I am having trouble with my DNS and NTP settings getting bypassed

Started by someone, October 09, 2024, 04:12:18 AM

Anyone know a way to hold your preferences in OPNsense?
Probably the way I have something set.
Using Unbound I entered Google as DNS; it works a couple of times, then gets overridden.
Same with the NTP servers; they would not stay on the OPNsense servers.
Any way to beef up the security of those? Thanks.

I appreciate not everyone's first language is English but your posts are hard to understand. Please see if you can observe the rules of grammar.
Now then for your questions.
> Anyone know a way to hold your preferences in OPNsense?
If you are not running on a live USB session, i.e. OPN is actually installed, all changes made via the UI persist across reboots.

> Using Unbound I entered Google as DNS; it works a couple of times, then gets overridden.
Where is it entered?
Where does it get overridden?

> Any way to beef up the security of those? Thanks.
What makes you think these settings are insecure?

My DNS is constantly hijacked.
I have tried many settings in both OPNsense and the browser.
The Firefox browser also tries to control DNS.
I have tried turning those off.
So far I know of no way to set DNS settings and have them applied on a consistent basis.
Hijacking and zone transfers; I cannot set a DNS server no matter what I enter so far.
I monitor packets and IPs.
Yes, the NTP is getting overridden by the OS NTP servers.
And then those also get hijacked due to the DNS getting hijacked.
Depending on the day I am attacked every 5 to 15 seconds.
Just wondering if anyone knew how to control your DNS and get it to keep what you set.
This is an area I haven't had much success with yet.
My ISP router was destroyed due to the hijacking MITM.

What exactly do you mean by "DNS getting hijacked"? I have no problem even remotely connected to that term.

I block port 53 and 853 outbound. I give all client systems the local OPNsense as their DNS server via DHCP. I also use a DoH blocklist in Adguard Home.

Case closed. There is no way a system in my network uses any DNS server but my local OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I also do not get what you're talking about.

For DNS on the OPNsense: System - Settings - General: Allow DNS server list to be overridden by DHCP/PPP on WAN (UNCHECK)

For NTP and DNS on other interfaces: Allow DNS & NTP to the Interface which belongs to the Subnet and block everything else.

"My ISP router was destroyed due to the hijacking MITM"
Wondering how an ISP router should be destroyed, though. Either way, it's compromised or not. But destroyed?
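
The two pieces of advice above (block 53 and 853 outbound and hand out the local OPNsense as the resolver; allow DNS and NTP only to the interface address of the subnet and block everything else) can be checked against a packet capture taken on the LAN side. The following is an added example, not code from this thread or from OPNsense itself: it parses tcpdump-style lines and flags any LAN client that talks DNS (53), DoT (853) or NTP (123) to anything other than the firewall's interface address. The LAN network, the firewall address and the sample lines are constructed for the example; on a real box you would feed it the output of something like `tcpdump -n -i <lan-interface> port 53 or port 853 or port 123`.

```python
"""Flag DNS / DoT / NTP flows that bypass the local OPNsense resolver and NTP server.

Added example for the forum thread; not part of OPNsense. All addresses and
the sample capture lines below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed policy: clients on this LAN may use only the firewall's
# interface address for DNS, DoT and NTP.
LAN_NET = ip_network("192.168.1.0/24")
OPNSENSE_LAN_ADDR = ip_address("192.168.1.1")
POLICED_PORTS = {53: "DNS", 853: "DoT", 123: "NTP"}

# Matches the "IP src.sport > dst.dport:" part of a tcpdump -n line (IPv4 only).
_TCPDUMP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

# Constructed tcpdump output: one policy-conforming flow per protocol,
# one bypass per protocol, and an unrelated HTTPS flow that must be ignored.
SAMPLE_LINES = """\
10:00:01.000000 IP 192.168.1.50.51234 > 192.168.1.1.53: 1+ A? example.com. (29)
10:00:01.500000 IP 192.168.1.50.51235 > 8.8.8.8.53: 2+ A? example.com. (29)
10:00:02.000000 IP 192.168.1.51.44444 > 9.9.9.9.853: Flags [S], seq 1, win 64240, length 0
10:00:03.000000 IP 192.168.1.52.123 > 192.168.1.1.123: NTPv4, Client, length 48
10:00:04.000000 IP 192.168.1.52.123 > 203.0.113.7.123: NTPv4, Client, length 48
10:00:05.000000 IP 192.168.1.50.50000 > 93.184.216.34.443: Flags [S], seq 2, win 64240, length 0
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_tcpdump_line(line: str) -> Optional[Flow]:
    """Extract source, destination and destination port from one tcpdump line."""
    m = _TCPDUMP_RE.search(line)
    if not m:
        return None
    src, _sport, dst, dport = m.groups()
    return Flow(src=src, dst=dst, dport=int(dport))


def classify(flow: Flow) -> Optional[str]:
    """Return a finding if the flow violates the DNS/DoT/NTP policy, else None."""
    if flow.dport not in POLICED_PORTS:
        return None  # not a service we police
    if ip_address(flow.src) not in LAN_NET:
        return None  # only the LAN side is subject to the policy
    if ip_address(flow.dst) == OPNSENSE_LAN_ADDR:
        return None  # allowed: the local resolver / NTP server
    service = POLICED_PORTS[flow.dport]
    return f"{service} bypass: {flow.src} -> {flow.dst}:{flow.dport}"


def audit(capture_text: str) -> List[str]:
    """Run every line of a capture through the policy and collect findings."""
    findings = []
    for line in capture_text.splitlines():
        flow = parse_tcpdump_line(line)
        if flow is None:
            continue
        finding = classify(flow)
        if finding:
            findings.append(finding)
    return findings


def bypass_destinations(capture_text: str) -> Dict[str, int]:
    """Count off-policy destinations as "ip:port" so a flood of resolvers stands out."""
    counts: Counter = Counter()
    for line in capture_text.splitlines():
        flow = parse_tcpdump_line(line)
        if flow is not None and classify(flow):
            counts[f"{flow.dst}:{flow.dport}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        print(f)
    print(bypass_destinations(SAMPLE_LINES))
```

With the firewall rules from the posts above in place, the audit should come back empty; any hit points at a client (or a browser with its own DoH/DoT settings) that is not using the resolver and NTP server the firewall hands out.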

If you don't know how an ISP router gets destroyed or hijacked, there are plenty of security sites to help.
Maybe you didn't see the latest on social media about thousands of home routers attacking Cloudflare
because their firmware was rewritten; you can watch YouTube videos on how to get into home routers.
They changed the cert in mine once; it now sits on a desk because its firmware was rewritten permanently.
It wants to go to TLD DNS, well known in the security world as a bad guy; there are a couple of Suricata rules
on that, but at the time my rules were not working.
NTP I can shut off so I don't get a jacked server site; that could be due to hijacked DNS first.
I also have attacks on NTP itself, trying to get a connection, trying to mimic an NTP server.
Then about DNS, this is what I am saying:
I haven't found any way, and I have tried and researched, to stop OPNsense from getting hijacked.
The browser has no problem hijacking OPNsense to use Firefox DNS; I have learned to turn it off.
Then the OS has no problem asking for its own DNS.
Just wondering if anyone else with ongoing attacks has found a method to secure DNS.
I am attacked every 5 seconds. I am on fiber, maybe that's why they target us,
botnets mostly; the global security community knows all about them, two in the US.
That's why you have botnet block lists in your Suricata rulesets.
Thanks everyone.

And yes, I know there is nothing we have that is secure; I would just like to control it
a little better than they do.

One other thing is ... do not attack these bot IPs.
Yes, they could be a bot server, or
they could be a router on a grandmother's desk that has been compromised.
Do not cause Grandma any suffering, please.

And thanks everyone, all suggestions are welcome; it may be something I haven't tried yet.
I will keep working on it, have to.
It's the only way I can get on the internet.
For the first 6 months of this year I couldn't get on the net for more than 15 seconds without getting shut down or a virus, really,
till OPNsense helped me; a regular home router doesn't stand a chance here.

Thank you, Mr. Hausen.
I will try closing 53 outbound, but I only have 443 and 53 open on the WAN.
Sounds like good security.
The client gets DNS from OPNsense, but it's OPNsense that gets hijacked.
It's OPNsense that sends a DNS lookup.
By hijacked I mean I can see the IPs of the request and replies,
and it changes from what my settings are, or what I put in the conf file;
then it will change again and again, like something shadow.com
or TLD.com (bad guy).
I do not have override DNS checked.
I tried to set it, and it worked for maybe 15 minutes;
maybe I changed settings too fast, maybe I need to reboot more.
Thanks again.

Thank you, fast boot.
It's DNS on the WAN.
I will check to see if there is a way to tighten security on DNS.

Thanks, cookiemonster.
I have OPNsense on a hard drive, but it doesn't pay attention to the DNS settings.
Could be compromised; it worked for a short while.
I watch the IPs and read the packets; my DNS setting is nowhere to be found.
I found one culprit was Firefox overriding OPNsense; I turned off its DNS and OPNsense worked for a little while.
It's doing it again. I will have to research who the DNS server is, because inarpa has nothing on it.
I will see if it's on the same one (sticks to one server) or random again.
The dig command just gives me a list of the root servers; it rarely ever uses one.

Discovered I am getting a DNS attack, called DNS something .. forgot.
It's on YouTube.
But a single request results in a hundred DNS servers queried,
which I saw after my last post when I started monitoring packets.

Changing DNS settings and trying Quad9.
Using DNS over TLS.
I set up the IPs and hostname dns.quad9.net and port 853.
Will test this and see if it gets better.
Thanks everyone.

DNS (as well as NTP) is blocked by default on WAN. Show your WAN rules, please.

Disregard, I discovered my OPNsense router and OS were compromised;
it took two days to remove the viruses, UDs, and malware.
I reload my OS daily.
I ran OPNsense without reloading for about 60 days before it was obviously destroyed.
That's a huge milestone in my environment.
Some day I hope I can learn enough security to get that far again and still keep running.
I will go back to reloading OPNsense every two weeks, have to.
DNS is working and so is NTP.
I don't know how to deploy Quad9 yet.
I have ,, in the system DNS settings.
I deployed the DNS over TLS and query forwarding for Quad9 on port 853.
It uses the system DNS servers on port 53 instead of Quad9.
I will try taking the system DNS servers out and look again.
Thanks everyone.
I ignored some signs the system was compromised; won't do that again.

A current default installation of OPNsense cannot be compromised from outside.

All of your posts are no facts and lots of speculation. My firewalls run for years with regular updates but without fresh installation every couple of weeks. Reinstalling everything regularly is cargo cult.

Unless you come up with some facts - firewall rules, packet traces, configuration details, ... I'm out of this conversation.

You must be trolling.

We like OPNsense. OPNsense works, it's good, really good.
We work to make it better and keep up with the security world.
Thanks contributors, testers, newbies and problem solvers.
Couple of things:
Nothing new concrete to implement yet.
Next I ask questions about what I see.
The community gives me answers or suggestions,
sometimes right, sometimes wrong. Wrong is also OK.
Sometimes it gives me ideas, and problems are worked out with persistence.
Sometimes right; I don't always have to be right, help is appreciated.
I post what I see so if anyone else comes across it,
hopefully there is an answer after some time and they can follow the post.
I will post my corrections or fixes or causes of problems.
All questions are welcome; yes, I am wrong sometimes.
Hopefully posts will point in the right direction or give ideas,
just like I follow others' posts about similar problems I have.

I have pcaps; what would anyone want to see?
Yes, they are HTTPS with encrypted bodies, but you can see the headers.
If anyone wants to see what a bot looks like,
or just plain hacking, let me know.
Can talk about attacks in the IPS section of the forum,
100's of thousands of them.
I've learned a lot in the last week.
Presently running the firewall with only 443 and 53 open, besides defaults.
Thanks, Quad9 is doing OK on 53 so far;
will try to go to port 853 later.
Thanks everyone.