How to block upstream DNS to port 53?

[dwasifar]

To evade my ISP's transparent DNS proxying, I configured Unbound to use upstream DNS-over-TLS on port 853.  This mostly works fine, except my logs still show some traffic to 8.8.8.8 on port 53.  It appears to be originating from the firewall's own IP.  8.8.8.8 is not configured anywhere in the firewall anymore (I checked this by downloading the config and searching through it, and by logging in using SSH and grepping the /etc/ directory).  I do not understand where the firewall is getting 8.8.8.8 and why it wants to keep querying it on port 53.  There are no DNS servers specified in Settings > General; I removed them when I configured Unbound DNS-over-TLS. 

My next idea was to set up a firewall rule to block outbound port 53.  I figured I could do that and see what it breaks.  But that's not working because the traffic is being explicitly passed by the automatically generated floating rule "let out anything from firewall host itself (force gw)".  Because this is an automatically generated rule, I can't place my manual rule ahead of it, and because it's a floating rule, it gets evaluated before the LAN rules, so placing my manual rule there does no good either.

Any suggestions?

[d3pr3cat3d]

https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/#allow-dns-requests-to-only-be-resolved-by-opnsense-and-not-by-external-dns-servers

https://homenetworkguy.com/how-to/configure-opnsense-firewall-rules/

[dwasifar]

Yes, I found those already, but that's not the issue.  Unbound is configured correctly and is successfully proxying DNS requests on port 53 to my configured upstream DNS-over-TLS servers.  But I have this mystery traffic also going to 8.8.8.8:53, apparently from OPNsense itself, even though 8.8.8.8 is not configured anywhere.

Look. Here's my Unbound general configuration:



Note at the bottom it says it will use the servers configured in System: General for upstream, or whatever it gets from upstream DHCP/PPP if that is checked.  So here is System: General:



Note no DNS servers are specified here, and the box to allow it to pick up DNS from DHCP/PPP is unchecked.

Meanwhile I have Unbound's upstream DNS-over-TLS servers configured under Miscellaneous:



Note that 8.8.8.8 is not among them. 

If I download the entire config to a backup file and search it for 8.8.8.8, I get no results:



So 8.8.8.8 is not configured anywhere, yet OPNsense is still trying to reach it:



It's passing because of the rule "let out anything from firewall host itself (force gw)," so I know it's OPNsense generating this traffic.  This rule is an automatically generated floating rule:



Note my custom rule to block outbound port 53 right below it.  But my custom rule doesn't do any good, because the automatically generated rule is executed first and passes the traffic, and I can't put the custom rule ahead of the automatically generated rules.

Does that make the problem clearer?

[allebone]

You have not configured unbound in forwarding mode so it would be expected that the firewall will query many different dns servers as it has to run in authoritative resolver mode. If you want to force it to only query a dingle dns server then tick forwarding mode.

Also do you have any outbound nat rules? Also block port 53 on lan interface except for the pc’s you want.

P

[dwasifar]

I do have an outbound rule blocking outbound 53 on LAN, but again, because the floating rules are applied before any other rules, the traffic is allowed out in spite of that rule.

My understanding is that if you want Unbound to ONLY use DNS over TLS, you do not check the forwarding mode box, because that causes it to forward the traffic to the upstream servers listed in System: General Setup on port 53, as opposed to using the DNS-over-TLS servers configured on the Miscellaneous page.  And once again: Unbound is successfully using those upstream servers.  That is not the problem.  The problem is this stray additional traffic from the firewall itself, to 8.8.8.8.

The big question is, where is it getting 8.8.8.8 when that server is not configured anywhere in OPNsense's setup?

[allebone]

Show outbound nat rule page.

[Maurice]

The default "let out anything" rule is a 'last match' rule, meaning it only applies if no other rule matches. Your custom rule doesn't match because you set the destination to 'WAN net'. The Google DNS servers are not in the WAN net. To block outgoing DNS requests to all servers, the destination must be 'any'.

By the way, "let out anything from firewall host itself" matching doesn't mean that the DNS request was made by OPNsense itself. These requests most likely originate from a device in the LAN. Some IoT devices ignore the DNS servers advertised by DHCP and just use Google DNS instead.
So it might be better to create a firewall rule on the LAN interface which blocks incoming connections to port 53 if the destination is not the LAN interface address.

[hushcoden]

To evade my ISP's transparent DNS proxying, I configured Unbound to use upstream DNS-over-TLS on port 853.  This mostly works fine, except my logs still show some traffic to 8.8.8.8 on port 53.  It appears to be originating from the firewall's own IP.  8.8.8.8 is not configured anywhere in the firewall anymore (I checked this by downloading the config and searching through it, and by logging in using SSH and grepping the /etc/ directory).  I do not understand where the firewall is getting 8.8.8.8 and why it wants to keep querying it on port 53.  There are no DNS servers specified in Settings > General; I removed them when I configured Unbound DNS-over-TLS.

Any suggestions?

Are you using, by any chance, a DrayTek Vigor 166 ? I am, and although it's in bridge mode, it has the Google DNS server in the firmware somewhere and it pings 8.8.8.8 every minute or so... 

[dwasifar]

By the way, "let out anything from firewall host itself" matching doesn't mean that the DNS request was made by OPNsense itself. These requests most likely originate from a device in the LAN. Some IoT devices ignore the DNS servers advertised by DHCP and just use Google DNS instead.

Aha.  That makes sense.  I was interpreting it as coming from the firewall, because when I did a commandline DNS query from one of my servers, the log line showed the public IP of the server, not of the firewall.  So this made me think the log lines would show the IP of the machine making the query.  But that server is NAT'ed to its public static IP.  When I did a similar query from my laptop, which has no NAT and gets its IP from DHCP, the resulting log line showed it coming from the firewall's IP.  So you're probably right that it's an IoT device.  My bet is on the Roku.

So it might be better to create a firewall rule on the LAN interface which blocks incoming connections to port 53 if the destination is not the LAN interface address.

At your suggestion I set up a LAN rule:



This seems to be successfully blocking port 53 requests to upstream but still allowing requests to the firewall, just as you said.  Now let's see what breaks.

Are you using, by any chance, a DrayTek Vigor 166 ? I am, and although it's in bridge mode, it has the Google DNS server in the firmware somewhere and it pings 8.8.8.8 every minute or so... 

No, it's a Watchguard XTM 5 series.  That's gotta be frustrating for you.

[dwasifar]

Well, it was not the Roku, and I actually have not seen anything IoT break anywhere on the network.  Garage door, washer and dryer, Echo dots, thermostats, refrigerator, all apparently still communicating.  So I don't know what device was using 8.8.8.8, but it's been stopped.

Thanks to all who replied.

[miroco]

Have you checked so it's not dpinger causing a false positive?

https://github.com/dennypage/dpinger



miroco