Constant DNS queries for opnsense.emergingthreats.net

Started by nikon112, January 30, 2023, 08:38:49 PM

After enabling Unbound DNS reporting I am seeing over 40,000 DNS queries for opnsense.emergingthreats.net over the course of six hours.

I am using Unbound (no blocklist) on opnsense with DoT to nextdns.
The queries all Pass and come back NOERROR with the vast majority being answered from Cache.
Since the queries are mostly being answered from cache they don't show up on nextdns, which is why I had not noticed before.
To be clear the queries are also not being blocked by nextdns.

Is anyone else seeing this issue, or know how to fix it?

Thanks.

Using the os-etpro-telemetry IDS rules plugin?
"When you allow your OPNsense system to share anonymized information about detected threats - the alerts -
you are able to use the ETPro ruleset free of charge."

Getting the same, only the number of queries is much larger for me. Anyone got any idea how to mitigate against this?

November 13, 2024, 06:00:39 AM #3 Last Edit: November 13, 2024, 09:46:34 AM by OpalALeslie
Quote from: nikon112 on January 30, 2023, 08:38:49 PM
After enabling Unbound DNS reporting I am seeing over 40,000 DNS queries for opnsense.emergingthreats.net over the course of six hours.


I am using Unbound (no blocklist) on opnsense with DoT to nextdns.
The queries all Pass and come back NOERROR with the vast majority being answered from Cache.
Since the queries are mostly being answered from cache they don't show up on nextdns, which is why I had not noticed before.
To be clear the queries are also not being blocked by nextdns.

Is anyone else seeing this issue, or know how to fix it?

Thanks.
Excessive DNS query issue for opnsense.emergingthreats.net within six hours when using Unbound DNS on OPNsense, while users search for solutions to minimize the continuously generated traffic.


Don't use Suricata?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 21, 2024, 12:17:29 AM #5 Last Edit: November 21, 2024, 01:13:10 AM by someone
Original question sounds like DNS or a misbehaving schedule possibly
Is your DNS sticking to its set IP
DNS settings in unbound
set your servers in system general
have the correct settings in unbound

November 21, 2024, 12:56:46 AM #6 Last Edit: November 21, 2024, 01:17:16 AM by someone
Are you behind an IPS router
Did you reset it before you went online
When you load opnsense, download your rules and apply them, and make your changes
I would create a snapshot and click it to be active, so that's what will be booted on the next powerup
After changes I would make another snapshot
Are you capturing packets or looking at them or the traffic
Once you set your DNS servers and reboot, look for your DNS server IP
Does your IPS let you select your own DNS or have to use theirs
Make sure let ISP override your settings is unchecked
Are you using Firefox
In the settings under privacy and security
At the bottom check use your own DNS servers
Do you have an ET schedule activated
I am not getting that traffic
But I was getting DNS bombs, not any more

check the box flush cache on reboot, then reboot, check logs
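
To find out which client is issuing the opnsense.emergingthreats.net lookups discussed in this thread, the following added example (not part of any post above) tallies them from Unbound's query log. It assumes Unbound's `log-queries` option is enabled and that lines end in the form `info: <client> <name>. <type> <class>`; the sample log lines and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Tail of an Unbound "log-queries" line: "info: <client> <qname>. <qtype> <qclass>".
# An optional leading "[epoch]" timestamp is captured when present (assumed format).
QUERY_RE = re.compile(
    r"^(?:\[(?P<epoch>\d+)\]\s+)?.*?\binfo: (?P<client>\S+) (?P<qname>\S+?)\.? "
    r"(?P<qtype>[A-Z0-9]+) (?P<qclass>[A-Z]+)\s*$"
)

# Constructed sample lines, not taken from the thread. The fifth line is a
# reply-style line (extra fields after the class) and must not be counted.
SAMPLE_LOG = """\
[1675111129] unbound[4242:0] info: 127.0.0.1 opnsense.emergingthreats.net. A IN
[1675111129] unbound[4242:0] info: 127.0.0.1 opnsense.emergingthreats.net. AAAA IN
[1675111130] unbound[4242:1] info: 192.168.1.20 example.org. A IN
[1675111131] unbound[4242:0] info: 127.0.0.1 opnsense.emergingthreats.net. A IN
[1675111131] unbound[4242:0] info: 127.0.0.1 opnsense.emergingthreats.net. A IN NOERROR 0.000000 1 62
[1675111159] unbound[4242:1] info: 192.168.1.20 opnsense.emergingthreats.net. A IN
"""


def summarize(log_text, domain):
    """Count queries for one domain by client and record type, plus rate per minute."""
    domain = domain.rstrip(".").lower()
    by_client, by_type, stamps = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m or m["qname"].lower() != domain:
            continue  # not a query line, or a query for another name
        by_client[m["client"]] += 1
        by_type[m["qtype"]] += 1
        if m["epoch"]:
            stamps.append(int(m["epoch"]))
    total = sum(by_client.values())
    span = max(stamps) - min(stamps) if len(stamps) > 1 else 0
    return {
        "total": total,
        "by_client": dict(by_client),
        "by_type": dict(by_type),
        # None when the log carries no usable timestamps
        "per_minute": round(total * 60 / span, 1) if span else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "opnsense.emergingthreats.net"))
```

A count dominated by 127.0.0.1 means the firewall itself is the source of the lookups rather than a LAN client.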