DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 20th July 2015
daemonbak daemonbak is offline
Fdisk Soldier
 
Join Date: Feb 2015
Posts: 47
Default DNSCRYPT-Proxy causes slowdown on one service only

Testing my new firewall running pf on OpenBSD I have noticed something quite odd.

All of my machines get a constant 60Mbps downstream. Except for he xbox. I had originally thought hat maybe one of my pf rules was causing the issue.

I have since narrowed it down to the dnxcrypt proxy.

If I keep this rule in place:
Code:
### Block Rogue DNS requests from LAN clients on port 53 then log and Redirect to use DNSCrypt and Unbound
block return out quick log on egress proto { tcp udp } from any to any port 53
pass in on em1 inet proto { tcp udp } from any to ! 192.168.10.1 port 53 rdr-to 192.168.10.1
My down speed goes from 66Mbps to ~9Mbps. If I comment out the first rule (block) above and then allow the xbox to use the old ns1.pbi.net dns, it gets it's speed back. Re-Enable the block rule and it slows to a crawl.

I have looked everywhere on google trying to see if I can find a reference to this and no go. i have tried specifying multiple dnscrypt servers on the list, turning dnssec off and no change.

How would one go about resolving this as it seems to be the dnscrypt that is causing the issues.

Could I just change the rules as follows (change in bold):
Code:
### Block Rogue DNS requests from LAN clients on port 53 then log and Redirect to use DNSCrypt and Unbound
block return out quick log on egress proto { tcp udp } from ! $xbox to any port 53
pass in on em1 inet proto { tcp udp } from any to ! 192.168.10.1 port 53 rdr-to 192.168.10.1
And if I were to do that change, would all other devices on the network still follow the original rool since I changed it from any to any TO ! $xbox to any

Open to any ideas to fix the speed issue with dnscrypt.

Thanks
Reply With Quote
  #2   (View Single Post)  
Old 21st July 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,561
Default

I'm going to take a very wild guess that the problem has two factors: 1) how you are managing Domain resolution on the xbox, and 2) your PF rules. It's a very wild guess, because we only have a fragment of your PF ruleset and know nothing about your xbox network configuration. And I know nothing about xboxes at all.

Assumption 1: the xbox is assigned an upstream nameserver via DHCP that you do not want it to use, hence your two PF rules.

Assumption 2: the xbox slows down when it receives an ICMP UNREACHABLE packet in response to a blocked UDP Domain resolution requestion.

Based on those two assumptions, I do not understand the purpose of the block rule. This is because the the pass redirects all Domain requests to your resolver of choice, so the block only delays the client (xbox, in this case) as it determines what to do when it learns its primary nameserver is UNREACHABLE.

The best fix, I think, would be to remove the external, unwanted nameserver from the xbox configuration. But I know nothing about xboxen, so that may not be possible.

On my networks, I don't have rules like these. I use my own DHCP servers and configure only my local nameservers in dhcpd.conf(5). Only the nameservers can forward resolution requests to the Internet, other devices on the network cannot. (This has the side benefit of blocking communication through-the-firewall via port 53 by a compromised workstation or mobile device, in the event that occurs.)

Last edited by jggimi; 21st July 2015 at 01:12 AM. Reason: clarification of forwarding requests to authoritative nameservers
Reply With Quote
  #3   (View Single Post)  
Old 21st July 2015
ocicat ocicat is offline
Administrator
 
Join Date: Apr 2008
Posts: 3,257
Default

I'm moving this thread back to the OpenBSD subforum.

While PF is available on both FreeBSD & NetBSD, the versions are not the same meaning that the feature sets aren't the same either.
Reply With Quote
  #4   (View Single Post)  
Old 21st July 2015
daemonbak daemonbak is offline
Fdisk Soldier
 
Join Date: Feb 2015
Posts: 47
Default

Quote:
Originally Posted by jggimi View Post
On my networks, I don't have rules like these. I use my own DHCP servers and configure only my local nameservers in dhcpd.conf(5). Only the nameservers can forward resolution requests to the Internet, other devices on the network cannot. (This has the side benefit of blocking communication through-the-firewall via port 53 by a compromised workstation or mobile device, in the event that occurs.)
That is what i was going for. All other devices seem to have no issue getting the advertised speed of the provider EXCEPT the xbox. the only reason i included that snippet was those were the only rules that were having an effect on the speed. if i comment out the block rule, everything works fine for the xbox. that is how I narowed it down to dnscrypt/unbound being the culprit.

I am also running a dhcp server on the firewall. I am trying to accomplish what you mention in the quote snippet I included above.

Could you show me your snippet and how you accomplished this? I was thinking that by applying the block rule to every device ! $xbox would work around the problem.
Reply With Quote
  #5   (View Single Post)  
Old 21st July 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,561
Default

My dhcpd(8) servers informs clients which nameservers to use:
Code:
option   domain-name-servers 10.0.1.1, 10.0.4.1;
As discussed recently in one of bceverly's threads, all known devices are assigned reserved IP addresses in dhcpd.conf. Here's an example of a laptop, it's MAC address has been redacted because I'm not copying-pasting at the moment, just typing from memory:
Code:
        host laptop {
                hardware ethernet xx:xx:xx:xx:xx:xx;
                fixed-address 10.0.1.133;
}
This device is in the local-zone in unbound.conf, so it will be resolved locally:
Code:
local-data: "laptop.jggimi.homeip.net. IN A 10.0.1.133"
.
.
.
local-data-ptr: "10.0.1.133 laptop.jggimi.homeip.net"
Lastly, the forward-zone refers to Google's public DNS which resolves all authoritative (internet-facing) IP addresses.
Code:
forward-zone:
        name "."
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4

Last edited by jggimi; 21st July 2015 at 04:09 PM. Reason: several corrections in the hours since this was posted. Latest correction: bceverly's thread, with link
Reply With Quote
  #6   (View Single Post)  
Old 23rd July 2015
TronDD TronDD is offline
Shell Scout
 
Join Date: Sep 2014
Posts: 121
Default

Also not knowing how an xbox is configured for a network, my thought is that since the rule is a 'block quick' the xbox will never hit the redirect rule. So you're hitting DNS timeouts. I'm guessing the PCs are correctly configured to use 192.168.10.1 for DNS and never hit these rules.

Configure the xbox to use the correct DNS server, remove the quick keyword, or shuffle the order of your rules.

Tim.

Edit: Also no idea why DNS would impact sustained speeds... what is the xbox doing on port 53?

Last edited by TronDD; 23rd July 2015 at 07:16 PM.
Reply With Quote
  #7   (View Single Post)  
Old 23rd July 2015
daemonbak daemonbak is offline
Fdisk Soldier
 
Join Date: Feb 2015
Posts: 47
Default

I had set the xbox to use the ip that unbound is listening on so it wouldn't be going outside that range. But somehow the DNS is the culprit.

Is there a way to strace or tcpdump to see what dns server it is trying to contact? My logs while dumping arent showing me anything useful
Reply With Quote
  #8   (View Single Post)  
Old 23rd July 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,561
Default

Assumptions:
  • You are monitoring from the gateway router, so the traffic can be seen.
  • Your xbox device's IP address is a.b.c.d.
  • Your NIC you wish to monitor is em1.
Perhaps something as simple as:
# tcpdump -ni em1 host a.b.c.d and port 53

--- in addition ---

Add the log option to the rules you wish to monitor, and you can use tcpdump(8) with the pflog(4) device to monitor PF rules being applied. Here are three examples, one for monitoring rules that log blocks, another to monitor rules that log passes, and the last to monitor both pass and block rules as they are applied to rules that log.

# tcpdump -ni pflog0 action block
# tcpdump -ni pflog0 action pass
# tcpdump -ni pflog0

Last edited by jggimi; 23rd July 2015 at 11:37 PM. Reason: clarity, typo in the first tcpdump(8) filter. :)
Reply With Quote
  #9   (View Single Post)  
Old 27th July 2015
daemonbak daemonbak is offline
Fdisk Soldier
 
Join Date: Feb 2015
Posts: 47
Default

I was running tcpdump -n -e -ttt -i pflog0

let me try it with your string and see what I can find.

Thanks
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
DNSCrypt and local Unbound resolver Oko OpenBSD Security 1 28th December 2014 12:54 AM
dnscrypt-proxy build errors? gkbsd OpenBSD Packages and Ports 7 3rd May 2014 01:12 PM
Security DNSCrypt: a tool to encrypt all DNS traffic J65nko News 0 8th December 2011 08:13 PM
Good VPN service? guitarscn Off-Topic 2 15th December 2009 08:55 AM
service prioritization badguy OpenBSD General 1 29th July 2009 05:36 PM


All times are GMT. The time now is 04:29 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick