OPNsense

Author Topic: BIND/Unbound/DoT leakage  (Read 3191 times)

OPNsense4ever

  • Newbie
  • *
  • Posts: 29
  • Karma: 2
BIND/Unbound/DoT leakage
« on: March 08, 2019, 03:02:42 am »
Hello,

I set up Unbound recently to encrypt my DNS requests to 1.1.1.1 and 9.9.9.10. I then set up a NAT rule to push any port 53 request back to localhost for Unbound to grab and encrypt. This works as expected.

The next part is to set the kids' devices to use BIND so that I can use some of the DNSBLs there as well as force safe-search for Google, Bing, etc. I'm doing this with another NAT rule which works great. What I want is for BIND to forward requests to Unbound so that the non-blacklisted requests are encrypted. I guess I don't understand the "DNS Forwarders" field? Right now BIND is just hitting the Internet itself to look these up even though I have 127.0.0.1 in the "DNS Forwarders" field. I see them via tcpdump.

Is there any way to get this done?

Thanks so much!
« Last Edit: March 08, 2019, 03:05:26 am by OPNsense4ever »

newsense

  • Hero Member
  • *****
  • Posts: 1038
  • Karma: 77
Re: BIND/Unbound/DoT leakage
« Reply #1 on: March 08, 2019, 07:34:04 am »
For protecting and monitoring kids' activities online, either pi-hole.net or quidsup.net NoTrack might be better suited for the task. YouTube is your friend here.

mimugmail

  • Hero Member
  • *****
  • Posts: 6767
  • Karma: 494
Re: BIND/Unbound/DoT leakage
« Reply #2 on: March 08, 2019, 09:58:41 am »
With 19.1.3 you can also just use dnscrypt-proxy plugin. It will encrypt DNS and has DNSBL aboard.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

chemlud

  • Hero Member
  • *****
  • Posts: 2488
  • Karma: 112
Re: BIND/Unbound/DoT leakage
« Reply #3 on: March 08, 2019, 11:23:01 am »
I'm not an expert, but a block rule

Block port 53 any NOT LANaddress

should do the trick and not allow any DNS except via the sense, or?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

OPNsense4ever

  • Newbie
  • *
  • Posts: 29
  • Karma: 2
Re: BIND/Unbound/DoT leakage
« Reply #4 on: March 09, 2019, 09:57:55 pm »
I'll check out dns-proxy, but I'm not sure that would solve this as I think it might be a firewall/NAT issue. My WAN interface rules look like this now:



But I still see DNS requests going out on the WAN interface.
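Both the original post and reply #4 rely on tcpdump on the WAN interface to spot the leak, so here is an added example (not from the thread or from OPNsense) that classifies tcpdump lines captured on WAN: anything to port 53 is a plaintext DNS leak, port 853 to the two upstreams named in the thread (1.1.1.1, 9.9.9.10) is the expected DoT traffic, and 853 to anything else is flagged as unexpected. The sample lines, the 203.0.113.5 WAN address and the `Finding`/`audit` names are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# DoT upstreams configured in Unbound according to the original post.
DOT_UPSTREAMS = {"1.1.1.1", "9.9.9.10"}
DOT_PORT, DNS_PORT = 853, 53

# Address/port part of tcpdump's default IPv4 line:
# "HH:MM:SS.usec IP src.sport > dst.dport: ..."
PKT_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    verdict: str  # "leak", "ok" or "unexpected-dot"

def classify(line: str) -> Optional[Finding]:
    """Classify one tcpdump line from a WAN capture; None if not DNS/DoT."""
    m = PKT_RE.match(line)
    if not m:
        return None
    ts, src, _sport, dst, dport = m.groups()
    dport = int(dport)
    if dport == DNS_PORT:            # plaintext DNS left the firewall
        return Finding(ts, src, dst, dport, "leak")
    if dport == DOT_PORT:            # encrypted, but only OK to known upstreams
        ok = dst in DOT_UPSTREAMS
        return Finding(ts, src, dst, dport, "ok" if ok else "unexpected-dot")
    return None

def audit(lines: Iterable[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]

def summarize(findings: List[Finding]) -> dict:
    return dict(Counter(f.verdict for f in findings))

# Constructed sample, as if from: tcpdump -ni <wan> 'port 53 or port 853'
SAMPLE = [
    "03:02:42.000101 IP 203.0.113.5.41222 > 1.1.1.1.853: Flags [S], seq 1, win 65535, length 0",
    "03:02:42.000202 IP 203.0.113.5.51235 > 198.41.0.4.53: 22222% [1au] A? example.com. (40)",
    "03:02:42.000303 IP 203.0.113.5.51236 > 9.9.9.10.53: 33333+ A? example.net. (29)",
    "03:02:42.000404 IP 203.0.113.5.39999 > 9.9.9.10.853: Flags [P.], seq 1:100, ack 1, length 99",
    "03:02:42.000505 IP 203.0.113.5.40000 > 8.8.8.8.853: Flags [S], seq 1, win 65535, length 0",
    "03:02:42.000606 IP 203.0.113.5.44444 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0",
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} {f.verdict}")
```

The two "leak" lines in the sample are exactly what the thread describes: the firewall itself (here BIND doing its own lookups) sending plaintext queries out the WAN instead of handing them to Unbound.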

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved