current version is OPNsense 26.1.2_5-amd64.
#7
26.1 Series / dnsmasq firewall aliases
Last post by dirtyfreebooter - Today at 07:22:15 PM
I was testing out dnsmasq firewall aliases, specifically attempting to block YouTube. I set up dnsmasq as the primary DNS with Unbound as forwarder on port 53053.

I am not sure whether I need "query servers sequentially" or not; the documentation is unclear.

Then I attempt to access YouTube:
curl https://youtube.com
Watching the firewall alias, I see it updated.

But the original curl request works. If I then try to access it again, it's blocked. It seems like dnsmasq does not update the firewall alias synchronously, so the client is able to see the DNS resolution before the alias is updated and retrieve the web page. Is this a bug, or intended behavior?
#8
The Q-Feeds domain blocklist is now visible in the DNSCrypt-Proxy DNSBL.

Am I good with just checking it in DNSCrypt-Proxy or do I also have to check the "Register domain feeds" checkbox in Q-Feeds Connect?

I'm just asking because the description only mentions the "Unbound DNS blocklist", so I'm not sure whether it is exclusively for Unbound or you just forgot to change the description.
#9
Quote from: Greg_E on Today at 05:02:49 PM
Jealous of your 10g connections.
You only have to move to Switzerland, in an area where Init7 is providing fiber. Then you could even get 25 Gbit/s for the same price and you'll get a fixed /48 IPv6 prefix and a not-fixed-but-never-changing IPv4.

25 Gbit/s was too over the top for me :).
#10
German - Deutsch / Re: Two open issues ISC->KEA /...
Last post by 0zzy - Today at 07:12:12 PM
Oh, this is enough to drive you up the wall....

What I do manage to get working:
Firewall from old to new --> check
ISC -> Kea check

Everything works except for the AP. Good grief!

Funnily enough, I exported everything and imported it again, after which something funny happens:

WiFi clients do get a lease -> yiaaay
But in the UniFi controller and via ping there is no connection to the UFO U6+

If I roll everything back via snapshot, everything works as usual.

The difference:

ISC: WIFIMGMT on opt1, GW: 192.168.12.252/29, the AP has the IP 192.168.12.2
ISC: WIFI vlan0.20, GW: 192.168.13.252/24 -> that's where the clients then get WiFi

In Kea everything entered by hand, rien ne va plus!

After some research, I apparently need the ability to hand out option 43, because otherwise the AP is blind.
I tried it via an Unbound DNS override, nope, it just won't work.

I'm giving up for today... Advice / explanations very welcome.