firewall allowing WAN to connect to Google DNS servers

Started by Inxsible, March 03, 2021, 07:18:05 AM

I have set up my firewall to use the Unbound resolver and I don't forward DNS to any other server. I have NOT set up any DNS servers in System --> Settings --> General.


However, I still see in the firewall logs the WAN IP connecting to 8.8.8.8 on port 53 for DNS. Where would this DNS server (8.8.8.8) be set up, so that I can force everything to go through the Unbound resolver?


Quote from: marjohn56 on March 03, 2021, 07:23:25 AM
Got any Android devices?


https://www.androidpolice.com/2020/03/26/make-android-use-dns-server-choice/

Yes, but they all go out via my VPN client gateway -- not via my ISP WAN (at least when they are on my wifi). I do have a Roku which goes out via the ISP (because Netflix/Amazon Prime don't like VPN exit nodes).

Would there be a way to quickly find out which client (on the LAN) is actually making that request to the 8.8.8.8 DNS server?

Only by IP address/MAC.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Turns out that it is the automatically generated Floating rules that are allowing that traffic. pfSense didn't have any floating rules by default.

How would I disable these Floating rules? I don't see the option to disable or delete next to the auto-generated rules, like we have on the manually created rules.

March 04, 2021, 07:32:06 AM #5 Last Edit: March 04, 2021, 07:33:55 AM by Inxsible
Tried "Disable force gateway" under Firewall --> Settings --> Advanced, which removed 3 of the 17 auto-generated floating gateway rules (WAN DHCP6, WAN DHCP and VPN DHCP), but it still didn't remove the rule with the description "let out anything from the firewall host itself".

However, that just killed DNS completely for me. I couldn't even visit google.com. Had to un-check "Disable force gateway" in order to visit any website.

Questions:

  • Why does OPNsense create these auto-generated floating firewall rules which allow all traffic to pass?
  • Is there no way to disable them without losing connectivity?
  • Since these floating rules exist, the devices on my network are able to connect to multiple DNS servers - I saw Google DNS, Cloudflare DNS and others being connected to. How would I force all devices to only use the Unbound resolver?

I think you are fighting the wrong war. Find the client(s) initiating the traffic and fix your DNS leak first...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: Inxsible on March 04, 2021, 07:32:06 AM
How would I force all devices to only use the Unbound resolver?

Just redirect DNS requests not going to your sense:
https://forum.opnsense.org/index.php?topic=9245.0

Remember this will only work for normal DNS requests, but not for DoT or DoH!
I am not an expert... just trying to help...

This does have the sense of an X-Y problem. The focus should be on getting your LAN firewall rules right. Remember by default all traffic is blocked on the internal interfaces unless explicit rules are included to allow it. So regulate the traffic as you want it on the LAN interface - this is also the most efficient way of dropping traffic. The floating rule then falls out of the picture.

Quote from: chemlud on March 04, 2021, 09:00:38 AM
I think you are fighting the wrong war. Find the client(s) initiating the traffic and fix your DNS leak first...
I have a similar issue and, looking at the log, I can see the source address is the WAN IP; I don't see how to identify the IP address of the client...  ???

Try putting this in your custom options for Unbound; I think that's all I did. I see very few Google addresses in my logs.

ssl-upstream: yes
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853              # Quad9 IPv4
    forward-addr: 149.112.112.112@853      # Quad9 IPv4
    forward-addr: 2620:fe::fe@853          # Quad9 IPv6
    forward-addr: 1.1.1.1@853              # Cloudflare IPv4
    forward-addr: 1.0.0.1@853              # Cloudflare IPv4
    forward-addr: 2606:4700:4700::1111@853 # Cloudflare IPv6
    forward-addr: 2606:4700:4700::1001@853 # Cloudflare IPv6


You should only see WoodyNet, Cloudflare and your own IP then in a DNS leak test. Of course, if you want total privacy, use a VPN. Of course this will not stop pesky devices like Chromecast from using 8.8.8.8, but it's on my IoT VLAN anyway, so who cares.

Quote from: hushcoden on March 04, 2021, 03:07:24 PM
Quote from: chemlud on March 04, 2021, 09:00:38 AM
I think you are fighting the wrong war. Find the client(s) initiating the traffic and fix your DNS leak first...
I have a similar issue and, looking at the log, I can see the source address is the WAN IP; I don't see how to identify the IP address of the client...  ???

Packet capture on the LAN interface(s). Find out who is contacting 8.8.8.8. But if you block all traffic with target port 53 (except to the LAN address of the OPNsense) and use a properly configured Unbound, you should not see anything leaving WAN to target port 53.
kind regards
chemlud
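The capture-and-classify step chemlud describes, as an added example that is not from any post in this thread: it runs over a constructed list of LAN-side flows (what a packet capture or the live firewall log would give you) and reports, per client, which ones bypass the local resolver. The firewall's LAN address 192.168.1.1 and the flow tuples are assumptions; the resolver addresses are the ones named earlier in the thread. It also flags DoT (port 853) and HTTPS to those same resolver IPs, which a port-53 redirect never sees.

```python
"""Find LAN clients whose DNS bypasses the firewall's Unbound resolver.

Added example, not code from the forum thread or from OPNsense.
Equivalent live capture on the LAN interface (BPF filter):
    tcpdump -ni <lan-if> 'port 53 and not host 192.168.1.1'
"""
from collections import defaultdict
from ipaddress import ip_address

RESOLVER = ip_address("192.168.1.1")  # assumption: OPNsense LAN address
# Public resolvers mentioned in the thread; HTTPS to these is worth a look
# because DoH uses port 443 and is invisible to a port-53 redirect.
PUBLIC_RESOLVERS = {ip_address(a) for a in ("8.8.8.8", "1.1.1.1", "9.9.9.9")}

# Constructed sample flows: (src, dst, proto, dst port)
FLOWS = [
    ("192.168.1.50", "192.168.1.1", "udp", 53),     # fine: goes to Unbound
    ("192.168.1.77", "8.8.8.8", "udp", 53),         # plain-DNS leak
    ("192.168.1.77", "8.8.8.8", "tcp", 53),         # same client, TCP
    ("192.168.1.90", "1.1.1.1", "tcp", 853),        # DoT: redirect can't catch
    ("192.168.1.90", "1.1.1.1", "tcp", 443),        # possibly DoH
    ("192.168.1.50", "93.184.216.34", "tcp", 443),  # ordinary HTTPS, ignored
]


def classify(flow):
    """Return a finding label for one flow, or None if it is unremarkable."""
    _src, dst, proto, dport = flow
    dst = ip_address(dst)
    if dport == 53:
        return None if dst == RESOLVER else "plain-dns-leak"
    if dport == 853 and proto == "tcp":
        return "dot"
    if dport == 443 and proto == "tcp" and dst in PUBLIC_RESOLVERS:
        return "possible-doh"
    return None


def leaks_by_client(flows):
    """Map client IP -> {finding: sorted list of destinations}."""
    report = defaultdict(lambda: defaultdict(set))
    for flow in flows:
        kind = classify(flow)
        if kind:
            report[flow[0]][kind].add(flow[1])
    return {c: {k: sorted(v) for k, v in kinds.items()}
            for c, kinds in report.items()}


if __name__ == "__main__":
    for client, findings in leaks_by_client(FLOWS).items():
        print(client, findings)
```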

March 04, 2021, 05:02:35 PM #12 Last Edit: March 04, 2021, 05:06:20 PM by Inxsible
Quote from: chemlud on March 04, 2021, 09:00:38 AM
I think you are fighting the wrong war. Find the client(s) initiating the traffic and fix your DNS leak first...
Not sure if I have a DNS leak --- yet.

dnsleaktest extended test results show me only 1 DNS server -- which is the same IP as my VPN exit point -- on Chromium

dnsleaktest extended test results show me only 1 DNS server -- which is an IP of Cloudflare  -- on Firefox.

Not sure why I get different results in different browsers. The above was also happening in my pfSense install. It may be because I do have a Cloudflare DNS account that I use for the DNS challenge for my Caddy2 reverse proxy, which maintains all my Let's Encrypt certs for the various services on my network (Nextcloud, Bitwarden, Guacamole etc...)

But why Chromium shows me the VPN address whereas Firefox shows me the Cloudflare IP, I have no idea!!

March 04, 2021, 05:28:52 PM #13 Last Edit: March 05, 2021, 01:10:31 AM by Inxsible
Quote from: tiermutter on March 04, 2021, 11:25:34 AM
Quote from: Inxsible on March 04, 2021, 07:32:06 AM
How would I force all devices to only use the Unbound resolver?

Just redirect DNS requests not going to your sense:
https://forum.opnsense.org/index.php?topic=9245.0

Remember this will only work for normal DNS requests, but not for DoT or DoH!
I don't use the port forward method for restricting DNS, but here is the layout I have:
LAN + 4 VLANs (WORK, IOT, GUEST, CCTV)


  • LAN & GUEST networks exit via the VPN gateway
  • WORK and IOT networks exit via the ISP gateway (due to Netflix and Prime having issues when exiting via VPN)
  • CCTV has no access to the internet. It can only access my NVR IP on the LAN

Here are the rules that I have set up for individual networks/VLANs:

I have similar rules set up for all other networks. I am only allowing DNS to the OPNsense server. So why is 8.8.8.8 being contacted, in addition to so many other DNS servers?

Here's the firewall log. The label clearly indicates the rule that is allowing that traffic:


One thing that I don't understand is that 10.8.0.11 is my VPN IP, not my actual WAN/ISP IP. So why is the interface listed as WAN?

I found that rule was the auto-generated rule set up under the Floating Rules.


So obviously it's allowing that DNS server to be contacted. Which brings me back to the question, why can't I disable/delete the auto-generated rules?

OMG...
kind regards
chemlud