Possible malware infection on opnsense router.

Started by Siarap, September 24, 2025, 06:45:20 PM

September 24, 2025, 06:45:20 PM Last Edit: September 24, 2025, 06:49:40 PM by Siarap
My maltrail detected mass connections to malware-related domains within about 3 minutes (many different domains). These connections were made over port 53 even though I have set DNS over TLS. These connections were made from the WAN IP address, not from LAN. Is it possible that my opnsense instance is infected?

EDIT: Currently partially solved by blocking outgoing traffic from WAN with port 53 as destination. But I am a network newbie, I don't know if it's enough.

Everything is possible - analyse the traffic with a packet trace, then try to find the source process with sockstat and friends ... do a packet trace on LAN, too, just in case ... etc.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I don't know if I can handle it alone. I'm just a user, loser and newbie.

Quote from: Siarap on September 24, 2025, 06:45:20 PM
These connections were made from the WAN IP address, not from LAN.

Are you sure about that? When your internal clients use DNS via port 53 to a specific DNS server, then obviously those requests go via the WAN IP via NAT. It seems ~10x more likely that some client has been infected than OpnSense...
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

September 24, 2025, 07:17:39 PM #4 Last Edit: September 24, 2025, 07:21:11 PM by Siarap
Quote from: meyergru on September 24, 2025, 07:11:11 PM
Quote from: Siarap on September 24, 2025, 06:45:20 PM
These connections were made from the WAN IP address, not from LAN.

Are you sure about that? When your internal clients use DNS via port 53 to a specific DNS server, then obviously those requests go via the WAN IP via NAT. It seems ~10x more likely that some client has been infected than OpnSense...

I have blocked traffic over port 53 to the internet from LAN and a port forward to redirect all DNS traffic generated in LAN to 127.0.0.1 (unbound). Then unbound with blocklists, then the traffic goes to the quad9 DNS, also with its own blocklists. Please READ CAREFULLY what I wrote. When I say from WAN I mean from WAN, not LAN. Maltrail also says clearly which interface generates the traffic. AND my DNS connection goes through TLS. That's why I don't understand why there are port 53 connections from WAN.

IMHO this is not diagnosable via a forum. You need to find someone knowledgeable and give them hands-on access to your machine. It's not rocket science but it needs familiarity with common Unix network and diagnostic tools.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I don't know such a person. I'll try to fight this threat on my own. Partially solved by blocking outgoing traffic to port 53 from WAN. But what if the malware uses DNS over HTTPS instead of raw DNS on port 53?

Save your config, reinstall OPNsense wiping everything, restore your config, upgrade to latest version. Watch what happens.

Disconnect everything from your LAN, leave your OPNsense running. Connect a known good PC directly to the LAN port. Watch if the problem persists. If it doesn't, it's not your OPNsense. Reconnect your switch if present. Power on one device at a time, each time observe what happens. So you can identify the device that causes the suspicious traffic.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Maltrail plugin already identified the device. SOURCE is the WAN IP address, not a LAN IP address. I get other traffic from LAN addresses. I'm running maltrail on every WAN/LAN/VLAN interface because I have them all. Previously suricata detected MANY exploits going on the WAN address, but these attacks stopped (they were blocked by the ET telemetry ruleset). Each of my devices in a VLAN is separated by VLAN. A few days ago I had a MASS port scan from multiple domains/IP ranges which was detected and blocked by crowdsec. I don't know what they are looking for because I have literally NOTHING here. I'm just a gamer who likes privacy and security. They will be upset when they break in hahaha.

Do you have any inbound open ports on WAN? For any services that run directly on your OPNsense?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

ALL ports closed. I'm just a gamer, no need to open ANY ports. I'm not hosting games.

Even if the requests themselves are done from OpnSense itself, it might still be a proxy thing for your LAN. You did not say anything about the DNS setup on your site up to your answer, so this was speculation. If you are so sure that OpnSense itself is infected, then fine, do as Patrick says.

I still say that an infection on one of your clients is 10 times more likely than one on OpnSense, but YMMV. Good luck.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: Siarap on September 24, 2025, 08:56:02 PM
ALL ports closed. I'm just a gamer, no need to open ANY ports. I'm not hosting games.

Then nobody can possibly have infected your OPNsense directly from outside. From inside via a previously infected client - yes. But as @meyergru wrote: highly unlikely.

Turn on the query log for whatever you use as a recursive server on your OPNsense, watch them, try to find the source of the queries step by step. Only method. No silver bullet.

If you want more help let's start with you describing your DNS setup in detail. Which servers - Unbound, DNSmasq, Adguard Home ... to which ports are they bound ... how did you configure DoT ... how exactly (show the firewall rules!) did you make sure clients cannot go directly to the Internet ...

The problem is - you probably think there's something obvious that experienced people like @meyergru and me know. Fact is, there is nothing obvious. It's all 100% particular to your specific configuration. When trying to help we build a mental image of your network (lacking real access). For that to be successful we need all relevant information.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
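One way to do the step-by-step attribution Patrick describes, and to check meyergru's point that a LAN client's queries leave with the WAN IP after NAT, is to read the pf state table rather than only the maltrail alert. This is an added example, not from the thread or from OPNsense: it parses constructed `pfctl -ss` lines in the FreeBSD print format (translated source, pre-NAT client address in parentheses, then destination; IPv4 only), assumes a WAN IP of 203.0.113.5 and Quad9 DoT on 9.9.9.9:853 as the only expected upstream, and separates port 53/853 states that were NATed from a LAN client from those the firewall opened itself.

```python
import re
from dataclasses import dataclass

# One line of `pfctl -ss` (FreeBSD/OPNsense state table), IPv4 only.
# A parenthesised address after the source is the pre-NAT (client) address.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
    r"(?:\s+\((?P<osrc>\d+\.\d+\.\d+\.\d+):(?P<osport>\d+)\))?"
    r"\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

@dataclass
class DnsState:
    proto: str
    origin: str      # "lan-client" if NATed, "firewall" if sourced from the WAN IP itself
    client: str      # the host that really opened the state
    dst: str
    dport: int
    expected: bool   # True when the destination is one of the configured upstream resolvers

def classify_dns_states(lines, wan_ip, upstreams):
    """Attribute outbound DNS states (port 53 or 853) to a LAN client or to the firewall."""
    out = []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if not m:
            continue                      # inbound ("<-") states and other formats are skipped
        dport = int(m["dport"])
        if dport not in (53, 853):
            continue
        if m["osrc"]:                     # NAT rewrote the source: a LAN/VLAN client did this
            origin, client = "lan-client", m["osrc"]
        elif m["src"] == wan_ip:          # no translation and source is the WAN IP: the box itself
            origin, client = "firewall", wan_ip
        else:
            continue
        out.append(DnsState(m["proto"], origin, client, m["dst"], dport,
                            (m["dst"], dport) in upstreams))
    return out

def unexpected(states):
    """States to investigate: DNS leaving towards something other than the configured upstream."""
    return [s for s in states if not s.expected]

# Constructed sample state table; 203.0.113.5 is the WAN IP, 9.9.9.9:853 the expected DoT upstream.
SAMPLE = """\
all tcp 203.0.113.5:54000 -> 9.9.9.9:853       ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:61000 (192.168.1.20:51234) -> 198.51.100.10:53       MULTIPLE:SINGLE
all udp 203.0.113.5:40001 -> 198.51.100.77:53       SINGLE:NO_TRAFFIC
all tcp 203.0.113.5:40002 (192.168.1.21:44444) -> 198.51.100.80:443       ESTABLISHED:ESTABLISHED
all udp 198.51.100.90:5000 <- 203.0.113.5:5000       NO_TRAFFIC:SINGLE
""".splitlines()

if __name__ == "__main__":
    for s in unexpected(classify_dns_states(SAMPLE, "203.0.113.5", {("9.9.9.9", 853)})):
        print(f"{s.proto} {s.origin:<10} {s.client} -> {s.dst}:{s.dport}")
```

A "firewall" result is the case where `sockstat -4 -u -p 53` on the box itself is the next step; a "lan-client" result names the host to pull off the network, as Patrick's one-device-at-a-time method would.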

September 24, 2025, 09:23:22 PM #13 Last Edit: September 24, 2025, 09:31:12 PM by Siarap
Quote from: Patrick M. Hausen on September 24, 2025, 09:07:55 PM
Quote from: Siarap on September 24, 2025, 08:56:02 PM
ALL ports closed. I'm just a gamer, no need to open ANY ports. I'm not hosting games.

Then nobody can possibly have infected your OPNsense directly from outside. From inside via a previously infected client - yes. But as @meyergru wrote: highly unlikely.

Turn on the query log for whatever you use as a recursive server on your OPNsense, watch them, try to find the source of the queries step by step. Only method. No silver bullet.

If you want more help let's start with you describing your DNS setup in detail. Which servers - Unbound, DNSmasq, Adguard Home ... to which ports are they bound ... how did you configure DoT ... how exactly (show the firewall rules!) did you make sure clients cannot go directly to the Internet ...

The problem is - you probably think there's something obvious that experienced people like @meyergru and me know. Fact is, there is nothing obvious. It's all 100% particular to your specific configuration. When trying to help we build a mental image of your network (lacking real access). For that to be successful we need all relevant information.

default dhcp with dnsmasq >> unbound with blocklists >> DNS over TLS to quad9 with blocklists. On the LAN side there is a block rule to block all outgoing traffic to any destination with destination port 53 + a port forward on the LAN/VLAN side to redirect all unencrypted DNS traffic to unbound. Also blocked outgoing TLS DNS from LAN. And I still get DNS traffic from WAN, not LAN, which points to malware-related domains. Even with an infected client on the LAN side, how is it still possible over port 53 unencrypted DNS when I set DNS over TLS? Am I doing something wrong? Is my DNS still leaking? And this malware traffic is directed to random DNS servers different from quad9. Tried the dnsleaktest site and there is no leak detected.

My first step would be: what queries exactly? Maybe the domains asked for already show a pattern ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)