Local DNS resolution & blocking of a domain & pfblockerng

droidus

@SteveITS So in theory, shouldn't this work then?
nslookup ansible.home.lab <pfsense-ip>
Instead, it hangs, then fails.

johnpoz

yes that should work, if you allow access to unbound via firewall rule, its actually running - and you setup the host override in it - have seen users set up the override in dnsmasq (forwarder) when they are using unbound (resolver) or vise versa.

$ nslookup ansible.home.lab 192.168.9.253
Server:  sg4860.local.lan
Address:  192.168.9.253

Name:    ansible.home.lab
Address:  192.168.1.138

What error do you get - something like this?

$ nslookup ansible.home.lab 192.168.9.254                 
DNS request timed out.                                    
    timeout was 2 seconds.                                
Server:  UnKnown                                          
Address:  192.168.9.254                                   
                                                          
DNS request timed out.                                    
    timeout was 2 seconds.                                
DNS request timed out.                                    
    timeout was 2 seconds.                                
DNS request timed out.                                    
    timeout was 2 seconds.                                
DNS request timed out.                                    
    timeout was 2 seconds.                                
*** Request to UnKnown timed-out

droidus

@johnpoz All I get is this:

1.2 is the IP of the pfsense box.
Here's the LAN fw rules I have enabled:

johnpoz

@droidus it never comes back with any sort of error or timeout?

just type nslookup, what does it come back with?

example: here I just type nslookup, then change the server and ask for the host override

$ nslookup
Default Server:  pi.hole
Address:  192.168.3.10

> server 192.168.9.253
Default Server:  sg4860.local.lan
Address:  192.168.9.253

> ansible.home.lab
Server:  sg4860.local.lan
Address:  192.168.9.253

Name:    ansible.home.lab
Address:  192.168.1.138

>

When you change the server to the IP of pfsense, it should come back with pfsense name - if not then that is indication there is something wrong. See how mine comes back with sg4860.local.lan when I change to my pfsense IP.

If unbound doesn't answer, then your client should give a timeout.. If it talked to unbound then you should get some sort of answer, nx, serv fail, something..

For example if I ask for something that just isn't going to resolve..

> lsjfsldf.soldjfsdsldf.com
Server:  sg4860.local.lan
Address:  192.168.9.253

*** sg4860.local.lan can't find lsjfsldf.soldjfsdsldf.com: Non-existent domain

droidus

@johnpoz I'm not sure if this is good practice or not (at least for home use) or even possible, but is it possible to just use "ansible" instead of including the sld&tld? Ie "ansible.home.lab"? For example, I would be able to "ping ansible".

BTW, I got the resolution working now!

johnpoz

@droidus if you want to just type in ansible then you could setup your OS to use a search suffix so it would auto add home.lab, and or other suffixes you would use.

So for example if I just ping ansible notice it doesn't work.

$ ping ansible
Ping request could not find host ansible. Please check the name and try again.

But if I add home.lab to my suffix search.

$ ping ansible

Pinging ansible.home.lab [192.168.1.138] with 32 bytes of data:

What was wrong - what did you change, why wasn't it working before?

droidus

@johnpoz Got it. Was just wondering if there was any way to modify the request so that I don't have to go to every server/machine and do mods like that. Will have to look into how to do that for linux.... I believe it's the resolv.conf file.

johnpoz

@droidus just use fqdn when you looking for something.. Much better than having suffix search, which will quite often add that to every single query be you need them or not..

So for example if you were looking for www.google.com, you end up with an query as well for www.google.com.home.lab

NollipfSense

Op should modify firewall rule to be more specific and exact...source - LAN.net Destination - THIS FIREWALL

Screenshot 2023-06-11 at 1.09.44 PM.png

droidus

@NollipfSense Got it, thank you. I've updated those two rules. Should I apply the same logic to any other rules, such as the ones surrounding them?:

johnpoz

@droidus said in Local DNS resolution & blocking of a domain & pfblockerng:

such as the ones surrounding them?:

You should always be as specific as possible with rules.. This firewall is not specific to be honest. If this is your lan net, that would be the IP it would be talking to for dns, ie lan address. Why would something on your lan be talking to say opt X on pfsense IP for dns? or you wan IP? "This firewall" is an alias that has all the IPs on pfsense.

Do you use this lan net as a transit network? How would something be talking to your lan interface from the lan net coming from any IP other than lan net? There is no reason to have any as the source, unless the interface is a transit network, and even then it should be limited to the IPs as source, why would you not know your downstream networks using this interface as a transit..

Also what client would be using dot? (853) Clients use doh, dot is more for resolvers or forwarders to use.. Also for you to use dot from a client do you have that setup with cert that your clients would trust?

What do you have behind pfsense that is using dot? And for that matter why would you need to encrypt dns queries across your own network?