OpenBSD Security - Functionally paranoid!
DNSCRYPT-Proxy causes slowdown on one service only
Testing my new firewall running pf on OpenBSD I have noticed something quite odd.
All of my machines get a constant 60Mbps downstream, except for the xbox. I had originally thought that maybe one of my pf rules was causing the issue. I have since narrowed it down to the dnscrypt proxy. If I keep this rule in place:
Code:
### Block Rogue DNS requests from LAN clients on port 53 then log and Redirect to use DNSCrypt and Unbound
block return out quick log on egress proto { tcp udp } from any to any port 53
pass in on em1 inet proto { tcp udp } from any to ! 192.168.10.1 port 53 rdr-to 192.168.10.1
I have looked everywhere on google trying to see if I can find a reference to this and no go. I have tried specifying multiple dnscrypt servers on the list, turning dnssec off, and no change. How would one go about resolving this, as it seems to be the dnscrypt that is causing the issues? Could I just change the rules as follows (the changed part is marked in the block rule):
Code:
### Block Rogue DNS requests from LAN clients on port 53 then log and Redirect to use DNSCrypt and Unbound
block return out quick log on egress proto { tcp udp } from ! $xbox to any port 53   # changed: source is now ! $xbox
pass in on em1 inet proto { tcp udp } from any to ! 192.168.10.1 port 53 rdr-to 192.168.10.1
Open to any ideas to fix the speed issue with dnscrypt. Thanks
I'm moving this thread back to the OpenBSD subforum.
While PF is available on both FreeBSD & NetBSD, the versions are not the same, meaning that the feature sets aren't the same either.
Quote:
I am also running a dhcp server on the firewall. I am trying to accomplish what you mention in the quote snippet I included above. Could you show me your snippet and how you accomplished this? I was thinking that applying the block rule to every device except ! $xbox would work around the problem.
My dhcpd(8) server informs clients which nameservers to use:
Code:
# dhcpd.conf
option domain-name-servers 10.0.1.1, 10.0.4.1;
Code:
# dhcpd.conf: fixed address for one host
host laptop {
    hardware ethernet xx:xx:xx:xx:xx:xx;
    fixed-address 10.0.1.133;
}
Code:
# unbound.conf: local forward and reverse records for the same host
local-data: "laptop.jggimi.homeip.net. IN A 10.0.1.133"
. . .
local-data-ptr: "10.0.1.133 laptop.jggimi.homeip.net"
Code:
# unbound.conf: forward everything else to upstream resolvers
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
Last edited by jggimi; 21st July 2015 at 04:09 PM. Reason: several corrections in the hours since this was posted. Latest correction: bceverly's thread, with link
Also not knowing how an xbox is configured for a network, my thought is that since the rule is a 'block quick' the xbox will never hit the redirect rule. So you're hitting DNS timeouts. I'm guessing the PCs are correctly configured to use 192.168.10.1 for DNS and never hit these rules.
Configure the xbox to use the correct DNS server, remove the quick keyword, or shuffle the order of your rules.
Tim.
Edit: Also no idea why DNS would impact sustained speeds... what is the xbox doing on port 53?
Last edited by TronDD; 23rd July 2015 at 07:16 PM.
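As an added illustration, not code from any poster in this thread: a small Python model of PF's matching order (rules are evaluated top to bottom, the last matching rule wins, and a matching rule marked quick ends evaluation) run against the two rules quoted in the first post and against the proposed "from ! $xbox" variant, plus a side-by-side of the same rule pair with and without quick. The interface name em0 for the egress group, the xbox address, the firewall's WAN address, the dnscrypt resolver address and the packets are all constructed assumptions. The model deliberately ignores state tracking, NAT and reply traffic, so it only shows which rule a first packet in a flow would hit.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption for this illustration: the PF "egress" interface group (the
# interface holding the default route) resolves to em0; the LAN side is em1.
IFACE_GROUPS = {"egress": "em0"}


@dataclass
class Packet:
    direction: str   # "in" or "out" relative to the firewall
    iface: str       # interface the packet is seen on
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                    # "block" or "pass"
    direction: Optional[str] = None
    iface: Optional[str] = None
    protos: tuple = ("tcp", "udp")
    src_not: Optional[str] = None  # "from ! X"
    dst_not: Optional[str] = None  # "to ! X"
    dport: Optional[int] = None
    quick: bool = False
    rdr_to: Optional[str] = None   # only meaningful on a pass rule
    label: str = ""

    def matches(self, p: Packet) -> bool:
        if self.direction and p.direction != self.direction:
            return False
        if self.iface and p.iface != IFACE_GROUPS.get(self.iface, self.iface):
            return False
        if p.proto not in self.protos:
            return False
        if self.src_not and p.src == self.src_not:
            return False
        if self.dst_not and p.dst == self.dst_not:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def evaluate(rules, p: Packet):
    """Return (action, label of the winning rule, destination after rdr-to).

    Last matching rule wins unless a matching rule carries "quick"; with no
    "block all" in the set, an unmatched packet passes (PF's default).
    """
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    if winner is None:
        return ("pass", "default", p.dst)
    new_dst = winner.rdr_to if winner.action == "pass" and winner.rdr_to else p.dst
    return (winner.action, winner.label, new_dst)


# The two rules quoted in the first post.
RDR_RULE = Rule("pass", "in", "em1", dst_not="192.168.10.1", dport=53,
                rdr_to="192.168.10.1",
                label="pass in on em1 ... to ! 192.168.10.1 port 53 rdr-to 192.168.10.1")
ORIGINAL_RULES = [
    Rule("block", "out", "egress", dport=53, quick=True,
         label="block return out quick log on egress ... port 53"),
    RDR_RULE,
]

# The proposed variant: "from ! $xbox" on the block rule ($xbox address is constructed).
XBOX = "192.168.10.50"
PROPOSED_RULES = [
    Rule("block", "out", "egress", dport=53, quick=True, src_not=XBOX,
         label="block return out quick log on egress ... from ! $xbox to any port 53"),
    RDR_RULE,
]

# Constructed packets; WAN and resolver addresses are documentation ranges.
XBOX_TO_EXTERNAL_DNS = Packet("in", "em1", "udp", XBOX, "8.8.8.8", 53)
XBOX_TO_LOCAL_DNS = Packet("in", "em1", "udp", XBOX, "192.168.10.1", 53)
FIREWALL_TO_EXTERNAL_DNS = Packet("out", "em0", "udp", "203.0.113.10", "8.8.8.8", 53)
FIREWALL_TO_DNSCRYPT = Packet("out", "em0", "udp", "203.0.113.10", "198.51.100.53", 443)


def quick_versus_order():
    """Same block-then-pass pair evaluated without and then with "quick"."""
    block = Rule("block", "out", "egress", dport=53, label="block (first)")
    allow = Rule("pass", "out", "egress", dport=53, label="pass (last)")
    last_match_wins = evaluate([block, allow], FIREWALL_TO_EXTERNAL_DNS)[0]
    block.quick = True
    quick_wins = evaluate([block, allow], FIREWALL_TO_EXTERNAL_DNS)[0]
    return last_match_wins, quick_wins


if __name__ == "__main__":
    for name, p in [("xbox -> 8.8.8.8:53", XBOX_TO_EXTERNAL_DNS),
                    ("xbox -> 192.168.10.1:53", XBOX_TO_LOCAL_DNS),
                    ("firewall -> 8.8.8.8:53", FIREWALL_TO_EXTERNAL_DNS),
                    ("firewall -> dnscrypt resolver:443", FIREWALL_TO_DNSCRYPT)]:
        print(f"{name:34} original: {evaluate(ORIGINAL_RULES, p)}")
        print(f"{'':34} proposed: {evaluate(PROPOSED_RULES, p)}")
    print("without quick / with quick:", quick_versus_order())
```

In this model the block rule applies only "out on egress" while the pass rule applies "in on em1", so a LAN client's query to an outside resolver is redirected to 192.168.10.1 on the way in and never reaches the egress block; the only modelled traffic the block rule ever sees is the firewall's own outbound port-53 traffic, and exempting $xbox from that rule changes none of the outcomes. Which packets really hit each rule on a live box is exactly what the pflog0 captures discussed later in the thread show, so the model is a way to form an expectation before reading them, not a substitute.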
I had set the xbox to use the IP that unbound is listening on, so it wouldn't be going outside that range. But somehow the DNS is the culprit.
Is there a way to strace or tcpdump to see what DNS server it is trying to contact? My logs while dumping aren't showing me anything useful.
Assumptions:
Code:
# tcpdump -ni em1 host a.b.c.d and port 53
--- in addition ---
Add the log option to the rules you wish to monitor, and you can use tcpdump(8) with the pflog(4) device to monitor PF rules being applied. Here are three examples: one for monitoring rules that log blocks, another to monitor rules that log passes, and the last to monitor both pass and block rules as they are applied to rules that log.
Code:
# tcpdump -ni pflog0 action block
# tcpdump -ni pflog0 action pass
# tcpdump -ni pflog0
Last edited by jggimi; 23rd July 2015 at 11:37 PM. Reason: clarity, typo in the first tcpdump(8) filter. :) |
I was running tcpdump -n -e -ttt -i pflog0
Let me try it with your string and see what I can find. Thanks