Author Topic: DNS Resolver  (Read 67719 times)

Hugovsky
Re: DNS Resolver
« Reply #30 on: November 03, 2014, 04:50:12 am »
The resolver is forwarding requests to my provider's DNS instead of querying the root domain name servers. You can test this by going to https://www.dnsleaktest.com/

How can I configure it not to do this?

Go to System/General Setup - DNS Servers...

Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN"

Check "Do not use the DNS Forwarder as a DNS server for the firewall"

Yes, I have it set like this and it still does it anyway.

Are you using DHCP? If yes, you have to put the IP of the interface you're using in DNS servers so it can be assigned to leases.

pyrodex
Re: DNS Resolver
« Reply #31 on: November 04, 2014, 06:22:43 pm »
After each update I've noticed unbound won't start on a reboot. I've got to go in and save the settings and then it will start. Here is what I see in the logs each time:

Code:
Nov  1 18:22:07 firewall unbound: [80205:0] error: can't bind socket: Can't assign requested address
Nov  1 18:22:07 firewall unbound: [80205:0] debug: failed address fe80::250:56ff:fe1a:1b1c port 42698

I merely update and reboot. Then, to correct it, I simply go into the settings and hit SAVE, and that lets it recover.

dstroot
Re: DNS Resolver
« Reply #32 on: November 05, 2014, 12:12:03 pm »
Quote
Are you using DHCP? If yes, you have to put the IP of the interface you're using in DNS servers so it can be assigned to leases.

This was a key point - thanks. 

Tikimotel
Re: DNS Resolver
« Reply #33 on: November 08, 2014, 03:05:38 am »
DNS Spoofability test: https://www.grc.com/dns/dns.htm

Quote
DNS Nameserver Access Details
External Ping:   ignored   (Nice, as it's preferable for it to be less visible.)
External Query:   ignored   (This means the nameserver is more spoof resistant.)
DNSSEC Security:   supported   (This server supports improved security standards.)
---> Alphabetic Case:   mixed   (Extra bits of entropy are present in these queries!)  <---
Extra Anti-Spoofing:   unknown   (Unable to obtain server fingerprint.)
I've added the options below into the unbound config on my pfSense v2.1.5 in order to get the extra bits of entropy for the alphabetic case test.
Code:
use-caps-for-id: yes
val-clean-additional: yes
I wonder if these are available by default, or switchable settings in the new pfsense 2.2 builds?

Quote on the alphabetic case test:
Quote
Alphabetic Case:
The DNS system is not sensitive to alphabetic case, so the domain “WWW.GRC.COM” is identical to “www.grc.com”. DNS is designed to ignore but preserve the alphabetic case used in queries and replies. This creates an opportunity for a DNS resolver to add additional unknown bits of “entropy” to its queries by randomly changing the case of any alphabetic characters in the queried domain name. When replies are received, only the valid replying nameserver that received the mixed-case query could know the proper case for its reply. No spoofing server would know. This would give a clever resolver another way to reject spoofed replies. We know of no nameservers that are deliberately mixing case in this way, but through this test we are helping you to keep your eye out for any.

dstroot
Re: DNS Resolver
« Reply #34 on: November 09, 2014, 04:03:44 pm »
Still not seeing host overrides work.

Code:
❯ dig doubleclick.net

; <<>> DiG 9.8.3-P1 <<>> doubleclick.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37689
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;doubleclick.net. IN A

;; ANSWER SECTION:
doubleclick.net. 3600 IN A 70.32.146.212

;; Query time: 105 msec
;; SERVER: 192.168.15.1#53(192.168.15.1)
;; WHEN: Sun Nov  9 14:00:46 2014
;; MSG SIZE  rcvd: 49

Hugovsky
Re: DNS Resolver
« Reply #35 on: November 09, 2014, 04:16:48 pm »
It works for me, but I have to send it to 0.0.0.0, not 127.0.0.1.

dstroot
Re: DNS Resolver
« Reply #36 on: November 09, 2014, 07:09:49 pm »
Hmmm - I'm on the latest beta, tried 0.0.0.0 and 127.0.0.1. Still no joy. Will look into this further tomorrow.

dstroot
Re: DNS Resolver
« Reply #37 on: November 10, 2014, 09:23:25 am »
My bad. I wasn't filling it out correctly - it works if you do it as I show in the attached.

Hugovsky
Re: DNS Resolver
« Reply #38 on: November 12, 2014, 08:57:49 am »
Can I pass "include: /etc/unbound/local-blocking-data.conf" in the advanced field of the resolver? I want to block some domains.

Hugovsky
Re: DNS Resolver
« Reply #39 on: November 12, 2014, 03:10:47 pm »
Apparently the options in the advanced field are not parsed to the config file. Am I doing it wrong?

Escorpiom
Re: DNS Resolver
« Reply #40 on: November 12, 2014, 05:33:33 pm »
I'm sorry to say that Unbound in 2.2 beta (still) has issues:

Code:
Nov 12 18:21:42 unbound: [94783:0] notice: Restart of unbound 1.4.22.
Nov 12 18:21:42 unbound: [94783:0] warning: too many file descriptors requested. The builtinmini-event cannot handle more than 1024. Config for less fds or compile with libevent
Nov 12 18:21:42 unbound: [94783:0] warning: continuing with less udp ports: 91

I've seen this a couple of times here, but no solution was found.
From what can be found on the web, it seems to be a problem with multicore CPUs (mine's a 2558 SoC).
The "Number of queries per thread" in the web interface shows 512, but in the actual config file it's still set at 1024.

The value should sit around 250 for a 4-core CPU, not exceeding a total of 1024.
Manually adjusting the Unbound config is no use; after saving a change in the admin interface, it resets to 1024 again.

This issue is causing Unbound to restart, and when it does, it delays the DNS lookups.
Old bug that really needs to be fixed.

Cheers.
« Last Edit: November 12, 2014, 05:36:44 pm by Escorpiom »

Hugovsky
Re: DNS Resolver
« Reply #41 on: November 13, 2014, 08:26:41 am »
Seems some options are not parsed into the config file. I've already posted about the advanced field, but I've found another:

2.2-BETA (amd64)
built on Thu Nov 13 06:05:47 CST 2014
FreeBSD 10.1-RELEASE

Check the config file below and the pic:

/var/unbound: cat unbound.conf
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 1024
jostle-timeout: 200
infra-host-ttl: 900
infra-lame-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 4096
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
msg-cache-size: 4m
rrset-cache-size: 8m
outgoing-range: 462
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: no
prefetch-key: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# Interface IP(s) to bind to
interface: 192.168.50.1
interface: 10.1.2.1
interface: 192.168.51.1
interface: 127.0.0.1
interface: ::1

# Outgoing interfaces to be used
outgoing-interface: #####
outgoing-interface: #####


# DNS Rebinding
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 192.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address
private-domain: "hsnetworks"
domain-insecure: "hsnetworks"


# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf


###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf

(edited to include snapshot version)
« Last Edit: November 13, 2014, 08:36:55 am by Hugovsky »

Hugovsky
Re: DNS Resolver
« Reply #42 on: November 13, 2014, 08:55:50 am »
More info on this:

Although the unbound config file doesn't have it, config.xml does have the right settings:

      <custom_options>include:/var/unbound/local-blocking-data.conf</custom_options>
      <dnssec/>
      <prefetch/>
      <prefetchkey/>
      <msgcachesize>4</msgcachesize>
      <outgoing_num_tcp>0</outgoing_num_tcp>
      <incoming_num_tcp>0</incoming_num_tcp>
      <edns_buffer_size>1480</edns_buffer_size>
      <num_queries_per_thread>512</num_queries_per_thread>
      <jostle_timeout>100</jostle_timeout>

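Two things in this thread are worth checking mechanically: whether the values in the `<unbound>` section of config.xml actually reach unbound.conf (the gap Hugovsky reports in replies #39 to #42), and whether `num-threads` times `num-queries-per-thread` stays under the 1024-descriptor limit that the "builtin mini-event" warning in reply #40 complains about. The Python below is an added example, not pfSense's own `/etc/inc/unbound.inc` and not Unbound's real descriptor accounting: `render_directives` maps a config.xml fragment to unbound directives using a mapping I assumed from the element names, and `fd_budget_check` applies the thread's rule of thumb (threads x queries per thread should not exceed 1024) to a parsed unbound.conf. Both sample inputs are constructed from the values posted in this thread; all function names are mine.

```python
"""Render config.xml resolver settings to unbound directives and audit the
thread/query budget (added example, not pfSense or Unbound code)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

FD_LIMIT = 1024  # limit named by the mini-event warning quoted in reply #40

# Constructed config.xml fragment modelled on the one posted above.
SAMPLE_CONFIG_XML = """<pfsense><unbound>
  <custom_options>include:/var/unbound/local-blocking-data.conf</custom_options>
  <dnssec/>
  <prefetch/>
  <prefetchkey/>
  <msgcachesize>4</msgcachesize>
  <outgoing_num_tcp>0</outgoing_num_tcp>
  <incoming_num_tcp>0</incoming_num_tcp>
  <edns_buffer_size>1480</edns_buffer_size>
  <num_queries_per_thread>512</num_queries_per_thread>
  <jostle_timeout>100</jostle_timeout>
</unbound></pfsense>"""

# Constructed unbound.conf excerpt with the thread values (2 threads x 1024).
SAMPLE_UNBOUND_CONF = """server:
chroot: /var/unbound
num-queries-per-thread: 1024
num-threads: 2
outgoing-range: 462
#so-rcvbuf: 4m
interface: 127.0.0.1
interface: ::1
outgoing-interface: #####
"""

# Hypothetical element-to-directive mapping; the real one lives in unbound.inc.
VALUE_MAP = {
    "msgcachesize": ("msg-cache-size", "{}m"),
    "outgoing_num_tcp": ("outgoing-num-tcp", "{}"),
    "incoming_num_tcp": ("incoming-num-tcp", "{}"),
    "edns_buffer_size": ("edns-buffer-size", "{}"),
    "num_queries_per_thread": ("num-queries-per-thread", "{}"),
    "jostle_timeout": ("jostle-timeout", "{}"),
}
# Empty elements act as on/off switches: present means "yes".
FLAG_MAP = {"prefetch": "prefetch", "prefetchkey": "prefetch-key"}


def render_directives(config_xml: str, num_threads: int) -> list[str]:
    ub = ET.fromstring(config_xml).find("unbound")
    if ub is None:
        raise ValueError("no <unbound> section in config")
    lines = [f"num-threads: {num_threads}"]
    # DNSSEC validation means the validator module runs in front of the iterator.
    lines.append('module-config: "validator iterator"'
                 if ub.find("dnssec") is not None else 'module-config: "iterator"')
    for tag, (directive, fmt) in VALUE_MAP.items():
        text = ub.findtext(tag)
        if text and text.strip():
            lines.append(f"{directive}: {fmt.format(text.strip())}")
    for tag, directive in FLAG_MAP.items():
        lines.append(f"{directive}: {'yes' if ub.find(tag) is not None else 'no'}")
    # The custom options box is passed through verbatim, one directive per line.
    for raw in (ub.findtext("custom_options") or "").splitlines():
        if raw.strip():
            lines.append(raw.strip())
    return lines


def parse_unbound_conf(text: str) -> dict[str, list[str]]:
    # Collect "key: value" pairs, dropping comments; repeated keys such as
    # interface: keep every value in order.
    conf: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def fd_budget_check(conf: dict[str, list[str]], limit: int = FD_LIMIT) -> dict[str, int | bool]:
    # Rule of thumb from the thread: threads x queries-per-thread <= 1024.
    # The last occurrence of a directive wins, as unbound applies them in order;
    # 1024 is assumed when num-queries-per-thread is absent (compiled default is 512 or 1024).
    threads = int(conf.get("num-threads", ["1"])[-1])
    per_thread = int(conf.get("num-queries-per-thread", ["1024"])[-1])
    total = threads * per_thread
    return {
        "num_threads": threads,
        "num_queries_per_thread": per_thread,
        "total": total,
        "within_limit": total <= limit,
        "suggested_per_thread": limit // threads,
    }


if __name__ == "__main__":
    rendered = render_directives(SAMPLE_CONFIG_XML, num_threads=4)
    print("\n".join(rendered))
    print(fd_budget_check(parse_unbound_conf("\n".join(rendered))))
    print(fd_budget_check(parse_unbound_conf(SAMPLE_UNBOUND_CONF)))
```

Rendered for a 4-core box, the posted config.xml value of 512 per thread still comes to 2048 in total, and the check suggests 256 per thread, which is the "around 250 for a 4-core CPU" figure from reply #40; the posted unbound.conf (2 threads at 1024) fails the same check.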
phil.davis
Re: DNS Resolver
« Reply #43 on: November 13, 2014, 09:46:11 am »
The code in /etc/inc/unbound.inc simply does not implement the settings into the conf file.
I am looking at this. It will be easy to finish the implementation - pull request in 1 hour hopefully.
As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

phil.davis
Re: DNS Resolver
« Reply #44 on: November 13, 2014, 10:58:45 am »
Pull request: https://github.com/pfsense/pfsense/pull/1336

That makes it implement all the parameters that can be specified in the "Advanced" section (the custom options box) and on the "Advanced" tab. unbound.conf has all this stuff now after pressing Apply.

And it took me 72 minutes between posts - there were a few little extra bits to think about, software project estimation is never an exact science, and I actually tested it also  ;)
« Last Edit: November 13, 2014, 11:14:32 am by phil.davis »