this post was submitted on 14 Jan 2024

OPNsense

All discussions about the open source, FreeBSD-based firewall called OPNsense.

Hey all, recent convert from pfSense. I'm trying to make sure only the DNS servers I've defined are being used for lookups. I'm using Unbound and noticing a lot of traffic on port 53 to destinations other than the ones I've put in.

[email protected] 3 points 7 months ago

I do a dns redirect that redirects external 53 requests to an internal server.

Should be called a NAT redirect or firewall

[email protected] 1 point 7 months ago

Thanks, I might give that a go

[email protected] 3 points 7 months ago

Each network is different. I did this for my network which has multiple subnets and internal DNS servers sitting on the "server" subnet. The "server" subnet is excluded, since devices in there are more tightly controlled (and it would create a routing loop).

Granted, it may not be the best way, but here is how I did it:

  • Create Firewall Alias group (type: hosts) with IP addresses of internal DNS servers (PiHoles, in my case).
  • Create Firewall Alias group (type: URL Table IPs) for external DNS over HTTPS servers (content: https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt)
  • Create NAT Port Forward to route all traffic on port 53 to the alias (TCP/UDP, source: network, destination: !network on port 53, redirect target: DNS alias, redirect port: 53) for each network
  • Each network (except the "server" network) has the below rule set (order is important)
    • Allow TCP/UDP 53 to DNS alias
    • Drop all TCP/UDP 53
    • Drop all TCP/UDP 853
    • Drop all TCP/UDP 443 traffic to external DNS over HTTPS alias group

Since NAT port forward rules are processed before interface/network rules, any device using port 53 for DNS (regardless of the IP address they have set) will automatically (and transparently) get redirected to my PiHole servers. The drops are in place so devices that try to use other common DNS methods are blocked. Generally, those devices will then default to the DHCP DNS servers.

I have been running this config for a few years and have found a few downsides:

  • You can't visit websites that have the same addresses as their DNS hosts, i.e. https://1.1.1.1
  • Although https://github.com/jpgpi250/piholemanual is updated regularly, it has contained the odd false-positive (GitHub pages had a weird overlap at one point) breaking legitimate HTTPS traffic
  • My PiHole servers are configured to allow queries from all origins (theoretical security risk)

Hope this helps! And remember to be careful when messing with DNS and clear those caches when testing.
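The NAT redirect mentioned in the first reply and the alias / port-forward / filter-rule procedure in the reply above, modelled as an added example so the rule ordering can be checked against concrete flows. This is not OPNsense's, pf's or the commenter's own code: it is a small policy evaluator that applies the NAT port forward first and the per-network filter rules second, the order OPNsense uses. The subnets, the PiHole addresses and the DoH address list are constructed stand-ins for the aliases in the post, not the real URL-table contents.

```python
"""Model of the transparent-DNS-redirect rule set described in the thread.

Added example, not OPNsense or pf code. It evaluates constructed flows against
(1) a NAT port forward that rewrites port-53 traffic to the internal resolvers
and (2) the per-network filter rules, in the order OPNsense applies them
(NAT port forwards before interface rules). All addresses below are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# --- aliases (constructed values standing in for the aliases in the post) ---
DNS_ALIAS = {ip_address("10.0.50.10"), ip_address("10.0.50.11")}  # internal PiHoles
DOH_ALIAS = {ip_address("1.1.1.1"), ip_address("8.8.8.8")}         # stand-in for the DoH URL-table alias
SERVER_NET = ip_network("10.0.50.0/24")                           # the excluded "server" network
CLIENT_NETS = [ip_network("10.0.10.0/24"), ip_network("10.0.20.0/24")]  # networks that get the rule set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def nat_redirect(flow: Flow) -> Flow:
    """NAT port forward: source in a client network, destination outside that
    network, port 53 -> rewrite the destination to a DNS alias member.

    Mirrors "source: network, destination: !network on port 53, redirect target:
    DNS alias, redirect port: 53". A multi-host alias is load-balanced by pf; this
    model deterministically picks the lowest address so results are repeatable.
    Note that a query aimed directly at one PiHole from a client network is also
    matched (the PiHoles are outside the client network) and may be rewritten.
    """
    if flow.dport != 53 or flow.proto not in ("tcp", "udp"):
        return flow
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for net in CLIENT_NETS:
        if src in net and dst not in net:
            return replace(flow, dst=str(min(DNS_ALIAS)))
    return flow


def filter_rules(flow: Flow) -> str:
    """Per-network rules, evaluated in the order listed in the post. The server
    network (and anything not in a client network) has none of them."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in SERVER_NET or not any(src in net for net in CLIENT_NETS):
        return "pass"
    if flow.proto in ("tcp", "udp"):
        if flow.dport == 53 and dst in DNS_ALIAS:
            return "pass"   # Allow TCP/UDP 53 to DNS alias
        if flow.dport == 53:
            return "drop"   # Drop all TCP/UDP 53
        if flow.dport == 853:
            return "drop"   # Drop all TCP/UDP 853 (DNS over TLS)
        if flow.dport == 443 and dst in DOH_ALIAS:
            return "drop"   # Drop 443 to the DoH alias group
    return "pass"           # everything else falls through to the normal rules


def evaluate(flow: Flow) -> tuple[str, str]:
    """Apply the NAT port forward, then the filter; return (verdict, effective destination)."""
    after_nat = nat_redirect(flow)
    return filter_rules(after_nat), after_nat.dst


if __name__ == "__main__":
    # Constructed flows: a LAN client using a hard-coded public resolver, DoT,
    # DoH, plain HTTPS, and a server-subnet host doing its own lookups.
    samples = [
        Flow("10.0.10.5", "8.8.8.8", "udp", 53),          # redirected to a PiHole, passes
        Flow("10.0.10.5", "1.1.1.1", "tcp", 853),         # DoT, dropped
        Flow("10.0.10.5", "1.1.1.1", "tcp", 443),         # DoH (and the https://1.1.1.1 downside), dropped
        Flow("10.0.10.5", "93.184.216.34", "tcp", 443),   # ordinary HTTPS, passes
        Flow("10.0.50.10", "8.8.8.8", "udp", 53),         # server subnet, not redirected
    ]
    for f in samples:
        verdict, dst = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  =>  {verdict}, effective dst {dst}")
```

Running it shows the point the post makes about ordering: the port-53 flow to 8.8.8.8 is rewritten to the PiHole before the filter sees it, so the "allow 53 to DNS alias" rule matches and the later "drop all 53" rule only ever catches traffic that was not redirected. It also reproduces the first listed downside, since 1.1.1.1:443 is dropped purely because the address is in the DoH alias.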

MartianSands 1 point 7 months ago

Some devices or software will ignore what the OS or network are telling them and use their own DNS servers, mainly to bypass filtering. If that's what's happening then you're mostly out of luck. The best you could do is set up firewall rules to block those other servers, assuming they all even use port 53, but that would probably just prevent those devices from working at all.

It's not completely out of the question that you could intercept and redirect those requests, if they're not encrypted.