Block external DNS
I share internet with kids, guests, and tenants living in the same house.
So I want surfing from my IP to be clean, and avoid a slow net due to P2P. Tenants can use a VPN to surf as they please. I use OpenDNS safe web DNS, and like to enforce that on my local network. Unbound is working, and dhcpd gives it to leases on the network. But can I set pf to block or enforce my Unbound? This is my try. So a simple NAT router for home use. This I added to my pf.conf to "block" or redirect LAN DNS requests to my DNS server.
Code:
# Force local DNS
pass in on $int_if proto { udp, tcp } from any to any port domain rdr-to 192.168.0.1 port domain

Any feedback for my pf.conf? I think it works.
Code:
dig openbsd.org

; <<>> DiG 9.10.6 <<>> openbsd.org
....
;; ANSWER SECTION:
openbsd.org.		14388	IN	A	199.185.178.80

;; Query time: 11 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sun Apr 17 20:12:45 CEST 2022
;; MSG SIZE  rcvd: 56

Code:
dig @1.1.1.1 openbsd.org
....
;; ANSWER SECTION:
openbsd.org.		14344	IN	A	199.185.178.80

;; Query time: 4 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Apr 17 20:13:29 CEST 2022
;; MSG SIZE  rcvd: 56

pf.conf
Code:
# Macros
ext_if="em3"
int_if="em0"
icmp_types="echoreq"          # defined but not referenced by any rule below

# Table the ssh rule fills with sources that exceed the limits.
# Note: no rule below blocks addresses in <bruters>; add one if that is intended.
table <bruters> persist

# ssh: at most 5 concurrent connections and 50 new connections per 7200 s
# per source IP; offenders are added to <bruters> and their states flushed
pass quick proto tcp from any to any port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 50/7200, \
     overload <bruters> flush global)

# Skip all loopback traffic
set skip on lo

# Perform NAT on external interface
match out on $ext_if from $int_if:network to any nat-to $ext_if

# Define default behavior
block in
pass out keep state

# Allow inbound traffic on internal interface
pass on $int_if

# Force local DNS: plaintext DNS (port 53) arriving on the LAN side is
# redirected to the local resolver. In pf the last matching rule wins, so
# this must stay after "pass on $int_if" for the rdr-to to apply.
pass in on $int_if proto { udp, tcp } from any to any port domain rdr-to 192.168.0.1 port domain

# Protect against spoofing
antispoof quick for { lo $int_if }

# Allow other traffic
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
You are redirecting parts of DNS, but not all of it. Your rule only redirects plaintext DNS traffic. You are passing DNS over HTTPS (the default for many browsers), and you are also passing DNS over TLS.
https://en.wikipedia.org/wiki/DNS_over_HTTPS
https://en.wikipedia.org/wiki/DNS_over_TLS
Additionally, it looks to me like your redirect will cause a traffic loop if the nameserver's resolution traffic is plaintext DNS, and if the nameserver is located on a system behind the firewall.
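A DNS-enforcement fragment that addresses the points in the reply above, written as an added example (it is not the poster's pf.conf or anything else from the thread). It assumes the poster's interface names (em3/em0) and that Unbound listens on the router's own LAN address 192.168.0.1; the table name and file path in it are hypothetical placeholders.

```pf
# Added example, not from the thread. Assumes Unbound runs on the router
# itself at 192.168.0.1 (the resolver) and the poster's interface names.
ext_if = "em3"
int_if = "em0"
resolver = "192.168.0.1"

set skip on lo
match out on $ext_if from $int_if:network to any nat-to ($ext_if)
block in
pass out keep state
pass on $int_if

# 1. Plaintext DNS (port 53) from the LAN aimed at any other server is
#    rewritten to the local resolver; queries already sent to it pass as-is.
#    Because the resolver is the router, its own upstream queries leave on
#    $ext_if and never hit this "in on $int_if" rule, so there is no loop.
pass in on $int_if proto { udp, tcp } from $int_if:network to ! $resolver port domain \
    rdr-to $resolver port domain
pass in on $int_if proto { udp, tcp } from $int_if:network to $resolver port domain

# 2. If the resolver instead lived on a LAN host, its own upstream queries
#    would match rule 1 and be redirected back to itself (the loop the reply
#    warns about). Exempt that host before the redirect with quick, e.g.:
# pass in quick on $int_if proto { udp, tcp } from <lan-resolver-ip> to any port domain

# 3. DNS over TLS (TCP 853) and DNS over QUIC (UDP 853) never touch port 53,
#    so the redirect does not see them and clients would bypass the resolver.
#    Block and log them from the LAN so bypass attempts show up in pflog.
block in log quick on $int_if proto { udp, tcp } from $int_if:network to any port 853

# 4. DNS over HTTPS rides on TCP 443 and cannot be picked out by port. Two
#    mitigations: block known DoH resolver addresses kept in a table (the
#    file is a placeholder), and have Unbound answer the Firefox canary
#    domain use-application-dns.net with NXDOMAIN so Firefox keeps DoH off
#    in its default mode:
#      local-zone: "use-application-dns.net." always_nxdomain   (unbound.conf)
# table <doh_resolvers> persist file "/etc/pf/doh_resolvers.txt"
# block in log quick on $int_if from $int_if:network to <doh_resolvers>

antispoof quick for { lo $int_if }
```

After loading, `tcpdump -n -e -ttt -r /var/log/pflog port 853` lists the LAN hosts that tried to go around the resolver.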