DNS - Best Practices

Started by Giz, October 13, 2025, 05:52:47 PM

Noob here! (formerly a SonicWall guy)

Okay, I have a couple of OPNs (25.7.5) running now but am a little unsure of best practices with OPNsense regarding NAT'ed services.
I currently have DNS (BIND9) running internally and NAT'ed ns1, and it appears to be functioning. But ns1 is config'd to use Google's NS servers.
I am looking for the best way (suggestive) to config OPN and secure ns1 so its DNS is protected properly.

TIA
Giz..

Use malware-protecting fwd'ers, like 9.9.9.11, or the like.
Use DNSSEC.
Config your fw rule to allow only your bind IP to go to your selected fwd'er.

From there it should be pretty good.
Mini-pc N150 i226v x520, FREEDOM

Quote from: BrandyWine on October 13, 2025, 09:01:54 PM
> Use malware-protecting fwd'ers, like 9.9.9.11, or the like.
> Use DNSSEC.
> Config your fw rule to allow only your bind IP to go to your selected fwd'er.
>
> From there it should be pretty good.


1) Okay, so Quad9 gives me 9.9.9.9 and 149.112.112.112. Can I set that somewhere in OPNsense and then configure my NS server to fwd to the LAN side of OPNsense?
2) For this particular domain I have DNSSEC turned on at GoDaddy.

Tks for the starting places to read up on.
Giz..

Use the malware-blocking set:
Secured w/ECS: Malware blocking, DNSSEC validation, ECS enabled
IPv4
9.9.9.11
149.112.112.11
(https://quad9.net/service/service-addresses-and-features/)

OPNsense has the "Unbound" DNS service you can set up, and you can fwd to it. But why? Just allow your bind to do what it needs to do.
Just make your bind DNS the primary DNS for everything. bind will be way more robust when it comes to features.

Mini-pc N150 i226v x520, FREEDOM
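To put BrandyWine's two suggestions (forward-only to the Quad9 malware-blocking addresses, validate DNSSEC, and let only ns1 reach the forwarder) into something you can paste and then verify, here is an added example script. It is not from this thread or from the OPNsense or BIND projects. It prints a BIND `options` fragment for the Quad9 "Secured w/ECS" IPv4 addresses listed above, and it contains two small checks that parse `dig` header output: one for the AD (authenticated data) flag, which a validating resolver sets on answers from properly signed zones, and one for SERVFAIL, which a validating resolver returns for a zone whose signatures are broken. The LAN address of ns1 (`BIND_IP`) and the two test domains used in the `--live` section (`internic.net` as a signed zone, `dnssec-failed.org` as a deliberately broken one) are my assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from BIND/OPNsense.
# 1) emit a forward-only BIND options block pointing at Quad9 (from the thread)
# 2) verify from a LAN client that ns1 answers are DNSSEC-validated and that
#    a broken zone is refused. The checks parse dig output text, so they can be
#    exercised offline on captured output.

QUAD9_V4="9.9.9.11 149.112.112.11"   # Quad9 "Secured w/ECS" IPv4, per quad9.net
BIND_IP="${BIND_IP:-192.0.2.53}"     # ASSUMPTION: LAN address of your ns1 (constructed)

# Print a named.conf options fragment: forward everything to the given IPs and
# validate DNSSEC locally (so a bad answer from upstream is still rejected).
bind_forward_snippet() {
    ips="$1"
    list=""
    for ip in $ips; do list="$list $ip;"; done
    printf 'options {\n'
    printf '    forward only;\n'
    printf '    forwarders {%s };\n' "$list"
    printf '    dnssec-validation auto;\n'
    printf '};\n'
}

# Success when the dig header carries the "ad" flag (answer was validated).
dnssec_validated() {
    printf '%s\n' "$1" | grep -E '^;; flags:.*[[:space:]]ad[;[:space:]]' >/dev/null
}

# Success when the dig header status is SERVFAIL (validation failure).
is_servfail() {
    printf '%s\n' "$1" | grep -E '^;; ->>HEADER<<-.*status: SERVFAIL' >/dev/null
}

# Live checks run only with --live, so the script is inert without network.
if [ "${1:-}" = "--live" ]; then
    echo "# BIND forwarding fragment for ns1:"
    bind_forward_snippet "$QUAD9_V4"
    # ASSUMPTION: internic.net is DNSSEC-signed; dnssec-failed.org is a public
    # test zone with deliberately broken signatures.
    good=$(dig @"$BIND_IP" +dnssec internic.net A)
    bad=$(dig @"$BIND_IP" +dnssec dnssec-failed.org A)
    if dnssec_validated "$good"; then echo "ok: AD flag set, validation works"
    else echo "FAIL: no AD flag from ns1"; fi
    if is_servfail "$bad"; then echo "ok: broken zone refused with SERVFAIL"
    else echo "FAIL: broken zone was answered"; fi
    # With the firewall rule from the thread in place (only ns1 may reach the
    # forwarders on port 53), a client querying 9.9.9.11 directly should time out.
fi
```

Run it as `sh dnscheck.sh --live` from a LAN host once the fragment is in `named.conf` and BIND has been reloaded; the two "ok" lines are what "DNSSEC is protecting the resolver" looks like in practice, and a missing AD flag with a NOERROR answer is the usual sign that validation is configured somewhere but not on the path the client actually uses.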

Quote from: BrandyWine on October 13, 2025, 09:01:54 PM
> Use malware-protecting fwd'ers, like 9.9.9.11, or the like.
> Use DNSSEC.
> Config your fw rule to allow only your bind IP to go to your selected fwd'er.
>
> From there it should be pretty good.


If using DNS servers that use DNSSEC, I typically leave "Enable DNSSEC" turned off within OPNsense.
Quad9
NextDNS
and ControlD for my usage

Quote from: DEC670airp414user on Today at 11:11:03 AM
> If using DNS servers that use DNSSEC, I typically leave "Enable DNSSEC" turned off within OPNsense.
> Quad9
> NextDNS
> and ControlD for my usage

Tks for the replies (Dec & Brandy)

Yeah, I am thinking to leave OPN alone and just use the fwd'rs at the NS level.
Giz..