Strange DNS lookups from firewall

Started by nylund, February 12, 2020, 10:59:42 AM

Hi,

I recently created a NAT rule redirecting all DNS lookups from clients on my network(s) to the opnsense box (unbound).
Seems to work fine. If I try to do a DNS lookup from one of my clients to a non-existent DNS server, I still get an answer (from unbound).

However, in the log, I still see unknown DNS lookups to servers I have not set in System: Settings: General:

WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:29809   40.90.4.201:53   udp   let out anything from firewall host itself (force gw)   
WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:27319   13.107.24.201:53   udp   let out anything from firewall host itself (force gw)   
WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:38033   64.4.48.201:53   udp   let out anything from firewall host itself (force gw)   
WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:5254   64.4.48.201:53   udp   let out anything from firewall host itself (force gw)   
WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:34242   13.107.24.201:53   udp   let out anything from firewall host itself (force gw)   
WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:33800   40.90.4.201:53   udp   let out anything from firewall host itself (force gw)   
WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:35915   13.107.24.201:53   udp   let out anything from firewall host itself (force gw)   
WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:59161   13.107.24.201:53   udp   let out anything from firewall host itself (force gw)   
WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:36519   40.90.4.201:53   udp   let out anything from firewall host itself (force gw)   
WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:54124   40.90.4.201:53   udp   let out anything from firewall host itself (force gw)   
WAN      Feb 12 10:48:27   xxx.xxx.xxx.xxx:38769   13.107.160.201:53   udp   let out anything from firewall host itself (force gw)

I also see them when doing a packet capture on the WAN interface.

Anyone know why the firewall uses DNS servers not specified by me?

BR/Nylund

Hi!

I looked up two of these IPs, apparently Microsoft trash. Do you have any Win10 on your network?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Yes, appears to be azure-dns lookups.
I have a win2016 server.

But any dns lookup from my clients should be redirected by the NAT rule.

Maybe check if your DNS Unbound is listening on the WAN interface as well.
Default is ALL interfaces
Reduce it to LAN
English: Never try, never know!
German: Unversucht ist Unerfahren! (Untried is inexperienced!)

Thanks, yes it was set to all. I have changed that now but it still does a lot of ns lookups to different nameservers.
64.4.48.201:53
216.239.38.10:53
205.251.198.210:53
170.33.24.73:53
13.107.160.201:53
And so on... :(

Did you pcap the interface with the MS Win server to see if the requests come from this machine?
kind regards
chemlud

By default, unbound works as a recursive resolver. It will only use the DNS servers from System / Settings / General if you enable forwarding mode.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
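To make Maurice's point checkable from the log excerpt above, here is an added example (not code from the thread or from the OPNsense project) that parses filter-log lines in the layout Nylund posted and reports every outbound port 53/853 destination from the firewall host that is not in the administrator's configured forwarder list. In recursive mode such destinations are expected: they are TLD and authoritative name servers, not forwarders. In forwarding mode every hit is worth a look. The sample lines, the source address 203.0.113.10 and the 9.9.9.9 forwarder are constructed for the example.

```python
"""Classify outbound DNS egress from an OPNsense/pf filter log.

Added example, not from the forum thread or the OPNsense project.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the thread's log excerpt. The source
# address, the 9.9.9.9 forwarder, the LAN redirect line and the :443 line are
# made up so the filter has something to skip.
SAMPLE_LOG = """\
WAN      Feb 12 10:48:27   203.0.113.10:29809   40.90.4.201:53   udp   let out anything from firewall host itself (force gw)
WAN      Feb 12 10:48:27   203.0.113.10:27319   13.107.24.201:53   udp   let out anything from firewall host itself (force gw)
WAN      Feb 12 10:48:27   203.0.113.10:38033   64.4.48.201:53   udp   let out anything from firewall host itself (force gw)
WAN      Feb 12 10:48:28   203.0.113.10:51002   9.9.9.9:53   udp   let out anything from firewall host itself (force gw)
WAN      Feb 12 10:48:28   203.0.113.10:51003   9.9.9.9:853   tcp   let out anything from firewall host itself (force gw)
LAN      Feb 12 10:48:29   192.168.1.20:50001   192.168.1.1:53   udp   redirect DNS to unbound
WAN      Feb 12 10:48:30   203.0.113.10:40000   198.51.100.5:443   tcp   let out anything from firewall host itself (force gw)
"""

# interface, timestamp, src:port, dst:port, proto, rule label (IPv4 only)
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+"
    r"(?P<label>.*?)\s*$"
)

DNS_PORTS = {53, 853}  # plain DNS and DNS over TLS


def parse_line(line):
    """Return a dict for one filter-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def unexpected_dns_egress(log_text, configured_forwarders, wan_iface="WAN"):
    """Count DNS egress on the WAN interface whose destination is not a
    configured forwarder. Keys are (dst, dport, proto)."""
    allowed = [ip_network(f, strict=False) for f in configured_forwarders]
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != wan_iface or rec["dport"] not in DNS_PORTS:
            continue
        try:
            dst = ip_address(rec["dst"])
        except ValueError:
            continue  # anonymised or malformed address, cannot classify
        if any(dst in net for net in allowed):
            continue
        hits[(rec["dst"], rec["dport"], rec["proto"])] += 1
    return hits


if __name__ == "__main__":
    # 9.9.9.9 stands in for the forwarders set under System: Settings: General.
    report = unexpected_dns_egress(SAMPLE_LOG, ["9.9.9.9", "149.112.112.112"])
    for (dst, port, proto), n in report.most_common():
        print(f"{n:3d}  {dst}:{port}/{proto}")
```

Run it against `clog /var/log/filter.log` output on the box (or a Live View export) with your real forwarder list. With Unbound in forwarding mode the report should be empty apart from the forwarders themselves; a non-empty report means something on the firewall is still resolving recursively or using resolvers you did not configure.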

Quote from: Maurice on February 12, 2020, 02:40:14 PM
By default, unbound works as a recursive resolver. It will only use the DNS servers from System / Settings / General if you enable forwarding mode.

Cheers

Maurice

Ahhh thanks! :)
Found the setting to change to forwarding mode. Now it only resolves using my specified forwarders.

Nylund,

you made me curious and I did exactly the same as you now with the forwarders.
Had to google which DNS servers the FW contacts.

But for now I went with 8.8.8.8 and 8.8.4.4. Which is fine.

btw: maybe take a look at DNSBL via unbound.
install the package via console "pkg install os-unbound-plus-devel"

then select the blocklists you want.
cheers A


Quote from: miroco on February 12, 2020, 08:58:06 PM
If I didn't misunderstand you, DNSBL is already part of the plugin os-dnscrypt-proxy.

https://homenetworkguy.com/how-to/configure-dns-over-https-dnscrypt-proxy-opnsense/

miroco

Hello Miroco,
thanks for the article. I did install the package for Unbound as I do not use DNSCrypt yet.
But will for sure take a look on the documentation you posted!

thank you!
armin

Sweet thanks for this @miroco I just set mine up similar to this as well and makes me much happier to see the encryption in progress.


Quote from: miroco on February 12, 2020, 08:58:06 PM
If I didn't misunderstand you, DNSBL is already part of the plugin os-dnscrypt-proxy.

https://homenetworkguy.com/how-to/configure-dns-over-https-dnscrypt-proxy-opnsense/

miroco

Dear Miroco
I am struggling with the config. Yes, it is well explained; I guess I have a misconfig on my system with unbound.

Used a port forward to route internal DNS traffic to 127.0.0.1 and set up the LAN FW rule to allow it.
Unbound I configured to use the system tab forwarders (System - Settings - General -> DNS server pointing to the WAN GW).

I removed them, disabled Unbound and activated dnscrypt.
Left the servers in the last position on default and did not specify any in the server tab.
Also used the option Allow Privileged Ports and changed the listener to 127.0.0.1.

BUT.. do not get any names resolved so far.
What did i miss?

Thank you very much.
armin

PDF attached shows the config page. And YES, I had to disable it again.

ArminF, did you tick the box that says Enable DNSCrypt-Proxy at the very top?

Quote from: cguilford on February 13, 2020, 03:30:21 PM
ArminF, did you tick the box that says Enable DNSCrypt-Proxy at the very top?

Also, did you fill out the Server list section at the bottom? I.e. I have Cloudflare and quad9-doh-ip4-filter-pri