"Recent posts
#81
25.7, 25.10 Series / Re: "The release type "opnsens...
Last post by LGDL - December 01, 2025, 10:26:47 PMQuote from: franco on December 01, 2025, 02:52:23 PMBecause the installer predates the update?
Thank you, I hadn't noticed that. Also thanks for the link!
#82
General Discussion / Re: referer protection
Last post by Maurice - December 01, 2025, 10:25:35 PMI tend to agree. This seems to be one of those features from the pre-fork era which hasn't been touched ever since.
Since this only is an issue if you link to OPNsense from a different website, this probably never bothered too many users.
Feel welcome to open an issue (or pull request) on GitHub.
Cheers
Maurice
Since this only is an issue if you link to OPNsense from a different website, this probably never bothered too many users.
Feel welcome to open an issue (or pull request) on GitHub.
Cheers
Maurice
#83
General Discussion / Re: Is public-dns.info still a...
Last post by Kets_One - December 01, 2025, 10:20:28 PM@meyergru
I block QUIC totally by blocking all UDP traffic on ports 80 and 443.
I block QUIC totally by blocking all UDP traffic on ports 80 and 443.
#84
General Discussion / Re: Is public-dns.info still a...
Last post by Patrick M. Hausen - December 01, 2025, 10:14:56 PMI am pondering adding the linked "dibdot" IP lists to my global IP based blocklist rules. I'll give it a try, I guess.
For domain based blocking I use AGH and mostly Hagezi's lists.
For domain based blocking I use AGH and mostly Hagezi's lists.
#85
25.7, 25.10 Series / Re: Create local DNS host entr...
Last post by meyergru - December 01, 2025, 09:59:36 PMTake a look at this - maybe you do not want / need "internal" IPv6 at all after reading it.
You are correct: While you can create a dynamic IPv6 firewall alias, you cannot create the same for (internal) DNS. However, you can use the link-local address that is derived from the EUI-64. That is, iff you use SLAAC and not DHCPv6 for IP assigments (which you should).
You can, of course, use dynamic DNS to update by an interface IPv6 prefix and an EUI-64 suffix. Some DDNS service providers allow to keep the suffix, such that OpnSense can update the prefix only.
You are correct: While you can create a dynamic IPv6 firewall alias, you cannot create the same for (internal) DNS. However, you can use the link-local address that is derived from the EUI-64. That is, iff you use SLAAC and not DHCPv6 for IP assigments (which you should).
You can, of course, use dynamic DNS to update by an interface IPv6 prefix and an EUI-64 suffix. Some DDNS service providers allow to keep the suffix, such that OpnSense can update the prefix only.
#86
25.7, 25.10 Series / Create local DNS host entry po...
Last post by cinergi - December 01, 2025, 09:37:42 PMHello,
I'm running OPNsense 2.7.8 with DNSmasq for DHCP and local host name resolution. I'm trying to set a local DNS host entry pointing to the interface's IPv6 address. Since this address is derived from the WAN prefix delegation and could therefore change, I'm hesitant to hard-code the IPv6 address in the DNS host entry. Is there any way to specify "this interface IP address"? When setting custom DHCP options, for example, it's possible to specify [..] for the interface IP which would be perfect in this case, but this doesn't seem to be supported for DNS host entries - only DHCP options.
Thanks!
I'm running OPNsense 2.7.8 with DNSmasq for DHCP and local host name resolution. I'm trying to set a local DNS host entry pointing to the interface's IPv6 address. Since this address is derived from the WAN prefix delegation and could therefore change, I'm hesitant to hard-code the IPv6 address in the DNS host entry. Is there any way to specify "this interface IP address"? When setting custom DHCP options, for example, it's possible to specify [..] for the interface IP which would be perfect in this case, but this doesn't seem to be supported for DNS host entries - only DHCP options.
Thanks!
#87
General Discussion / Re: Is public-dns.info still a...
Last post by meyergru - December 01, 2025, 09:32:43 PMLooking at the list, I am not so sure. When you use an IP list, it might be safe to do so - with a wildcard list, I am unsure.
Take cubedns.com (or ptentially, any DoH service that uses only one dot in their name): they have their website on the same URL (and IP). Then again, by blocking port 443 - which you must, it will not work, anyway. At least, you could send them an E-Mail, I guess ;-)
Cloudflare was savvy enough to use a separate domain for DNS.
It is interesting what you can find when you block these things:
- I found HomeAssistant OS using Cloudflare despite being told to use my internal DNS (there is a trick to disable that: https://kcore.org/2022/08/12/hass-disable-fallback-dns/).
- Also, I caught some of my IoT devices using external NTP services - this included Apple TVs. By redirecting to the local NTP, I could make that go away.
On the other hand, I never trusted those anyway, hence why they are on a separate VLAN.
Take cubedns.com (or ptentially, any DoH service that uses only one dot in their name): they have their website on the same URL (and IP). Then again, by blocking port 443 - which you must, it will not work, anyway. At least, you could send them an E-Mail, I guess ;-)
Cloudflare was savvy enough to use a separate domain for DNS.
It is interesting what you can find when you block these things:
- I found HomeAssistant OS using Cloudflare despite being told to use my internal DNS (there is a trick to disable that: https://kcore.org/2022/08/12/hass-disable-fallback-dns/).
- Also, I caught some of my IoT devices using external NTP services - this included Apple TVs. By redirecting to the local NTP, I could make that go away.
On the other hand, I never trusted those anyway, hence why they are on a separate VLAN.
#88
German - Deutsch / Re: Frage bzgl. Unmanaged Swit...
Last post by Classic89 - December 01, 2025, 09:31:13 PMQuote from: osmom on December 01, 2025, 03:42:11 PMAus deiner Beschreibung ist mir der Sinn des 3 Switches nicht ganz klar. Du kannst doch über den neuen Kabelkanal 2 Leitungen zwischen Opensense und deinem bestehenden Switch legen.
Da dein Powerline laut deiner Beschreibung nach schwach ist, besprich doch mit deinem Hauselektriker ob der Einbau eines Pasekopplers nicht die bessere Investition wäre. z.B. https://shop.allnet.de/ALLNET-ALL16881-Powerline-Phasenkoppler-Signalbruecke-3-Pha/112411
An dem Switch sind dafür nicht mehr genug Ports frei, müsste also eh einen neuen kaufen. Und da beide aktuell im Betrieb befindlichen Switche und auch der WLAN AP PoE fähig sind, war der Gedanke da noch einen PoE-Switch dazwischen zu schalten um sich an den "Endgeräten" zumindest teilweise noch die Netzkabel zu sparen. Gerade beim AP wäre das schon ein großer Vorteil da nur noch ein Kabel hinzuziehen.
#89
General Discussion / Re: Is public-dns.info still a...
Last post by Patrick M. Hausen - December 01, 2025, 09:14:15 PMWhat would be wrong with blocking these IP addresses entirely? Surely no provider of DoT/DoH would be running other vital services on the same servers? Would they? :-)
#90
General Discussion / Re: Is public-dns.info still a...
Last post by meyergru - December 01, 2025, 09:06:43 PMI would use TCP and UDP because of HTTP/3 (QUIC). The list includes IPv6 and also lists mozilla.cloudflare-dns.com.
