Author Topic: I tried to block all but approved DNS servers. It didn't do anything. (Read 2658 times)

hilfubsi · « **on:** November 13, 2020, 11:17:52 am »

I'm trying to block all DNS queries, and only allow queries to the opnsense firewall's DNS or nextdns.io's DNS.

Attached is my config.

I try to enable or disable logging for these two rules and run `dig @1.1.1.1 example.com` but it never ever shows anything in the log (either in the web UI, or using option 10 on the serial/ssh console to opnsense) and it gets a response for any domain name I try. I would expect dig to timeout instead, and the firewall logs to show the packets were caught by the rule.

What's going on? How do I block ALL DNS queries and only allow devices inside my network to query OPNsense's internal DNS or nextdns'?

Gauss23 · « **Reply #1 on:** November 13, 2020, 11:22:11 am »

In the first line you have a "any/any" rule that allows just everything. Your other rules are not inspected at all.

hilfubsi · « **Reply #2 on:** November 13, 2020, 11:27:01 am »

Well, that's embarrassing. I should move that rule all the way down, right? If I remove it all traffic will be blocked?

hilfubsi · « **Reply #3 on:** November 13, 2020, 11:30:37 am »

And also, what do I need to add so that devices with a hardcoded DNS that isn't one of the allowed ones get forwarded to the firewall instead?

Gauss23 · « **Reply #4 on:** November 13, 2020, 11:31:18 am »

Quote from: hilfubsi on November 13, 2020, 11:27:01 am

Well, that's embarrassing. I should move that rule all the way down, right? If I remove it all traffic will be blocked?

This rule is enabled by default. It should be removed and you should create your own ruleset. When you remove it, you'll still be able to access the GUI but your internet access will be blocked. So you should add the most important rules (destination ports 80 and 443 for example).

And you don't need any block rules (apart from some scenarios). If traffic is not allowed it will be blocked automatically.

Gauss23 · « **Reply #5 on:** November 13, 2020, 11:32:32 am »

Quote from: hilfubsi on November 13, 2020, 11:30:37 am

And also, what do I need to add so that devices with a hardcoded DNS that isn't one of the allowed ones get forwarded to the firewall instead?

https://forum.opnsense.org/index.php?topic=9245.0

hilfubsi · « **Reply #6 on:** November 13, 2020, 11:33:58 am »

Quote from: Gauss23 on November 13, 2020, 11:31:18 am

Quote from: hilfubsi on November 13, 2020, 11:27:01 am
Well, that's embarrassing. I should move that rule all the way down, right? If I remove it all traffic will be blocked?

This rule is enabled by default. It should be removed and you should create your own ruleset. When you remove it, you'll still be able to access the GUI but your internet access will be blocked. So you should add the most important rules (destination ports 80 and 443 for example).

And you don't need any block rules (apart from some scenarios). If traffic is not allowed it will be blocked automatically.

I'm worried this would break a lot of things on my network, like consoles and other things that need uPnP to work.

Author Topic: I tried to block all but approved DNS servers. It didn't do anything. (Read 2658 times)

hilfubsi

I tried to block all but approved DNS servers. It didn't do anything.

Gauss23

Re: I tried to block all but approved DNS servers. It didn't do anything.

hilfubsi

Re: I tried to block all but approved DNS servers. It didn't do anything.

hilfubsi

Re: I tried to block all but approved DNS servers. It didn't do anything.

Gauss23

Re: I tried to block all but approved DNS servers. It didn't do anything.

Gauss23

Re: I tried to block all but approved DNS servers. It didn't do anything.

hilfubsi

Re: I tried to block all but approved DNS servers. It didn't do anything.