Unbound DNS Firewall rules needed in 23? (also Understanding DNS hierarchy)

Started by wotcha, February 28, 2023, 05:55:48 AM

If unbound is now the DNS resolver in 23.1, do Firewall rules need to be made, or are they already made by OPnsense by default?

A lot of the guides I am reading add firewall rules to redirect DNS requests to internal DNS (127.0.0.1), but I gather this was before Unbound was the default resolver?

Also, is this the correct way to think about the DNS processing order/hierarchy in OPNsense?
The most overriding one being on the left hand side.



If not, what changes should be made?

Out of the box no additional rules are needed.
The DNS redirect to OPNsense is optional.

BTW: Unbound is the standard resolver since 17.7 :)
kind regards,
Stefan

Quote from: stesoell on February 28, 2023, 10:19:35 AM
The DNS redirect to OPNsense is optional.


Thanks. Why do people put the firewall rules for the DNS redirect to OPNsense if it is already handled by OPNsense by default? Sorry, I have a knowledge gap here, and I have been doing a lot of reading.

The DHCP server tells all clients to use the resolver running on OPNsense by default. In case some misconfigured/misbehaving client does not use DHCP or insists on using an external DNS server for some reason, the redirect rule will send these rogue requests to OPNsense instead. So they can be properly put through blocklists, logged, whatever ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: pmhausen on February 28, 2023, 08:09:11 PM
The DHCP server tells all clients to use the resolver running on OPNsense by default. In case some misconfigured/misbehaving client does not use DHCP or insists on using an external DNS server for some reason, the redirect rule will send these rogue requests to OPNsense instead. So they can be properly put through blocklists, logged, whatever ...

Great got it thanks!!

But if I allow clients to set their own DNS (such as in their device's network settings), or a different DNS set in the interface's DHCP, then I wouldn't want this... to catch & redirect all DNS requests... right..?

(Or perhaps if you do not check "quick" client's own/DHCP DNS settings will still go through first, and the rest will be caught by this?)

Quote from: pmhausen on February 28, 2023, 08:09:11 PM
The DHCP server tells all clients to use the resolver running on OPNsense by default. In case some misconfigured/misbehaving client does not use DHCP or insists on using an external DNS server for some reason, the redirect rule will send these rogue requests to OPNsense instead. So they can be properly put through blocklists, logged, whatever ...

Depends what you want...

A) If you want most of your clients to use your router as the DNS provider, then set the firewall rules. This will ensure that clients will always be forced to use OPNsense DNS, even if they have their own DNS servers defined in the client's settings. The main aim of this is to ensure that all your DNS traffic is controlled and managed by OPNsense; and you retain full control while still having some flexibility (See B below)

B) If there are certain client devices that you want to use a different DNS (other than OPNsense), then set up these DNS entries in the DHCP setting on the OPNsense router itself.
Do not make these DNS settings on the client, else it will work as Option A.

Just be aware that these firewall rules only work for clients that use plain DNS 53 queries - this should be practically all clients.

However, some clients (or apps running on mobile devices) that use https or tls/quic for their DNS queries will still be able to bypass OPNsense, as they are sending their DNS queries on Port 443 or 853. These can be blocked too, but is a lot more complicated and I am not sure it is 100% feasible either.

Quote from: gspannu on March 01, 2023, 11:03:42 AM
However, some clients (or apps running on mobile devices) that use https or tls/quic for their DNS queries will still be able to bypass OPNsense, as they are sending their DNS queries on Port 443 or 853. These can be blocked too, but is a lot more complicated and I am not sure it is 100% feasible either.

It's actually quite simple to block those. Create an alias for ports 853 and 5353. Create a reject rule for the UDP protocol and assign your alias to the destination port range. Then create another rule right below it that will pass UDP traffic on port 53 and choose "This Firewall" as the destination. See the attached picture for details. With these rules in place, all applications that are hardcoded to use DoH and QUIC will fall back on using UDP port 53.

I also want to point out that if you are using OpenVPN as a client, Unbound blocklists will not work without a firewall rule that redirects UDP traffic on port 53 to "This Firewall".
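The posts above describe two things a firewall operator cares about: which clients are sending plain port-53 queries somewhere other than the local resolver, and which are using DoT/DoQ (port 853) or hiding DNS inside HTTPS on 443 where a port-based rule cannot tell it apart. The script below is an added example written for this thread, not code from OPNsense or from anyone in the thread. It classifies a handful of constructed flow records (the `src dst proto dport` line format, the firewall address 192.168.1.1 and the allowlisted client 192.168.77.10 are all assumptions) and reports clients that bypass the local resolver, skipping the ones you deliberately allowed to use their own DNS (option B in the thread).

```python
"""Spot clients that bypass the firewall's DNS resolver.

Added example for this thread, not OPNsense code. The log format is a
constructed "<src> <dst> <proto> <dport>" per line, not the real filterlog
format; adapt parse_line() to whatever your firewall actually logs.
"""
from collections import defaultdict
from dataclasses import dataclass

FIREWALL_IP = "192.168.1.1"          # assumed LAN address of the OPNsense box
ALLOWED_DIRECT = {"192.168.77.10"}   # assumed clients allowed to use their own DNS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int


def parse_line(line: str) -> Flow:
    """Parse one constructed log record into a Flow."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def classify(flow: Flow) -> str:
    """Label a flow by how it relates to DNS, based only on port and destination."""
    if flow.dport == 53:
        # Plain DNS: fine if it goes to the local resolver, a bypass otherwise.
        return "local-resolver" if flow.dst == FIREWALL_IP else "plain-dns-bypass"
    if flow.dport == 853:
        # Port 853 carries DNS over TLS (TCP) or DNS over QUIC (UDP).
        return "dot" if flow.proto == "tcp" else "doq"
    if flow.dport == 443:
        # DoH shares port 443 with ordinary web traffic; the port alone
        # cannot distinguish it, which is the limitation the thread describes.
        return "https"
    return "other"


def bypass_report(lines):
    """Map each non-allowlisted client to the resolver bypasses it attempted."""
    report = defaultdict(set)
    for line in lines:
        flow = parse_line(line)
        kind = classify(flow)
        if kind in ("plain-dns-bypass", "dot", "doq") and flow.src not in ALLOWED_DIRECT:
            report[flow.src].add((kind, flow.dst, flow.dport))
    return {src: sorted(hits) for src, hits in report.items()}


# Constructed sample records: one well-behaved client, one using an external
# resolver on port 53, one DoT, one DoQ, one allowlisted client, one plain HTTPS.
SAMPLE_LOG = """\
192.168.1.20 192.168.1.1 udp 53
192.168.1.21 8.8.8.8 udp 53
192.168.1.22 1.1.1.1 tcp 853
192.168.77.10 9.9.9.9 udp 53
192.168.1.23 1.1.1.1 udp 853
192.168.1.24 142.250.0.1 tcp 443
""".splitlines()

if __name__ == "__main__":
    for client, hits in bypass_report(SAMPLE_LOG).items():
        for kind, dst, port in hits:
            print(f"{client}: {kind} to {dst}:{port}")
```

Clients that show up as `plain-dns-bypass` are exactly the ones the port-53 redirect rule would catch; the `dot`/`doq` entries are what the reject rule on 853 is meant to stop, and the `https` class is deliberately not reported because port 443 alone proves nothing.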

Quote from: alex303 on March 01, 2023, 08:29:16 PM
Quote from: gspannu on March 01, 2023, 11:03:42 AM
However, some clients (or apps running on mobile devices) that use https or tls/quic for their DNS queries will still be able to bypass OPNsense, as they are sending their DNS queries on Port 443 or 853. These can be blocked too, but is a lot more complicated and I am not sure it is 100% feasible either.

Its actually quite simple to block those.
Yeah, I think a lot of guides explain how to block, but I'm not interested in blocking, I want to let those requests through.

I have a reason to set & use the client's own DNS set on the device, e.g. in the Network settings of the MacBook.

Quote from: gspannu on March 01, 2023, 11:03:42 AM
Depends what you want...

B) If there are certain client devices that you want to use a different DNS (other than OPNsense), then set up these DNS entries in the DHCP setting on the OPNsense router itself.
Do not make these DNS settings on the client, else it will work as Option A.

Just be aware that these firewall rules only work for clients that use plain DNS 53 queries - this should be practically all clients.

However, some clients (or apps running on mobile devices) that use https or tls/quic for their DNS queries will still be able to bypass OPNsense, as they are sending their DNS queries on Port 443 or 853. These can be blocked too, but is a lot more complicated and I am not sure it is 100% feasible either.

This! I want this... I will be enabling DNSCrypt (DoH) or Unbound DoT at some point, for 2 specific VLANs (77 & 88),

but at the same time I do want the DNS requests of a client device on 77 & 88 to take precedence, e.g. via the Network settings of the MacBook.

Does anyone have tips on how to do this?

You do realize that custom DNS IPs in either the DHCP server or the client itself will go around Unbound?