DaemonForums: OpenBSD Security

Block external DNS

#1, 17th April 2022, psypro

I share the internet with kids, guests, and tenants living in the same house.
So I want surfing from my IP to be clean, and to avoid a slow net due to p2p. Tenants can use a VPN to surf as they please. I use OpenDNS safe web DNS, and would like to enforce that on my local network.
Unbound is working, and dhcpd gives it to leases on the network.
But can I set pf to block or enforce my unbound? This is my try.

So a simple NAT router for home use.

This I added to my pf.conf to "block" or redirect LAN DNS requests to my DNS server.

Code:
# Force local DNS
pass in on $int_if proto { udp, tcp } from any to any port domain rdr-to 192.168.0.1 port domain

Any feedback for my pf.conf?

I think it works.

Code:
dig openbsd.org

; <<>> DiG 9.10.6 <<>> openbsd.org
....
;; ANSWER SECTION:
openbsd.org.		14388	IN	A	199.185.178.80

;; Query time: 11 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sun Apr 17 20:12:45 CEST 2022
;; MSG SIZE  rcvd: 56

Code:
dig @1.1.1.1 openbsd.org
....
;; ANSWER SECTION:
openbsd.org.		14344	IN	A	199.185.178.80

;; Query time: 4 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Apr 17 20:13:29 CEST 2022
;; MSG SIZE  rcvd: 56

pf.conf
Code:
# Macros
ext_if="em3"
int_if="em0"
icmp_types="echoreq"   # defined but not used by any rule below

# Skip all loopback traffic
set skip on lo

# Table the ssh rule overloads into; persist keeps it across ruleset reloads.
# Without a rule that blocks the table, overloaded addresses would only have
# their states flushed and could reconnect immediately.
table <bruters> persist
block in quick from <bruters>

# ssh: at most 5 concurrent connections and 50 new connections per 7200 s,
# per source IP; offenders are added to <bruters> and their states flushed.
# Note: quick and not bound to an interface, so this already admits ssh on
# $ext_if and makes the final ssh rule below redundant.
pass quick proto tcp from any to any port 22 \
        flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 50/7200, \
        overload <bruters> flush global)

# Perform NAT on external interface
match out on $ext_if from $int_if:network to any nat-to $ext_if

# Define default behavior
block in
pass out keep state

# Allow inbound traffic on internal interface
pass on $int_if

# Force local DNS
pass in on $int_if proto { udp, tcp } from any to any port domain rdr-to 192.168.0.1 port domain

# Protect against spoofing
antispoof quick for { lo $int_if }

# Allow other traffic
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
#2, 17th April 2022, jggimi

You are redirecting parts of DNS, but not all of it. Your rule only redirects plaintext DNS traffic. You are passing DNS over HTTPS (the default for many browsers), and you are also passing DNS over TLS.

https://en.wikipedia.org/wiki/DNS_over_HTTPS

https://en.wikipedia.org/wiki/DNS_over_TLS

Additionally, it looks to me like your redirect will cause a traffic loop if the nameserver's resolution traffic is plaintext DNS, and if the nameserver is located on a system behind the firewall.
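The following pf.conf fragment is an added example, not code from either post: it closes the gaps jggimi describes as far as pf can close them (redirect plaintext DNS without looping the resolver's own queries, refuse DoT/DoQ on port 853, and block DoH only for resolver addresses you know). It assumes the interfaces of the original pf.conf (em0 LAN, em3 uplink), Unbound at 192.168.0.1, and a hypothetical table <doh_resolvers> that you populate yourself.

```pf
# Added example, not from the posts above. Assumes the topology of the
# original pf.conf: em0 is the LAN, em3 the uplink, and Unbound listens on
# 192.168.0.1 (either on the router itself or on a separate LAN host).
ext_if  = "em3"
int_if  = "em0"
dns_srv = "192.168.0.1"

# Hypothetical table of DoH resolver addresses to block. pf cannot tell DoH
# from ordinary HTTPS by port, so the table starts empty and you fill it:
#   pfctl -t doh_resolvers -T add <address>
table <doh_resolvers> persist

# Let the resolver's own upstream queries through untouched. Without this,
# an Unbound that lives on a LAN host behind the router would have its
# outgoing queries redirected straight back to itself (the loop jggimi
# describes). If Unbound runs on the router, this rule simply never matches.
pass in quick on $int_if inet proto { udp, tcp } from $dns_srv to any port domain

# Plaintext DNS from everyone else goes to Unbound regardless of which
# server the client asked for (covers 53/udp and 53/tcp).
pass in quick on $int_if inet proto { udp, tcp } from $int_if:network \
    to any port domain rdr-to $dns_srv port domain

# Clients only get an IPv4 resolver from dhcpd, so IPv6 plaintext DNS can
# only be a bypass; refuse it. Drop this rule if you run an IPv6 resolver.
block return in quick on $int_if inet6 proto { udp, tcp } to any port domain

# DNS over TLS (RFC 7858, 853/tcp) and DNS over QUIC (RFC 9250, 853/udp)
# use a dedicated port, so they can be refused outright.
block return in quick on $int_if proto { udp, tcp } from $int_if:network to any port 853

# DNS over HTTPS shares 443 with the web; only known resolver addresses can
# be blocked.
block return in quick on $int_if from $int_if:network to <doh_resolvers>
```

All rules are `quick`, so they take effect regardless of where they sit relative to the broad `pass on $int_if`; `block return` makes bypass attempts fail immediately instead of timing out. Two caveats on verification: `dig @1.1.1.1` returning an answer is not evidence on its own, because pf reverses the translation on the reply and the client still prints `SERVER: 1.1.1.1#53`. Either query a name only the local Unbound can answer (a `local-data:` entry), or compare TTLs the way the two dig runs above allow: 14388 at 20:12:45 and 14344 at 20:13:29 is a drop of exactly 44 over 44 seconds, which is what a single cache answering both queries looks like. Unbound can additionally answer the Firefox canary domain with `local-zone: "use-application-dns.net" always_nxdomain`, which keeps Firefox from enabling DoH by default on this network; a browser where the user switched DoH on explicitly ignores the canary, which is why the port 853 and <doh_resolvers> rules are still needed.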