Weird DNS behavior.

Started by Siarap, April 16, 2025, 05:41:21 AM

April 16, 2025, 05:41:21 AM Last Edit: April 16, 2025, 06:33:53 AM by Siarap
My maltrail instance on 25.4 detects malicious DNS queries from my WAN address on port 53. I decided to block outbound connections from WAN with destination port 53. I have enabled DNS over TLS (Quad9). When I block port 53 I'm losing DNS resolving. No domains are resolved. So all the time I had no DNS encryption? What servers is OPNsense using then? Why is TLS port 853 not used?

EDIT: These DNS servers were used to resolve the malicious domains' IPs: 162.159.38.3, 172.64.35.93, 192.33.14.30. I never set these IP addresses anywhere. I have Unbound enabled as resolver + DNS over TLS.

These domains were resolved: cdn.prod.website-files.com, prod.website-files.com, .website-files.com
Maybe it's just a false positive in maltrail?
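As an added example (not from this thread, and not OPNsense or Unbound code), here is the check a practitioner would run against the firewall log to see what the resolver is actually reaching: it separates outbound flows from the WAN address into port 853 (DoT) and port 53 (plain DNS) and compares the port-53 destinations against the DoT upstreams that were configured. The record format, the WAN address 203.0.113.10 and the log lines are constructed for the example; real OPNsense filterlog entries are a different CSV layout and would need their own parser. The Quad9 addresses 9.9.9.9 and 149.112.112.112 are assumed to be the configured DoT servers because the post says Quad9 was enabled.

```python
"""Classify a resolver's outbound DNS flows as DoT (853) or plain DNS (53).

Constructed example: simplified firewall records, not the real OPNsense
filterlog format. Assumed field order per line:
  timestamp action direction interface proto src_ip src_port dst_ip dst_port
"""

DOT_PORT = 853
DNS_PORT = 53

# Constructed sample records (not real logs). They mimic what the post
# describes: DoT to the configured Quad9 servers, plus plain port-53 traffic
# to addresses that were never configured anywhere, and one blocked attempt
# after an outbound port-53 block rule was added.
SAMPLE_LOG = """\
2025-04-16T05:40:01 pass out wan tcp 203.0.113.10 51512 9.9.9.9 853
2025-04-16T05:40:02 pass out wan udp 203.0.113.10 40211 162.159.38.3 53
2025-04-16T05:40:02 pass out wan udp 203.0.113.10 40212 172.64.35.93 53
2025-04-16T05:40:03 pass out wan udp 203.0.113.10 40213 192.33.14.30 53
2025-04-16T05:40:04 pass out wan tcp 203.0.113.10 51513 149.112.112.112 853
2025-04-16T05:40:05 block out wan udp 203.0.113.10 40214 162.159.38.3 53
2025-04-16T05:40:06 pass out lan tcp 192.168.1.20 44321 192.168.1.1 53
"""

# Assumed configuration: the Quad9 DoT upstreams the poster enabled.
CONFIGURED_DOT_SERVERS = {"9.9.9.9", "149.112.112.112"}
WAN_IP = "203.0.113.10"  # constructed documentation address


def parse_record(line):
    """Parse one constructed record into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 9:
        return None
    ts, action, direction, iface, proto, src, sport, dst, dport = parts
    return {
        "ts": ts, "action": action, "dir": direction, "iface": iface,
        "proto": proto, "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
    }


def classify_dns_flows(log_text, wan_ip, configured_dot_servers):
    """Summarise outbound DNS flows originating from the WAN address.

    Returns the DoT upstreams seen, the plain-DNS destinations seen, which of
    those plain-DNS destinations are not in the configured DoT list, how many
    plain-DNS flows the firewall blocked, and a one-line verdict.
    """
    configured = set(configured_dot_servers)
    dot, plain, blocked_plain = set(), set(), 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Only the resolver's own outbound traffic matters here.
        if rec is None or rec["dir"] != "out" or rec["src"] != wan_ip:
            continue
        if rec["dport"] == DOT_PORT:
            if rec["action"] == "pass":
                dot.add(rec["dst"])
        elif rec["dport"] == DNS_PORT:
            plain.add(rec["dst"])  # blocked attempts still reveal intent
            if rec["action"] == "block":
                blocked_plain += 1

    unconfigured = plain - configured
    if unconfigured:
        # A recursive resolver walks the hierarchy itself on port 53; those
        # destinations never appear in any forwarding/DoT configuration.
        verdict = "recursion: plain port-53 queries go to servers not in the DoT list"
    elif plain:
        verdict = "cleartext forwarding: port-53 queries go to the configured upstreams"
    elif dot:
        verdict = "ok: all upstream DNS from the WAN address uses port 853"
    else:
        verdict = "no upstream DNS flows seen from the WAN address"

    return {
        "dot_upstreams": dot,
        "plain_dns_upstreams": plain,
        "unconfigured_plain": unconfigured,
        "blocked_plain": blocked_plain,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in classify_dns_flows(SAMPLE_LOG, WAN_IP, CONFIGURED_DOT_SERVERS).items():
        print(f"{key}: {value}")
```

Plain port-53 traffic to servers that never appear in the DoT configuration is what a recursive resolver produces when it resolves names itself from the authoritative servers; blocking port 53 on WAN then starves resolution, which would match the symptom in the post. The setting to verify in Unbound is whether queries are actually forwarded to the DoT servers rather than resolved recursively.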

Quote from: Siarap on April 16, 2025, 05:41:21 AM: When I block port 53 I'm losing DNS resolving.

That is super shocking... 😜


Quote: That is super shocking... 😜

Exactly, because I've set 853 TLS for DNS, and I'm blocking outgoing port 53 connections from WAN.

Quote from: Siarap on April 16, 2025, 06:16:40 PM: Exactly, because I've set 853 TLS for DNS, and I'm blocking outgoing port 53 connections from WAN.

Outgoing firewall rules are almost never what you want. You'd have to explain your setup and rules more for us to know what you're running into.

In the meantime, I wrote about this some time ago so you may find the posts helpful.

https://www.cjross.net/dns-security-and-adblock-with-opnsense-part-1/

https://www.cjross.net/dns-security-and-adblock-with-opnsense-part-2/

Sharing screenshots of your DNS setup on OPN would help.