@haberdabers said in Unbound wont resolve domains using localhost:

Amazed someone had registered it.

Your fault.
You mentioned it, they bought it quickly so you have to negotiate now ;)

Unless it's confirmed by NLnet labs/the Unbound project it's probably not actually a vulnerability.

I don't see any recent CVEs from them on their releases, last one was with 1.10.1
which is the version that is in pfSense 2.4.5-p1

From the sound of what is being described there, however, it's not an unbound issue at all but something in the opnsense GUI that is not being validated. Even that claim seems dubious though (about it resetting to factory defaults).

When using ESX and CARP, the underlying vswitches and port groups must be set to:
Promiscuous Mode: Accept
MAC Address Changes: Accept
Forged Transmits: Accept

Sorry realized I could post a client config

#client config persist-tun persist-key ncp-disable cipher AES-256-CBC auth SHA512 tls-client client remote blahblah.com 443 tcp4 verify-x509-name "blahblah.com" name auth-user-pass remote-cert-tls server <ca> -----BEGIN CERTIFICATE----- snip -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- snip -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- snip -----END OpenVPN Static key V1----- </tls-auth> #server config dev ovpns3 dev-type tun dev-node /dev/tun3 writepid /var/run/openvpn_server3.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp4 cipher AES-256-CBC auth SHA512 up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown client-connect /usr/local/sbin/openvpn.attributes.sh client-disconnect /usr/local/sbin/openvpn.attributes.sh learn-address "/usr/local/sbin/openvpn.learn-address.sh blahblah.com" local 46.60.70.50 tls-server server 10.10.15.60 255.255.255.0 client-config-dir /var/etc/openvpn-csc/server3 username-as-common-name plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user tommy= fa lse server3 443 tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'server.blahblah.com' 1" lport 443 management /var/etc/openvpn/server3.sock unix max-clients 3 push "dhcp-option DOMAIN blahblah.com" push "dhcp-option DNS 10.44.34.54" push "dhcp-option NTP 10.44.34.54" push "redirect-gateway def1" client-to-client ca /var/etc/openvpn/server3.ca cert /var/etc/openvpn/server3.cert

##DNS Resolver##

Network Interfaces: ALL
Outgoing Network Interfaces: ExpressVPN
*(Enable DNSSEC Support
*Register DHCP leases in the DNS Resolver
*Register DHCP static mappings in the DNS Resolver
*Register connected OpenVPN clients in the DNS Resolver

you can create a file such as "/root/blockset.conf"

containing something line:

address=/discord.com/discord.gg/127.0.0.1 address=/roblox.com/rbxcdn.com/127.0.0.1

then in the Custom options area for dnsmasq gui

conf-file=/usr/local/etc/dnsmasq.conf conf-file=/root/blockset.conf

If you want them to change on a schedule create a cron script to update or replace the file and reload the service

see topic cli commands to start and stop services for instructions on how to properly do this...

Hmm, this sounds interesting. So I could do all the DHCP stuff from another machine and let pfsense handle the rest.

I guess I could even copy the current DHCP config from pfsense since I think it runs ISC-DHCP as well.

Not sure what functionality I will lose like that but I guess I could give it a try.

Thanks!

@mcury said in Unbound service dns resolver can't start:

@killpilot You are welcome.
There is already a solution, update to 3.0.1 and it will work.

In case the packet download fails, use the command found in the link provided, then update

ok, the dev team of both party are very reactive, crongrats !!!!!

thank for your help, i update the package successfully, every think work fine for the moment :-D

Got it. Just unchecked "Enable DNSSEC support" and all is well.

Thank you :)

@dhjdhj said in Curious about ordering when using DHCP with pools:

if you want to deploy 500 IP Phones, for example. You'd like to just deliver them to offices, plug them in and be done.

And in such a setup you would put those 500 phones on the phone vlan.. So the dhcp pool would be for all the phones..

There is no need to discuss with pfsense developers... Its a non issue. If you think its not done correctly - then submit code to do it how you feel its should be done.

The default for allow is any mac that asks for an IP... If you start putting in specific allows, and not deny on the other pool.. Then how do you differentiate between pools that do not have any allows set and when not to assign IPs from that pool... So now you have code that has to look and see oh that mac aa:bb:cc is allowed on pool A, but pool A is full. But pool B has address and no macs called out for allow or deny on it - so anyone should be able to get an IP from this pool. But its mac aa:bb:cc so shouldn't?

So now what users have to list all mac that should be allowed from whatever pools, etc.

It gets way more complicated than your simple scenario with 2 pools, and you want phones to pool from this but not that pool... But not reading the docs where it clearly calls out you need to put in deny in pools you don't want to pull from when you put in allow on specific pools.. Means the code is bad???

You could also just deny the mac that you don't want to pull from pool X, etc. when the only other pool is Y.. What about the scenario where you have multiple pools not because you want some devices to pull from X or Y, but because you don't want IP address Z in the middle of the range to be used.. So you create 2 pools leaving out that IP, etc.

But then you might have devices that are not phones in the phone pool.. which why when you want to differentiate on which pools devices can pool from you need to do both an allow and deny, etc.

What are you wanting to do exactly?

If you setup a forwarder in unbound, and you point your clients to unbound - they will resolve any local records via what unbound has for them.. So if you create a host override host.domain.tld that is what will be returned. Anything else would be forwarded to who you have setup for forwarding too.

If you have a local dns, that you would want unbound to resolve domain.tld records from that would be a domain override.

Anything that is not local, a host override or domain override would be either just be resolved or forwarded.. This is really how it works out of the box - so not exactly sure what your question is?

Code in Resolver Custom options:-

define-tag: "NAS-IOT" access-control-view: 172.16.4.0/24 NAS-IOT access-control-view: XXXX:YYYY:ZZZZ:4::/64 NAS-IOT view: name: "NAS-IOT" local-zone: "xyz.net" inform local-data: "nas.xyz.net A 172.16.4.10" local-data: "nas.xyz.net AAAA XXXX:YYYY:ZZZZ:4::a" view-first: yes

From 172.16.2.0/24 & XXXX:YYYY:ZZZZ:2::/64:-

andyk@mac-pro ~ % host nas nas.xyz.net has address 172.16.2.10 nas.xyz.net has IPv6 address XXXX:YYYY:ZZZZ:2::a andyk@mac-pro ~ % host loghost loghost.xyz.net has address 172.16.2.10 loghost.xyz.net has IPv6 address XXXX:YYYY:ZZZZ:2::a andyk@mac-pro ~ %

From 172.16.4.0/24 & XXXX:YYYY:ZZZZ:4::/64:-

pi@homebridge:~ $ host nas nas.xyz.net has address 172.16.4.10 nas.xyz.net has IPv6 address XXXX:YYYY:ZZZZ:4::a pi@homebridge:~ $ host loghost loghost.xyz.net has address 172.16.2.10 loghost.xyz.net has IPv6 address XXXX:YYYY:ZZZZ:2::a pi@homebridge:~ $

@jsbsmd said in SAD DNS and unbound question:

they will have access to multiple blocking lists that "I hope" staff will be monitoring them.

Quad9 is a non-profit project funded by donations, so we don't have a lot of staff, but there's a field and button on the front page of the web site for checking whether we're blocking a domain in the malware-blocking version of the service, and if so, which feed reported it, and any reasons they may have stated. There's also a button for people to report something as a false positive, and we do investigate anything that's reported as a false positive, though that's kind of time-consuming, because the badguys of course report all their stuff as false positives too... And we keep stats on how many times each blocking rule gets exercised without a false-positive report, and reputation-score each of the threat intel feeds. And we keep a list of things that should never be blocked even if they come up in a threat intel feed, so when a threat intel feed includes something on that list, that also contributes (negatively) to their reputational score. Since there are, at any time, millions of things being blocked, and the level of churn is very high (as domains stop being used by badguys and leave the list), there's no way for our small group of staff and volunteers to proactively research each case before it goes into the blocklist, but also the vast majority (more than 99.99%) of blocked domains are never reported as false-positives, either while they're blocked, or after the fact.

Will connecting to 9.9.9.9 using udp 53 protect a user or is it a must to use ssl/tls 853? Just thinking about man in the middle attacks.

"Defense in depth" means a series of layers and complimentary security measures which all contribute to a more safe posture. So, there are several answers to that question, all valid and cumulative:

Using 9.9.9.9 gives you access to an aggregate set of threat intel which is not available in any other way (since it includes internal (not-available-as-a-product) threat data from several large security teams in companies which compete with each other). That's one benefit, and is available regardless of the transport protocol between the user and our recursive resolver.

Using 9.9.9.9 also gives you an external DNSSEC validator. It's better to not have to rely upon someone else for that, but relying on someone else is better than not doing it at all. And for most people, most of the time, there's no mechanism by which they could do it themselves, since it's unfortunately not supported in any significant number of endpoints, and most people don't run their own forwarding/validating or recursive/validating resolver. To be clear, the correct place to do DNSSEC validation is in the endpoint, but there's almost no support for that by vendors, and it's not something that can be easily added in to many platforms by a third party. So we all have to keep pushing for that over time.

Using 9.9.9.9 protects you from the recursive resolver recording your DNS resolution history, and protects you from parties upstream from the recursive resolver seeing your query or associating it with you, but if you use a UDP/53 transport rather than one of the encryption methods (DoT, DoH, or DNScrypt), any party between you and the recursive resolver can record your query and associate it with (at best) the public-facing IP address used to transmit it, or (at worst) a unique "cache busting" key tied to your identity.

In addition, using UDP/53 also leaves you open to man-in-the-middle attacks in which the recursive resolver is impersonated by another entity, usually the access-providing ISP, who may have contracted with a third party to capture and monetize queries.

So, we strongly recommend encrypting the connection between you and your recursive resolver, both for your privacy, and also as a step toward authenticating the recursive resolver. While that authentication currently depends on CA certs, which don't actually provide any security, as that process gets upgraded to DANE certs, that will become real strong authentication that you could rely upon.

No joy. I already had a rule allowing DNS outbound for those addresses as well, and though my redirect floating rule was enabled, disabling it had no effect. If I comment out the fw-address lines it works fine, but then my other queries aren’t all being sent to NextDNS as intended. Right now it is an either/or, and I’m trying to figure out a way to explicitly exclude, or to be able to remove those specific custom options and still have the other use NextDNS.

kiokoman
kiokoman LAYER 8 about 8 hours ago

yup firewall rules,

source ip-pihole permit 53 *2) source any destination ! ip-pihole block 53 ( ! = reverse)

or you can do a nat port forward with

*2) interface LAN source ! ip-pihole destination ! ip-pihole port 53 NAT ip-pihole 53

take in mind that order of rules are important

ah nice, i was still writing when you answered

Yes :) Thx for Thy help anyways Sir!