OPNsense Forum » English Forums » General Discussion » BIND/Unbound/DoT leakage
Topic: BIND/Unbound/DoT leakage (Read 3180 times)
OPNsense4ever (Newbie, Posts: 24, Karma: 2)
BIND/Unbound/DoT leakage « on: March 08, 2019, 03:02:42 am »
Hello,
I set up Unbound recently to encrypt my DNS requests to 1.1.1.1 and 9.9.9.10. I then set up a NAT rule to push any port 53 request back to localhost for Unbound to grab and encrypt. This works as expected.
The next part is to set the kids' devices to use BIND so that I can use some of the DNSBLs there as well as force safe search for Google, Bing, etc. I'm doing this with another NAT rule, which works great. What I want is for BIND to forward requests to Unbound so that the non-blacklisted requests are encrypted. I guess I don't understand the "DNS Forwarders" field? Right now BIND is just hitting the Internet itself to look these up, even though I have 127.0.0.1 in the "DNS Forwarders" field. I see them via tcpdump.
Is there any way to get this done?
Thanks so much!
« Last Edit: March 08, 2019, 03:05:26 am by OPNsense4ever »
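What the first post describes, written out as resolver configuration (an added example, not from the thread and not OPNsense's generated files; on OPNsense both daemons are configured from the GUI, so read this as the settings the GUI has to end up producing). Two points matter for the leak the poster sees. First, BIND and Unbound cannot both listen on 127.0.0.1:53, so the forwarder entry has to name the address and port Unbound actually listens on; the port 5353, the LAN prefix 192.0.2.0/24 and the CA bundle path below are assumptions. Second, BIND's default forwarding mode is "forward first", which tries the forwarder and then falls back to full recursion, in plaintext, straight out the WAN, whenever the forwarder is slow or fails; "forward only" removes that fallback, so a dead Unbound produces SERVFAIL instead of a leak. The TLS authentication names after "#" are what Unbound checks the upstream certificate against; confirm them against the providers' documentation.

```conf
# --- named.conf, options section (BIND on the firewall, excerpt) ---
# Assumed layout: BIND answers the kids' devices on port 53 (reached
# through the NAT redirect), Unbound listens on 127.0.0.1:5353 (assumed
# port) and does the DNS-over-TLS hop. The two cannot share 127.0.0.1:53.
options {
    listen-on { 127.0.0.1; 192.0.2.1; };        # constructed LAN address
    recursion yes;
    allow-query { 127.0.0.1; 192.0.2.0/24; };   # constructed LAN prefix

    forwarders { 127.0.0.1 port 5353; };
    # The important line. The default "forward first" lets BIND recurse
    # on its own when the forwarder does not answer, which is plaintext
    # port 53 out the WAN. "forward only" fails closed instead.
    forward only;
    dnssec-validation auto;
};

# --- unbound.conf (excerpt) ---
server:
    interface: 127.0.0.1@5353                   # assumed port, see above
    access-control: 127.0.0.0/8 allow
    # CA bundle used to verify the upstream certificate; path assumed
    # (on FreeBSD usually /etc/ssl/cert.pem from ca_root_nss)
    tls-cert-bundle: /etc/ssl/cert.pem

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#name: the name after '#' is what the certificate is checked
    # against; verify against the provider's documentation
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.10@853#dns10.quad9.net
```

To check the chain end to end: run tcpdump on the WAN with a filter of port 53, query BIND from a LAN address, and confirm only port 853 traffic to the two upstreams appears. Then stop Unbound and query again: with "forward only" BIND returns SERVFAIL and tcpdump stays quiet; if you see port 53 packets at that point, the fallback is still enabled. Note that the NAT redirect on the LAN interface only rewrites packets arriving on LAN; it never touches queries that BIND itself generates on the firewall, which is why those go out unmodified.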
newsense (Hero Member, Posts: 1036, Karma: 77)
Re: BIND/Unbound/DoT leakage « Reply #1 on: March 08, 2019, 07:34:04 am »
For protecting and monitoring kids' activities online, either pi-hole.net or quidsup.net NoTrack might be better suited for the task. YouTube is your friend here.
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: BIND/Unbound/DoT leakage « Reply #2 on: March 08, 2019, 09:58:41 am »
With 19.1.3 you can also just use the dnscrypt-proxy plugin. It will encrypt DNS and has DNSBL on board.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
chemlud (Hero Member, Posts: 2483, Karma: 112)
Re: BIND/Unbound/DoT leakage « Reply #3 on: March 08, 2019, 11:23:01 am »
I'm not an expert, but a block rule
Block port 53 any NOT LANaddress
should do the trick and not allow any DNS except via the sense, or?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity." C.A.R. Hoare
Felix Eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
OPNsense4ever (Newbie, Posts: 24, Karma: 2)
Re: BIND/Unbound/DoT leakage « Reply #4 on: March 09, 2019, 09:57:55 pm »
I'll check out dnscrypt-proxy, but I'm not sure that would solve this, as I think it might be a firewall/NAT issue. My WAN interface rules look like this now:
But I still see DNS requests going out on the WAN interface.
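The tcpdump evidence mentioned in the first post and in reply #4 tells you more than "DNS is leaking" if you sort the packets by destination. This added example (not from the thread, not an OPNsense tool) reads tcpdump's `-n` text output for the WAN interface and classifies every packet the firewall itself sends: port 853 to a configured upstream is the expected DoT path; port 53 to one of those same upstreams means some resolver is forwarding there without TLS; port 53 to any other address means the resolver on the firewall is doing its own recursion, which is what the first post describes (forwarders ignored, or BIND's "forward first" fallback). The WAN address 203.0.113.10, the two upstreams and the capture lines are constructed. One caveat the thread circles around: the NAT redirect and a LAN block rule like the one in reply #3 only see packets arriving on LAN, so traffic generated by BIND or Unbound on the firewall itself is only visible, and only blockable, on the way out of WAN, which is the interface this script expects to be capturing on.

```python
"""Classify plaintext DNS leaving a firewall's WAN from tcpdump text.

Added example (not from the OPNsense thread). Feed it the output of
    tcpdump -n -l -i <wan_if> 'port 53 or port 853'
on stdin, or run it without input to use the constructed sample below.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed environment; substitute your own values.
WAN_ADDR = "203.0.113.10"
DOT_UPSTREAMS = {"1.1.1.1", "9.9.9.10"}

# tcpdump -n line: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# "A? example.com." inside the decoded DNS part of the line
QUERY_RE = re.compile(r"\b([A-Z0-9]+)\? (\S+)")


@dataclass(frozen=True)
class Leak:
    ts: str
    dst: str
    dport: int
    kind: str    # recursion | plaintext-forwarder | dot-to-unexpected-peer
    query: str   # "A example.com." or "-" when not a decoded query


def classify(line):
    """Return a Leak for an unexpected packet sent by the firewall, else None."""
    m = PKT_RE.match(line)
    if m is None or m["src"] != WAN_ADDR:
        return None  # unparsed, or not originated by the firewall itself
    dst, dport = m["dst"], int(m["dport"])
    if dport == 853:
        if dst in DOT_UPSTREAMS:
            return None  # the encrypted path that was configured
        kind = "dot-to-unexpected-peer"
    elif dport == 53:
        # Plaintext to a configured upstream: something forwards to it
        # without TLS. Plaintext anywhere else: the local resolver is
        # recursing on its own (forwarder ignored or fallback engaged).
        kind = "plaintext-forwarder" if dst in DOT_UPSTREAMS else "recursion"
    else:
        return None
    q = QUERY_RE.search(m["rest"])
    query = f"{q.group(1)} {q.group(2)}" if q else "-"
    return Leak(m["ts"], dst, dport, kind, query)


def find_leaks(lines):
    """Classify every line; keep only the ones that are leaks."""
    return [leak for leak in map(classify, (l.rstrip("\n") for l in lines))
            if leak is not None]


def summarize(leaks):
    """Count leaks per kind, e.g. {'recursion': 2, 'plaintext-forwarder': 1}."""
    return dict(Counter(leak.kind for leak in leaks))


# Constructed capture in tcpdump -n text format (not a real trace):
# two DoT flows to the configured upstreams, one inbound reply, two
# self-recursion queries to random authoritative servers, and one
# plaintext query to a configured upstream.
SAMPLE_CAPTURE = """
12:00:01.000001 IP 203.0.113.10.41234 > 1.1.1.1.853: Flags [S], seq 1, win 65535, length 0
12:00:01.100001 IP 203.0.113.10.53011 > 198.51.100.53.53: 12345+ A? example.com. (29)
12:00:01.200001 IP 198.51.100.53.53 > 203.0.113.10.53011: 12345 1/0/0 A 192.0.2.10 (45)
12:00:02.000001 IP 203.0.113.10.53012 > 192.0.2.53.53: 12346+ [1au] AAAA? www.example.org. (44)
12:00:02.500001 IP 203.0.113.10.42000 > 9.9.9.10.853: Flags [P.], seq 1:200, ack 1, win 1000, length 199
12:00:03.000001 IP 203.0.113.10.53013 > 1.1.1.1.53: 12347+ A? leak.example. (30)
""".strip().splitlines()


if __name__ == "__main__":
    import sys
    source = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin
    leaks = find_leaks(source)
    for leak in leaks:
        print(f"{leak.ts} {leak.kind:22} -> {leak.dst}:{leak.dport}  {leak.query}")
    print(summarize(leaks))
```

Run against a live capture, a "recursion" entry is the signature of the problem in the first post, and a non-empty "plaintext-forwarder" list means a resolver on the firewall was pointed at the DoT provider's address on port 53 rather than at Unbound. An empty result while the kids' devices are resolving names is what a working chain looks like.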