Is there an official or recommended way to forward all ipv6 DNS requests?

Started by Ground_0, December 03, 2023, 01:54:43 PM

I am sure many of us have found this excellent tutorial: https://forum.opnsense.org/index.php?topic=9245.0
which I am using, and it works great for ipv4.
Further down in the thread some people have inquired as to an equivalent method for ipv6, without any real consensus.
Of course, there are a few more threads around the web asking similar questions, but none seem to have any real traction.
I am currently using DNS over TLS. My ISP is dual-stack ipv4/6 and I am utilizing ipv6 (LAN tracking WAN)
Unfortunately, I can't really find any official documentation addressing this scenario. The official unbound docs state:
Quote: Should clients query other nameservers directly themselves, a NAT redirect rule to 127.0.0.1:53 (the local Unbound service) can be used to force these requests over TLS.
(from https://docs.opnsense.org/manual/unbound.html)
So, with this in mind, as well as the fact that, I believe, ipv6 ignores NAT, I am compelled to ask the community for an official or correct, or at least, clean and recommended method to forward ipv6 DNS requests (for an Opnsense beginner).
Thank you!
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*


Yes, that is the exact method I am using and thank you for your time.
However, my question is a bit more specific; I am wondering how to forward ALL DNS (port 53) ipv6 requests on the LAN and force them to use unbound DoT port 853.
(For instance, some clients may 'go rogue' and try to use 2606:4700:4700::1111 when I want them to use 2001:4860:4860::8888)
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Here are my Firewall LAN rules.
Is this an effective strategy for IPV6?

Edit: No image hosting allowed?
Interface:LAN
TCP/IP ver:IPV6
Protocol: TCP/UDP
Destination Invert: checked
Destination: LAN address
Destination Port Range: DNS, DNS
Redirect Target IP: Single Host or Network: ::1
Redirect Target Port: DNS
NAT Reflection: Default

The IPV6 rule is nearly identical to the ipv4 rule, but is using ::1 instead of 127.0.0.1
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Disabling clients from using their own DoT, DoH, or DoQ is a complicated matter. Against DoT you have Zenarmor. Against DoQ you can block QUIC in Zenarmor. But DoH blocking is a lot more complicated, unless you have an exhaustive list of all DoH servers. The problem is that anyone may start a DoH server, so such list is never foolproof.

Correction: Zenarmor blocks DoH, not DoT. But the problem that anyone may create their own DoH server persists. DoH is indistinguishable from regular HTTPS traffic. Technically, Zenarmor can inspect HTTPS connections, but that breaks much of the internet and smartphone apps.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

Quote from: almodovaris on August 25, 2024, 12:22:40 PM
Disabling clients from using their own DoT, DoH, or DoQ is a complicated matter. Against DoT you have Zenarmor. Against DoQ you can block QUIC in Zenarmor. But DoH blocking is a lot more complicated, unless you have an exhaustive list of all DoH servers. The problem is that anyone may start a DoH server, so such list is never foolproof.

Correction: Zenarmor blocks DoH, not DoT. But the problem that anyone may create their own DoH server persists. DoH is indistinguishable from regular HTTPS traffic. Technically, Zenarmor can inspect HTTPS connections, but that breaks much of the internet and smartphone apps.
Thank you for the insight.
I guess my follow-up question would be, is there a way to forward ipv6 DNS requests akin to the ipv4 tutorial at https://forum.opnsense.org/index.php?topic=9245.0 ?
There seem to be no guides or consensus on a workable solution that I can find.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Out of curiosity I tried your setup:

Source: *
Destination: !LAN address
Destination port: 53
Protocol: IPv6, TCP/UDP
Redirect: ::1
Rule association: pass

The redirection seems to work just fine:
root@opnsense:~ # tcpdump -i lo0 -n port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo0, link-type NULL (BSD loopback), snapshot length 262144 bytes
15:03:35.584046 IP6 2003:a:d59:******.18249 > ::1.53: 63442+ [1au] A? www.heise.de. (53)
15:03:40.585240 IP6 2003:a:d59:******.48087 > ::1.53: 63442+ [1au] A? www.heise.de. (53)


But Unbound seems unwilling to answer on that socket:
2024-08-25T15:03:45 Notice unbound [55765:0] notice: sendmsg failed: Invalid argument

So I tried AdGuard Home instead - same result.

Maybe in IPv6 ::1 as a source address is not possible? In the IPv4 setup 127.0.0.1 is necessary so NAT works in both directions via the state tracking without an explicit rule on the internal interface.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
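As an added illustration (not code from the thread or from OPNsense), a small Python check that parses the kind of lo0 tcpdump output and Unbound log line Patrick posted: it counts, per LAN client, queries redirected to ::1 against replies coming back from ::1, and flags the "redirected but never answered" pattern when it coincides with "sendmsg failed" notices. The sample capture and log lines are constructed with 2001:db8::/32 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -i lo0 -n port 53` on the firewall, using
# 2001:db8::/32 documentation addresses (not the thread's capture).
TCPDUMP_LINES = """\
15:03:35.584046 IP6 2001:db8:1::10.18249 > ::1.53: 63442+ [1au] A? www.heise.de. (53)
15:03:40.585240 IP6 2001:db8:1::10.48087 > ::1.53: 63442+ [1au] A? www.heise.de. (53)
15:03:41.100000 IP6 2001:db8:1::20.51000 > ::1.53: 1023+ [1au] AAAA? www.opnsense.org. (57)
15:03:41.104000 IP6 ::1.53 > 2001:db8:1::20.51000: 1023 1/0/1 AAAA 2001:db8:2::1 (85)
"""

# Constructed Unbound log excerpt in OPNsense's log line format.
UNBOUND_LOG = """\
2024-08-25T15:03:45 Notice unbound [55765:0] notice: sendmsg failed: Invalid argument
"""

# One tcpdump DNS line: "<ts> IP6 <src>.<sport> > <dst>.<dport>: <id>[+] <rest>"
PKT_RE = re.compile(r'^(?P<ts>\S+) IP6 (?P<src>\S+)\.(?P<sport>\d+) > '
                    r'(?P<dst>\S+)\.(?P<dport>\d+): (?P<id>\d+)\+? (?P<rest>.*)$')
# A query carries "<QTYPE>? <name>"; a response carries an answer count "a/n/au".
QUERY_RE = re.compile(r'\b[A-Z0-9]+\? ')

def parse_tcpdump(text, resolver='::1'):
    """Per client: queries redirected to the resolver vs. responses it sent back."""
    stats = defaultdict(lambda: {'queries': 0, 'responses': 0})
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        if d['dst'] == resolver and d['dport'] == '53' and QUERY_RE.search(d['rest']):
            stats[d['src']]['queries'] += 1
        elif d['src'] == resolver and d['sport'] == '53':
            stats[d['dst']]['responses'] += 1
    return dict(stats)

def count_sendmsg_failures(log_text):
    """Count Unbound 'sendmsg failed' notices, i.e. replies it could not send."""
    return sum(1 for line in log_text.splitlines() if 'sendmsg failed' in line)

def diagnose(stats, sendmsg_failures):
    """Clients whose redirected queries got no reply; with sendmsg failures this
    points at a redirect target the resolver cannot use as a reply source."""
    silent = sorted(c for c, s in stats.items() if s['queries'] and not s['responses'])
    return {'silent_clients': silent,
            'sendmsg_failures': sendmsg_failures,
            'redirect_reply_broken': bool(silent) and sendmsg_failures > 0}
```

Run it against a real capture by replacing the constructed strings with `tcpdump` and `unbound` output taken from the firewall.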

Thank you as well, Patrick.
I'll keep searching.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*