Suricata IPS/IDS & Unbound LAN Issue

Started by Azokul, March 03, 2025, 05:48:10 PM


Hi,
I'm trying to understand how to set up Suricata with Unbound DNS on OPNsense.

Right now I'm using Unbound at 192.168.1.48:53 and serving the LAN.

I don't have hardware offloading, nor am I forwarding DNS. I also don't have DNS set up on the General tab.



I'm also not using "Allow DNS server list to be overridden by DHCP/PPP on WAN."


I'm testing the Facebook DNS rule with nslookup, but it never triggers an alert.

2025-03-01T21:14:34 | Informational | unbound | [39188:3] info: reply from <facebook.com.>
2025-03-01T21:14:34 | Informational | unbound | [39188:3] info: response for facebook.com. A IN
2025-03-01T21:14:34 | Informational | unbound | [39188:3] info: resolving facebook.com. A IN

51000003 | alert | opnsense.social_media.rules | social-media | OPN_Social_Media - Facebook - DNS request for facebook.com

As far as I understand, after a little bit of research, I think it might be related to rule behavior.
Localnet is on 192.168.0.0/16, but the rules expect an external request for !LOCALNET, which is definitely never true.
As DNS requests (to my understanding) are sent via localnet to Unbound, they get re-routed to the WAN for an external request.
So, realistically, my DNS request for Facebook is always under Localnet if I'm monitoring the LAN.

If I try on the WAN instead, I think I might get problems related to the fact that the WAN is a PPPoE connection, which doesn't really seem to be very well supported.
Any idea?
Thanks in advance
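To make the direction problem described in the post concrete, here is an added example (not code from the post or from the OPNsense rule set) that evaluates a Suricata rule header against the two flows a LAN lookup produces: the client's query to the local Unbound, seen on the LAN interface, and Unbound's own query to an upstream resolver, seen on the WAN interface. The rule header `alert dns $HOME_NET any -> $EXTERNAL_NET any` is a hypothetical stand-in, since the real OPN_Social_Media rule text is not shown; the IP addresses are constructed (RFC 5737 ranges for the WAN side), and the second HOME_NET configuration, which adds the firewall's WAN address, is an assumption used to show what has to be true for the outbound resolver query to match at all.

```python
"""Evaluate a Suricata rule header against the two DNS flows behind a LAN lookup
that goes through a local Unbound resolver. Added example; all addresses are
constructed and the rule header is a hypothetical stand-in."""
import ipaddress
import re

# Hypothetical rule header (assumption): the real OPN_Social_Media rule is not on the page.
RULE = 'alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"DNS request for facebook.com"; sid:1;)'

# Constructed HOME_NET variants: the poster's "Localnet" alone, and the same
# range plus a constructed firewall WAN address (203.0.113.5, RFC 5737).
LAN_ONLY = [ipaddress.ip_network("192.168.0.0/16")]
LAN_AND_WAN = LAN_ONLY + [ipaddress.ip_network("203.0.113.5/32")]

# Constructed flows: (src_ip, src_port, dst_ip, dst_port).
FLOWS = {
    "LAN: client -> Unbound": ("192.168.1.10", 51234, "192.168.1.48", 53),
    "WAN: Unbound -> upstream": ("203.0.113.5", 40000, "198.51.100.53", 53),
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
)


def parse_header(rule):
    """Split a Suricata rule header into action/proto/src/sport/dir/dst/dport."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Suricata rule header: %r" % rule)
    return m.groupdict()


def in_home_net(ip, home_net):
    """True when ip falls inside any HOME_NET prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)


def addr_matches(spec, ip, home_net):
    """Evaluate $HOME_NET, !$HOME_NET, $EXTERNAL_NET or any against ip."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    if name == "$HOME_NET":
        hit = in_home_net(ip, home_net)
    elif name == "$EXTERNAL_NET":
        # Suricata's default EXTERNAL_NET is !$HOME_NET.
        hit = not in_home_net(ip, home_net)
    else:
        raise ValueError("unsupported address spec: %r" % spec)
    return (not hit) if negate else hit


def port_matches(spec, port):
    """Only 'any' and a single numeric port are modelled."""
    return spec == "any" or int(spec) == port


def rule_matches_flow(rule, flow, home_net):
    """True if the rule header matches the flow, honouring -> or <> direction."""
    h = parse_header(rule)
    src_ip, src_port, dst_ip, dst_port = flow

    def one_way(s_ip, s_port, d_ip, d_port):
        return (addr_matches(h["src"], s_ip, home_net) and port_matches(h["sport"], s_port)
                and addr_matches(h["dst"], d_ip, home_net) and port_matches(h["dport"], d_port))

    if h["dir"] == "<>":
        return (one_way(src_ip, src_port, dst_ip, dst_port)
                or one_way(dst_ip, dst_port, src_ip, src_port))
    return one_way(src_ip, src_port, dst_ip, dst_port)


def evaluate_flows(home_net, rule=RULE, flows=FLOWS):
    """Map each constructed flow name to whether the rule would alert on it."""
    return {name: rule_matches_flow(rule, flow, home_net) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, home_net in (("HOME_NET = LAN only", LAN_ONLY), ("HOME_NET = LAN + WAN address", LAN_AND_WAN)):
        print(label)
        for name, hit in evaluate_flows(home_net).items():
            print("  %-26s %s" % (name, "ALERT" if hit else "no match"))
```

With HOME_NET set to the LAN range only, neither flow matches: the client-to-Unbound query has both ends inside HOME_NET, and the Unbound-to-upstream query has a source outside it. The outbound flow on the WAN only matches once the firewall's own WAN address is part of HOME_NET, which is the check worth making in the IDS home-network settings before looking for the alert on the WAN interface.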