"Recent posts
#21
25.7, 25.10 Series / Re: Create local DNS host entr...
Last post by meyergru - December 01, 2025, 09:59:36 PMTake a look at this - maybe you do not want / need "internal" IPv6 at all after reading it.
You are correct: While you can create a dynamic IPv6 firewall alias, you cannot create the same for (internal) DNS. However, you can use the link-local address that is derived from the EUI-64. That is, iff you use SLAAC and not DHCPv6 for IP assigments (which you should).
You can, of course, use dynamic DNS to update by an interface IPv6 prefix and an EUI-64 suffix. Some DDNS service providers allow to keep the suffix, such that OpnSense can update the prefix only.
You are correct: While you can create a dynamic IPv6 firewall alias, you cannot create the same for (internal) DNS. However, you can use the link-local address that is derived from the EUI-64. That is, iff you use SLAAC and not DHCPv6 for IP assigments (which you should).
You can, of course, use dynamic DNS to update by an interface IPv6 prefix and an EUI-64 suffix. Some DDNS service providers allow to keep the suffix, such that OpnSense can update the prefix only.
#22
25.7, 25.10 Series / Create local DNS host entry po...
Last post by cinergi - December 01, 2025, 09:37:42 PMHello,
I'm running OPNsense 2.7.8 with DNSmasq for DHCP and local host name resolution. I'm trying to set a local DNS host entry pointing to the interface's IPv6 address. Since this address is derived from the WAN prefix delegation and could therefore change, I'm hesitant to hard-code the IPv6 address in the DNS host entry. Is there any way to specify "this interface IP address"? When setting custom DHCP options, for example, it's possible to specify [..] for the interface IP which would be perfect in this case, but this doesn't seem to be supported for DNS host entries - only DHCP options.
Thanks!
I'm running OPNsense 2.7.8 with DNSmasq for DHCP and local host name resolution. I'm trying to set a local DNS host entry pointing to the interface's IPv6 address. Since this address is derived from the WAN prefix delegation and could therefore change, I'm hesitant to hard-code the IPv6 address in the DNS host entry. Is there any way to specify "this interface IP address"? When setting custom DHCP options, for example, it's possible to specify [..] for the interface IP which would be perfect in this case, but this doesn't seem to be supported for DNS host entries - only DHCP options.
Thanks!
#23
General Discussion / Re: Is public-dns.info still a...
Last post by meyergru - December 01, 2025, 09:32:43 PMLooking at the list, I am not so sure. When you use an IP list, it might be safe to do so - with a wildcard list, I am unsure.
Take cubedns.com (or ptentially, any DoH service that uses only one dot in their name): they have their website on the same URL (and IP). Then again, by blocking port 443 - which you must, it will not work, anyway. At least, you could send them an E-Mail, I guess ;-)
Cloudflare was savvy enough to use a separate domain for DNS.
It is interesting what you can find when you block these things:
- I found HomeAssistant OS using Cloudflare despite being told to use my internal DNS (there is a trick to disable that: https://kcore.org/2022/08/12/hass-disable-fallback-dns/).
- Also, I caught some of my IoT devices using external NTP services - this included Apple TVs. By redirecting to the local NTP, I could make that go away.
On the other hand, I never trusted those anyway, hence why they are on a separate VLAN.
Take cubedns.com (or ptentially, any DoH service that uses only one dot in their name): they have their website on the same URL (and IP). Then again, by blocking port 443 - which you must, it will not work, anyway. At least, you could send them an E-Mail, I guess ;-)
Cloudflare was savvy enough to use a separate domain for DNS.
It is interesting what you can find when you block these things:
- I found HomeAssistant OS using Cloudflare despite being told to use my internal DNS (there is a trick to disable that: https://kcore.org/2022/08/12/hass-disable-fallback-dns/).
- Also, I caught some of my IoT devices using external NTP services - this included Apple TVs. By redirecting to the local NTP, I could make that go away.
On the other hand, I never trusted those anyway, hence why they are on a separate VLAN.
#24
German - Deutsch / Re: Frage bzgl. Unmanaged Swit...
Last post by Classic89 - December 01, 2025, 09:31:13 PMQuote from: osmom on December 01, 2025, 03:42:11 PMAus deiner Beschreibung ist mir der Sinn des 3 Switches nicht ganz klar. Du kannst doch über den neuen Kabelkanal 2 Leitungen zwischen Opensense und deinem bestehenden Switch legen.
Da dein Powerline laut deiner Beschreibung nach schwach ist, besprich doch mit deinem Hauselektriker ob der Einbau eines Pasekopplers nicht die bessere Investition wäre. z.B. https://shop.allnet.de/ALLNET-ALL16881-Powerline-Phasenkoppler-Signalbruecke-3-Pha/112411
An dem Switch sind dafür nicht mehr genug Ports frei, müsste also eh einen neuen kaufen. Und da beide aktuell im Betrieb befindlichen Switche und auch der WLAN AP PoE fähig sind, war der Gedanke da noch einen PoE-Switch dazwischen zu schalten um sich an den "Endgeräten" zumindest teilweise noch die Netzkabel zu sparen. Gerade beim AP wäre das schon ein großer Vorteil da nur noch ein Kabel hinzuziehen.
#25
General Discussion / Re: Is public-dns.info still a...
Last post by Patrick M. Hausen - December 01, 2025, 09:14:15 PMWhat would be wrong with blocking these IP addresses entirely? Surely no provider of DoT/DoH would be running other vital services on the same servers? Would they? :-)
#26
General Discussion / Re: Is public-dns.info still a...
Last post by meyergru - December 01, 2025, 09:06:43 PMI would use TCP and UDP because of HTTP/3 (QUIC). The list includes IPv6 and also lists mozilla.cloudflare-dns.com.
#27
General Discussion / Re: Is public-dns.info still a...
Last post by Kets_One - December 01, 2025, 08:49:07 PMThis is indeed a maintained source of DoH servers i use as well.
You also could add this rule to apply to TCP traffic on these ports only, since DoH uses TCP.
You also could add this rule to apply to TCP traffic on these ports only, since DoH uses TCP.
#28
25.7, 25.10 Series / Re: Traffic from unassigned su...
Last post by Kets_One - December 01, 2025, 08:25:00 PMThanks for the suggestion.
However, I don't have managed switches installed. All other networking equipment I have monitored for years without such behaviour.
Strangely nslookup of 94.16.122.152 resolves s7.vonderste.in.
Not known as a part of the ntp.pool, maybe just an NTP client.
Indeed this doesnt explain the source ip.
Update:
Just now a new request was made from 192.168.90.100:123 to a different destination ip: 217.144.138.234, which appears to be an NTP server: ntp2.wup-de.hosts.301-moved.de. Again i am unable to locate the source ip / host on my LAN. Maybe some WireShark is in order...
However, I don't have managed switches installed. All other networking equipment I have monitored for years without such behaviour.
Strangely nslookup of 94.16.122.152 resolves s7.vonderste.in.
Not known as a part of the ntp.pool, maybe just an NTP client.
Indeed this doesnt explain the source ip.
Update:
Just now a new request was made from 192.168.90.100:123 to a different destination ip: 217.144.138.234, which appears to be an NTP server: ntp2.wup-de.hosts.301-moved.de. Again i am unable to locate the source ip / host on my LAN. Maybe some WireShark is in order...
#29
General Discussion / Re: Is public-dns.info still a...
Last post by meyergru - December 01, 2025, 08:24:51 PMSo, now I got a current list: https://github.com/dibdot/DoH-IP-blocklists
You can use it like so to block DoH requests going outside:
1. Create two "URL table in JSON format (IP)" type aliases with a refresh time of ~ one day and ".[]" as the JSON path expression:
DoH_IPv4 with content "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv4.json"
DoH_IPv6 with content "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv6.json"
plus a "Ports" type alias - because some DoH services are offered on alternate ports as well:
DoH_Ports with content "53 80 443 453 853 8053".
2. Create one inbound block floating rule for IPv4 on your LAN interfaces using DoH_IPv4 and one for IPv6 using DoH_IPv6, both with the target port alias DoH_Ports and for TCP/UDP. These rules should apply to whatever interface(s) you want to block DoH on.
You can check effectiveness by using DoH in your browser, which should fail after a timeout.
You can use it like so to block DoH requests going outside:
1. Create two "URL table in JSON format (IP)" type aliases with a refresh time of ~ one day and ".[]" as the JSON path expression:
DoH_IPv4 with content "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv4.json"
DoH_IPv6 with content "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv6.json"
plus a "Ports" type alias - because some DoH services are offered on alternate ports as well:
DoH_Ports with content "53 80 443 453 853 8053".
2. Create one inbound block floating rule for IPv4 on your LAN interfaces using DoH_IPv4 and one for IPv6 using DoH_IPv6, both with the target port alias DoH_Ports and for TCP/UDP. These rules should apply to whatever interface(s) you want to block DoH on.
You can check effectiveness by using DoH in your browser, which should fail after a timeout.
#30
Hardware and Performance / Re: Any tips or gotchas with S...
Last post by pfry - December 01, 2025, 08:24:44 PMQuote from: Greg_E on December 01, 2025, 03:12:02 PM[...]I may need to buy a few more 2.5g transceivers[...]
I'd dig into the reviews/fora for experiences with individual products. Good luck.
