[Solved] Untraceable dns requests

Started by FredFresh, December 27, 2024, 04:54:13 PM

December 27, 2024, 04:54:13 PM Last Edit: December 29, 2024, 11:06:50 AM by FredFresh
For a couple of days I have been seeing the following behaviour:

- on the external DNS server (i.e. Cloudflare, NextDNS, ...) there are multiple requests pointing to other DNS servers all around the world;
- the source ID of these calls is the Unbound server within the OPNsense;
- looking at Reporting / Unbound DNS / Details there is no record of any such calls;
- looking at Services / Unbound DNS / Log File there are records of such calls, but I can't identify the source yet;
- trying to get the IP behind such DNS servers and checking the firewall log still gives no answer.

Some of the addresses are: dns4me.net, dns.0x55.net, dns.0ooo.icu, dns-gcp.aaflalo.me, dns.688447.xyz ...

Strange thing is that I blocked bing.com in the blacklist of Unbound DNS, but I still see requests on the external DNS server.

Any hint about how to proceed? Thank you

You need both control and enforcement.

Control - use a single DNS authority in your environment. AdguardHome is a good option, pi-hole a distant second one which I don't recommend.

Enforcement - You can either block all outbound DNS requests from every machine on the FW - but this option leaves you rather blind in terms of who's trying to go where based on DNS requests - or use a port forward to transparently redirect all udp/tcp 53 queries to AdGuard Home.

Last but not least, don't forget browsers/phones/tablets will try to force their own DNS settings which may be encrypted - you'll want to make sure only your chosen DNS server answers and nothing else is allowed to escape.

December 28, 2024, 10:36:29 PM #2 Last Edit: December 28, 2024, 11:25:29 PM by FredFresh
Hi newsense, thanks for the reply. I agree with you in general terms, but my main problem here is that I can't understand the originator of these DNS calls.

I also found that performing a ping from OPNsense is not reported inside the live log of the firewall... Am I missing something? I expected to see every connection inside the live log and every DNS request inside the Unbound report page.

I believe that these calls are made by the firewall itself (maybe they are the repositories of the filtering lists), but I cannot see these requests (and investigate them) in either the Unbound reporting or the firewall log. I can instead find them inside the Services / Unbound DNS / Log File.

I remember that before, the logs also collected the connections initiated by the firewall itself (maybe I am wrong).

Many thanks.
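One way to answer "who originated these queries" from the Unbound log file that the posts above mention, as an added example that is not part of the thread and not OPNsense or Unbound code: Unbound can be told to log every query it receives (`log-queries: yes`), and each such line carries the address of the client that asked, so the firewall's own lookups show up with a loopback source (127.0.0.1 or ::1) while LAN clients show their real address. The parser below groups queries by name and client and lists the names that were only ever asked for by the firewall itself. The log lines are constructed for this example; the syslog/timestamp prefix in a real setup may differ, which is why the pattern anchors on `info:` rather than on the start of the line.

```python
"""Attribute Unbound query-log lines to the client that sent them.

Added example (not from the forum thread, OPNsense or Unbound). Assumes
Unbound runs with `log-queries: yes`, which logs each query as

    ... info: <client-ip> <qname> <qtype> <qclass>

SAMPLE_LOG below is constructed for this example.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# The prefix before "info:" varies (syslog vs. file logging), so we search
# for the query fields rather than matching the whole line.
QUERY_RE = re.compile(
    r"info:\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+"
    r"(?P<qtype>[A-Z0-9]+)\s+(?P<qclass>IN|CH|HS)\b"
)

SAMPLE_LOG = """\
[1735300000] unbound[4711:0] info: 192.168.1.50 www.bing.com. A IN
[1735300001] unbound[4711:0] info: 127.0.0.1 dns4me.net. A IN
[1735300002] unbound[4711:0] info: 127.0.0.1 dns.0x55.net. AAAA IN
[1735300003] unbound[4711:1] info: 192.168.1.77 example.com. A IN
[1735300004] unbound[4711:0] info: ::1 dns-gcp.aaflalo.me. A IN
[1735300005] unbound[4711:0] info: 127.0.0.1 dns.688447.xyz. A IN
[1735300006] unbound[4711:0] notice: init module 0: validator
"""


def parse_queries(log_text):
    """Yield (client, qname, qtype) for every line that is a query record."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        try:
            client = ip_address(m["client"])
        except ValueError:
            continue  # the "client" field was not an address: not a query line
        yield str(client), m["qname"].lower(), m["qtype"]


def attribute(log_text):
    """Map each queried name to a Counter of client addresses that asked for it."""
    by_name = defaultdict(Counter)
    for client, qname, _ in parse_queries(log_text):
        by_name[qname][client] += 1
    return dict(by_name)


def firewall_originated(log_text):
    """Names queried only from a loopback address, i.e. by the firewall host
    itself (one of its own services or Unbound) and never by a LAN client."""
    return sorted(
        qname
        for qname, clients in attribute(log_text).items()
        if all(ip_address(c).is_loopback for c in clients)
    )


if __name__ == "__main__":
    for qname, clients in sorted(attribute(SAMPLE_LOG).items()):
        print(f"{qname:28} {dict(clients)}")
    print("queried only by the firewall itself:", firewall_originated(SAMPLE_LOG))
```

Run against the real log file, the loopback-only names are the ones to look for in the firewall's own configuration (blocklist sources, update checks, scheduled jobs) rather than on a client; names with a LAN client address point at a device instead.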

The problem identified was the change in the format of the blocking lists I use with Unbound DNS: I tried to switch from the usual "asterisk wildcard" format to the RTP format.

The second is not compatible, and as a result the firewall started to randomly call the addresses reported inside (one of the lists refers to DNS services).

I restored the old format, and (for now) everything seems to be back to normal.
Thanks
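The fix above came down to a list being fed to the resolver in a format it did not expect. As an added example (not code from the thread, OPNsense or Unbound), the checker below tells the plain wildcard style apart from an RPZ zone file (which I take to be the format the post calls "RTP"; that reading is an assumption), extracts the blocked domains from each, and refuses to load a list whose detected format differs from the one the operator configured. Both sample lists are constructed for this example.

```python
"""Detect a DNS blocklist's format before loading it.

Added example (not from the forum thread, OPNsense or Unbound). It
distinguishes two formats: the plain/wildcard list (one name per line,
optionally prefixed with "*.") and an RPZ zone file (SOA/NS header plus
"<name> CNAME ." records). Sample lists are constructed.
"""
import re

# One name per line, with an optional "*." wildcard prefix.
WILDCARD_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+\.?$", re.I)
# RPZ zone-file header lines: $TTL/$ORIGIN directives, the SOA and NS records.
RPZ_HEADER_RE = re.compile(r"^(\$TTL|\$ORIGIN|@\s|\S*\s+(IN\s+)?(SOA|NS)\s)", re.I)
# RPZ policy records: "<owner> [ttl] [IN] CNAME <target>".
RPZ_RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(?P<target>\S+)\s*$", re.I
)

WILDCARD_LIST = """\
# constructed sample in wildcard style
*.bing.com
dns4me.net
dns.0x55.net
"""

RPZ_LIST = """\
; constructed sample in RPZ zone-file style
$TTL 300
@ SOA localhost. root.localhost. 1 3600 900 604800 300
  NS localhost.
dns4me.net CNAME .
*.dns4me.net CNAME .
dns.0x55.net IN CNAME .
"""


def _lines(text):
    """Yield non-empty lines with '#' and ';' comments stripped (leading
    whitespace is kept: it is meaningful for the RPZ NS header line)."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].rstrip()
        if line.strip():
            yield line


def _base(name):
    """Normalise a name: lowercase, no trailing dot, no '*.' prefix."""
    name = name.lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def detect_format(text):
    """Return 'wildcard', 'rpz', 'mixed', 'unknown' or 'empty'."""
    kinds = set()
    for line in _lines(text):
        if RPZ_HEADER_RE.match(line) or RPZ_RECORD_RE.match(line):
            kinds.add("rpz")
        elif WILDCARD_RE.match(line.strip()):
            kinds.add("wildcard")
        else:
            kinds.add("unknown")
    if not kinds:
        return "empty"
    return kinds.pop() if len(kinds) == 1 else "mixed"


def domains_from_wildcard(text):
    return {_base(l.strip()) for l in _lines(text) if WILDCARD_RE.match(l.strip())}


def domains_from_rpz(text):
    """Owners of CNAME records whose target is '.' (NXDOMAIN) or '*.' (NODATA),
    the two RPZ actions that block a name; other rewrites are ignored."""
    out = set()
    for line in _lines(text):
        m = RPZ_RECORD_RE.match(line)
        if m and m["target"] in (".", "*."):
            out.add(_base(m["owner"]))
    return out


def load_blocklist(text, expected):
    """Parse a list only if it is in the format the operator configured."""
    fmt = detect_format(text)
    if fmt != expected:
        raise ValueError(f"list is {fmt!r} but {expected!r} was configured; refusing to load")
    return domains_from_rpz(text) if fmt == "rpz" else domains_from_wildcard(text)


if __name__ == "__main__":
    print("wildcard list ->", sorted(load_blocklist(WILDCARD_LIST, "wildcard")))
    print("rpz list      ->", sorted(load_blocklist(RPZ_LIST, "rpz")))
    try:
        load_blocklist(RPZ_LIST, "wildcard")
    except ValueError as err:
        print("mismatch caught:", err)
```

The point of the check is the last call: an RPZ file handed to a loader expecting the wildcard style yields no usable domains at all (none of its lines look like a bare name), so failing loudly on the mismatch is safer than silently loading an empty or misread list.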