DNS leaks, even after DNS catch-all port forward
jclendineng:
Old post, but if RAM is an issue, ditch Suricata. Almost 0 use cases for home usage. Well, I'll say it is 0. It's fun to learn and manage and all that, but know that it's useless for most people. You aren't being exploited, you have a firewall that's default blocking incoming connections; if you are concerned, geoblock from aliases, and use FireHOL blocklists to deny certain IP ranges only if you run a website or something. If you don't, you have no benefits from any of that. On a 620 you have a pretty weak CPU as well, so I would definitely stay away from Suricata. Just my 2c :)
koushun:
jclendineng
But, if you have services facing the public? Then would it not be beneficial to also use Suricata / IDS?
I have a lot of these coming on my public facing ports these days, which I think Suricata handles pretty well :)
--- Code: ---2034647 blocked xxx.xxx.xxx.xxx 54658 yyy.yyy.yyy.yyy 80 ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)
--- End code ---
jclendineng:
--- Quote from: koushun on December 30, 2021, 09:46:26 pm ---jclendineng
But, if you have services facing the public? Then would it not be beneficial to also use Suricata / IDS?
I have a lot of these coming on my public facing ports these days, which I think Suricata handles pretty well :)
--- Code: ---2034647 blocked xxx.xxx.xxx.xxx 54658 yyy.yyy.yyy.yyy 80 ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)
--- End code ---
--- End quote ---
Yes :) that's why I said unless you run a website or something. I do run many public services as well as semi-public for mostly myself, so I do use Suricata. My point was more that if he is a *typical* home user and running on that old old hardware, Suricata may not be the best option as it will eat resources that could be used for other things. I have 2 of those T620s laying around and most modern SBCs can outperform them these days; it's super old. I agree, if you run services externally, definitely use a SIEM or whatnot. I would play the devil's advocate though: for personal services, a properly configured firewall and services behind it will be plenty secure without Suricata if OP decides not to use it. Updated dependencies and properly secured services will be great, but conversely, if you only run Suricata thinking it's enough, without worrying about the exposed services etc., that's not really secure. Suricata (Snort as well for that matter, any IPS/IDS) requires tweaking and an understanding that if you don't, you will have a ton of false positives. You have to babysit the ruleset, and understand why you need it and what it's doing and not doing. If someone were to just turn it on WAN and not do that, it probably won't do too much good. Suricata isn't this magical security suite; it's a glorified signature-based scanner.
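Added example, not from the thread or from OPNsense/Suricata: a small Python parser for alert lines in the column layout koushun pasted (SID, action, source IP, source port, destination IP, destination port, signature message), which counts hits per signature and per destination port so a noisy rule can be spotted during the ruleset review jclendineng describes. The column layout is inferred from that one line, and every sample line except the one from the thread is constructed.

```python
import re
from collections import Counter

# One alert line in the layout pasted above (assumed from the single example):
#   <sid> <action> <src_ip> <src_port> <dst_ip> <dst_port> <signature message>
ALERT_RE = re.compile(
    r"^(?P<sid>\d+)\s+(?P<action>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+"
    r"(?P<msg>.+)$"
)

def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not match the layout."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # CVE ids embedded in the signature message, if any
    rec["cve"] = re.findall(r"CVE-\d{4}-\d{4,}", rec["msg"])
    return rec

def summarize(lines):
    """Count alerts per (sid, message) and per destination port; keep lines that did not parse."""
    by_sig, by_dport, unparsed = Counter(), Counter(), []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        by_sig[(rec["sid"], rec["msg"])] += 1
        by_dport[rec["dport"]] += 1
    return {"by_signature": by_sig, "by_dport": by_dport, "unparsed": unparsed}

# Constructed sample: the line from the thread plus made-up lines (SID 9000001 and the
# RFC 5737 addresses are placeholders, not real rules or hosts).
SAMPLE = """
2034647 blocked xxx.xxx.xxx.xxx 54658 yyy.yyy.yyy.yyy 80 ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)
2034647 blocked 203.0.113.7 40112 198.51.100.20 443 ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)
9000001 allowed 192.0.2.9 51000 198.51.100.20 80 LOCAL constructed test signature
this line is not an alert
""".strip("\n").splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for (sid, msg), n in s["by_signature"].most_common():
        print(f"{n:4d}  {sid}  {msg}")
    print("unparsed lines:", len(s["unparsed"]))
```

Signatures that top the count every day on ports you do not expose are the first candidates for tuning or disabling.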
ChrisChros:
I think another way to force all DNS traffic over dedicated servers is to combine the already mentioned NAT portforward rule with a NAT outbound rule.
This is also described in this thread: https://forum.opnsense.org/index.php?topic=15472.msg71345#msg71345
With this setup, I think, Suricata is not necessary to block all DNS traffic via DoT, DoH. This should save a little bit of performance, especially on older hardware.
I run this combination on my system and it looks like it's working. Also, when I run the DNS leak test, only my classified DNS servers are listed.