Suricata IPS/IDS & Unbound LAN Issue

Started by Azokul, March 03, 2025, 05:48:10 PM


Hi,
I'm trying to understand how to set up Suricata with Unbound DNS on OPNsense.

Right now I'm using Unbound at 192.168.1.48:53 and it serves the LAN.

I don't have hardware offloading, nor am I forwarding DNS. I also don't have DNS set up on the General tab.

I'm also not using "Allow DNS server list to be overridden by DHCP/PPP on WAN".

I'm testing the Facebook DNS rule with nslookup, but it never triggers an alert.

2025-03-01T21:14:34 | Informational | unbound | [39188:3] info: reply from <facebook.com.>
2025-03-01T21:14:34 | Informational | unbound | [39188:3] info: response for facebook.com. A IN
2025-03-01T21:14:34 | Informational | unbound | [39188:3] info: resolving facebook.com. A IN

51000003 | alert | opnsense.social_media.rules | social-media | OPN_Social_Media - Facebook - DNS request for facebook.com

As far as I understand, after a little bit of research, I think it might be related to the rules' behaviour.
Localnet is 192.168.0.0/16, but the rules expect an external request to !LOCALNET, which is definitely never true.
As DNS requests (to my understanding) are sent via Localnet to Unbound, they get re-routed to WAN for an external request.
So, realistically, my DNS request for facebook is always within Localnet if I'm monitoring LAN.

If I try on WAN instead, I think I might get problems related to the fact that the WAN is a PPPoE connection, which doesn't really seem very well supported.
Any idea?
Thanks in advance


Quote from: Azokul on March 03, 2025, 05:48:10 PM




Instead of relying on `!LOCALNET`, modify the rule to specifically look for DNS traffic from your Unbound server's IP address to external DNS ports (usually UDP 53) on your LAN interface. However, this may not be directly possible with the predefined Suricata rules in the OPNsense GUI since `OPN_Social_Media` rules are often prepackaged.

Quote from: Azokul on March 03, 2025, 05:48:10 PM


Hi Azokul!
The problem is that DNS queries from LAN to Unbound are considered internal, so they do not match the !LOCALNET rule. For effective monitoring, you should set an outbound DNS inspection rule on WAN.
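Added example (not code from the thread, OPNsense or Suricata): a small Python model of how Suricata resolves `$HOME_NET` and `$EXTERNAL_NET` in a rule header, run over the two places the thread's facebook.com lookup can be captured (the LAN-side query to Unbound and Unbound's own recursive query on WAN). The packaged rule's header, the local rule, the client address and the WAN/upstream addresses are assumptions; the real OPN_Social_Media rule text is not on the page.

```python
import ipaddress
# Added example (not from the thread, OPNsense or Suricata): a simplified model of how
# Suricata resolves a rule header, showing which captures of the lookup can ever match.

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def addr_matches(spec, ip, home_net):
    """Resolve $HOME_NET, $EXTERNAL_NET (= !$HOME_NET), 'any' or a literal IP/CIDR."""
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return in_nets(ip, home_net)
    if spec == "$EXTERNAL_NET":
        return not in_nets(ip, home_net)
    return in_nets(ip, [spec])

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, flow, home_net):
    """Header match plus a dns.query-style substring check on the queried name."""
    return (addr_matches(rule["src"], flow["src"], home_net)
            and port_matches(rule["sport"], flow["sport"])
            and addr_matches(rule["dst"], flow["dst"], home_net)
            and port_matches(rule["dport"], flow["dport"])
            and rule["query"] in flow["query"].lower())

# Hypothetical stand-in for the packaged rule header: LAN host -> external resolver.
PACKAGED_RULE = {"src": "$HOME_NET", "sport": "any", "dst": "$EXTERNAL_NET", "dport": "any", "query": "facebook.com"}
# Local rule aimed at the thread's internal Unbound instance instead.
LOCAL_RULE = {"src": "$HOME_NET", "sport": "any", "dst": "192.168.1.48", "dport": "53", "query": "facebook.com"}

# Constructed flows: LAN_QUERY is the client's lookup seen on LAN; WAN_QUERY is
# Unbound's recursive query seen on WAN (public and upstream IPs are placeholders
# from the documentation ranges, not real addresses).
LAN_QUERY = {"src": "192.168.1.20", "sport": 51234, "dst": "192.168.1.48", "dport": 53, "query": "facebook.com."}
WAN_QUERY = {"src": "203.0.113.10", "sport": 40000, "dst": "198.51.100.53", "dport": 53, "query": "facebook.com."}

LOCALNET = ["192.168.0.0/16"]                       # the thread's Localnet setting
LOCALNET_PLUS_WAN = LOCALNET + ["203.0.113.10/32"]  # WAN address added to home net

if __name__ == "__main__":
    for name, rule, flow, home in [("packaged rule, LAN capture", PACKAGED_RULE, LAN_QUERY, LOCALNET),
                                   ("packaged rule, WAN capture", PACKAGED_RULE, WAN_QUERY, LOCALNET),
                                   ("packaged rule, WAN capture, WAN IP in home net", PACKAGED_RULE, WAN_QUERY, LOCALNET_PLUS_WAN),
                                   ("local rule, LAN capture", LOCAL_RULE, LAN_QUERY, LOCALNET)]:
        print(f"{name}: {rule_matches(rule, flow, home)}")
```

In this model, with the thread's Localnet alone, neither capture point matches the packaged header: on LAN the destination is internal, and on WAN the source is the firewall's own public address, so a WAN-side rule only fires once the WAN address is part of the home networks (or a local rule targets the internal resolver directly).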