DNSCrypt-proxy acting weird with OPNSense

Started by Giant850, April 13, 2021, 01:53:05 AM

I've been running DNSCrypt-proxy on an RPi for 2+ years without issue, and it is working great. However, I'm trying to migrate that functionality into OPNSense. My configured upstream resolver is NextDNS.io, and I have an SDNS stamp from them. I also disabled unbound on OPNSense, and have dnscrypt-proxy listening on port 53.

I set up OPNSense dnscrypt-proxy with my NextDNS stamp, and put that server in the server list. However, what is NOT working well are NextDNS blocks, which should return 0.0.0.0. If I log in to my OPNSense instance and run:

dnscrypt-proxy -resolve app-measurement.com

I get a valid IP:

Resolving [app-measurement.com] using 10.13.2.1 port 53

Resolver      : 45.32.79.76 (dns.nextdns.io.)
Lying         : no
DNSSEC        : yes, the resolver supports DNSSEC

Canonical name: app-measurement.com.

IPv4 addresses: 172.217.14.110
IPv6 addresses: 2607:f8b0:4007:80e::200e

Name servers  : ns4.google.com., ns2.google.com., ns1.google.com., ns3.google.com.
DNSSEC signed : no
Mail servers  : no mail servers found

HTTPS alias   : -
HTTPS info    : -

Host info     : -
TXT records   : v=spf1 -all


As you can see, it appears to first hit the dns.nextdns.io server, but somehow it appears to also be using Google name servers and thus gets back a valid IP. However, when I run the EXACT same dnscrypt-proxy resolve command on my RPi, I see:

pi@raspberrypi1:/opt/dnscrypt-proxy $ ./dnscrypt-proxy -resolve app-measurement.com
Resolving [app-measurement.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: app-measurement.com.
IP addresses:   0.0.0.0, ::
TXT records:    -
Resolver IP:    45.32.79.76 (dns.nextdns.io.)


Which obviously IS working, since I got back 0.0.0.0.

I'm baffled why the OPNSense dnscrypt-proxy instance is resolving the hostname and apparently hitting google servers as well. Any ideas?


Did you try with dig and your local instance and check the dnscrypt logs?

I used Drill on OPNSense and got this:

root@OPNsense:/usr/local/etc/dnscrypt-proxy # drill c.bing.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 40401
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; c.bing.com. IN A

;; ANSWER SECTION:
c.bing.com. 21598 IN CNAME c-bing-com.a-0001.a-msedge.net.
c-bing-com.a-0001.a-msedge.net. 58 IN CNAME dual-a-0001.a-msedge.net.
dual-a-0001.a-msedge.net. 58 IN A 13.107.21.200
dual-a-0001.a-msedge.net. 58 IN A 204.79.197.200

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 9 msec
;; SERVER: 1.1.1.1
;; WHEN: Tue Apr 13 08:42:17 2021
;; MSG SIZE  rcvd: 130


What is interesting is that the server response is from 1.1.1.1. DNSCrypt-Proxy isn't configured to use 1.1.1.1, however I DO have 1.1.1.1 configured in OPNSense under System/Setting/General. I did this because if I left all those DNS server entries empty then WireGuard would not properly start on reboot, as it was trying to resolve my external WG hostname and failing. DNSCrypt-proxy starts AFTER WireGuard tries to initialize when you reboot.

Any ideas on how I can best configure DNS/WireGuard/DNSCrypt-proxy so that all name resolution goes through DNSCrypt-proxy?

I ran Dig from my laptop, which is pointed to OPNSense for DNS. It is querying 10.13.2.1 (where DNSCrypt-proxy is listening), but I still get back real IPs vs. 0.0.0.0 that NextDNS and my RPis correctly return.

dig c.bing.com

; <<>> DiG 9.10.6 <<>> c.bing.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16634
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;c.bing.com. IN A

;; ANSWER SECTION:
c.bing.com. 394 IN CNAME c-bing-com.a-0001.a-msedge.net.
c-bing-com.a-0001.a-msedge.net. 394 IN CNAME dual-a-0001.a-msedge.net.
dual-a-0001.a-msedge.net. 394 IN A 204.79.197.200
dual-a-0001.a-msedge.net. 394 IN A 13.107.21.200

;; Query time: 55 msec
;; SERVER: 10.13.2.1#53(10.13.2.1)
;; WHEN: Tue Apr 13 09:25:57 PDT 2021
;; MSG SIZE  rcvd: 141

Any ideas here? I'm kind of at a loss on what's going on with DNSCrypt.

You need to tell the tool to explicitly ask dnscrypt. Also we need logs :)
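The point of the reply above is that drill and dig, with no server argument, ask whatever /etc/resolv.conf names (1.1.1.1 in the drill run posted earlier), not dnscrypt-proxy. The script below is an added example, not code from the thread, from dnscrypt-proxy or from OPNsense: it queries one resolver explicitly with dig's "@server" argument, extracts which server actually answered, and classifies the reply as a NextDNS-style block (0.0.0.0 / ::), a real answer, or no answer. It assumes dig is installed on the host; the resolver address 10.13.2.1 is the one the thread names, and the sample outputs embedded for the offline self-check are constructed (one is the drill output posted in the thread).

```shell
#!/bin/sh
# Added example, not code from the thread or from dnscrypt-proxy/OPNsense.
# Purpose: ask ONE named resolver explicitly (dig's "@server" argument) and
# classify the answer, so a "real IP" reply can be traced to the server that
# actually produced it instead of whatever /etc/resolv.conf happened to hand out.
# The resolver address 10.13.2.1 comes from the thread; the sample dig/drill
# outputs below are constructed (one is copied from the thread's drill run).

# classify_answer: read dig/drill-style output on stdin and print one word:
#   blocked  - every A/AAAA record is the 0.0.0.0 / :: block sentinel
#   resolved - at least one A/AAAA record carries a real address
#   noanswer - no A/AAAA records at all (NXDOMAIN, SERVFAIL, refused, ...)
classify_answer() {
    awk '
        /^;/ || /^$/ { next }        # comment lines (";" / ";;") and blanks
        # record lines look like: NAME TTL IN TYPE RDATA
        $3 == "IN" && ($4 == "A" || $4 == "AAAA") {
            total++
            if ($5 == "0.0.0.0" || $5 == "::") sentinel++
        }
        END {
            if (total == 0)             print "noanswer"
            else if (sentinel == total) print "blocked"
            else                        print "resolved"
        }'
}

# answer_server: print the address from the ";; SERVER:" line.
# dig writes "10.13.2.1#53(10.13.2.1)", drill writes "1.1.1.1"; both reduce
# to the bare address here.
answer_server() {
    awk '/^;; SERVER:/ { split($3, a, "#"); print a[1]; exit }'
}

# check_block_via RESOLVER NAME: query RESOLVER directly and report which
# server answered and how the answer classifies. Needs dig on the host.
check_block_via() {
    resolver=$1
    name=$2
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    out=$(dig @"$resolver" "$name" A) || return 1
    printf '%s via %s -> answered by %s: %s\n' \
        "$name" "$resolver" \
        "$(printf '%s\n' "$out" | answer_server)" \
        "$(printf '%s\n' "$out" | classify_answer)"
}

# --- constructed samples for offline self-checks -------------------------
# What a NextDNS block looks like when dnscrypt-proxy really forwarded it:
SAMPLE_BLOCKED='; <<>> DiG 9.10.6 <<>> @10.13.2.1 app-measurement.com
;; QUESTION SECTION:
;app-measurement.com.           IN      A

;; ANSWER SECTION:
app-measurement.com.    60      IN      A       0.0.0.0

;; SERVER: 10.13.2.1#53(10.13.2.1)'

# The drill run posted in the thread: answered by 1.1.1.1, not dnscrypt-proxy.
SAMPLE_RESOLVED=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 40401
;; QUESTION SECTION:
;; c.bing.com. IN A

;; ANSWER SECTION:
c.bing.com. 21598 IN CNAME c-bing-com.a-0001.a-msedge.net.
c-bing-com.a-0001.a-msedge.net. 58 IN CNAME dual-a-0001.a-msedge.net.
dual-a-0001.a-msedge.net. 58 IN A 13.107.21.200
dual-a-0001.a-msedge.net. 58 IN A 204.79.197.200

;; SERVER: 1.1.1.1'

# A name that does not exist: no records, only comments.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; QUESTION SECTION:
;does-not-exist.example.        IN      A

;; SERVER: 10.13.2.1#53(10.13.2.1)'

# Run a live check only when a resolver and a name are given on the command line,
# e.g.:  sh dnscheck.sh 10.13.2.1 app-measurement.com
if [ "$#" -ge 2 ]; then
    check_block_via "$1" "$2"
fi
```

Running it once against the dnscrypt-proxy listener and once against the address in /etc/resolv.conf makes the comparison the thread is missing: if the "@10.13.2.1" query still comes back "resolved" while the RPi returns "blocked" for the same name, the problem is between dnscrypt-proxy and NextDNS, not in which resolver the client tool picked, and the dnscrypt-proxy query log is the next place to look.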

Since I was using DNSCrypt to forward queries to NextDNS, I fixed this problem via a config change. I directly installed NextDNS CLI on OPNsense and have it listening on port 53. Clients then point to OPNsense for DNS, and all queries are directed to NextDNS, bypassing the need for DNSCrypt.