Hi,
many thanks for your quick answer,
I tried to use your PF rule and got the same answer from my DNS:
...
>> WARNING: recursion requested but not available
...
I need the DNS request rules for my PF.
Any ideas?
BR
deface
On 08/29/18 12:34, Arnaud BRAND wrote:
> On 2018-08-29 11:57, NN wrote:
>> Hi all,
>>
>> It's my first topic here =)
>>
>> Please help me investigate my DNS+PF issue.
>>
>> I have 2 VMs on OpenBSD 6.3:
>>
>> VM#1 - Router with PF, IP: 192.168.50.1
>>
>> VM#2 - DNS (as unbound), IP: 192.168.50.2
>>
>> here is my pf.conf on VM#1:
>>
>> int_if="{ vether0 re0 }"
>> set block-policy drop
>> set loginterface egress
>> set skip on lo0
>> match in all scrub (no-df random-id max-mss 1440)
>> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>> pass out quick inet
>> pass in on $int_if inet
>> pass in on egress inet proto { tcp, udp } from any to (egress) port 53 rdr-to 192.168.50.2
>>
>> I try to check how my Unbound DNS VM#2 works:
>>
>> # dig @192.168.50.1 google.com
>>
>> ; <<>> DiG 9.4.2-P2 <<>> @192.168.50.1 google.com
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2704
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;google.com. IN A
>>
>> ;; ANSWER SECTION:
>> google.com. 299 IN A 172.217.21.110
>>
>> ;; Query time: 35 msec
>> ;; SERVER: 192.168.50.1#53(192.168.178.100)
>> ;; WHEN: Wed Aug 29 11:35:57 2018
>> ;; MSG SIZE rcvd: 44
>>
>> Looks good. But if I try to do it from outside my local net ... with:
>>
>> # dig @external_IP google.com
>>
>> ; <<>> DiG 9.4.2-P2 <<>> @external_IP google.com
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24861
>> ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available <<< <<< <<< ???
>>
>> ;; SERVER: external_IP#53
>> ;; WHEN: Wed Aug 29 11:30:50 2018
>> ;; MSG SIZE rcvd: 12
>>
>> I think that my PF config is wrong. Please help me investigate my issue.
>>
>> P.S: my unbound.conf is here ...
>>
>> server:
>>     # interface: 188.192.103.156
>>     interface: 192.168.50.1
>>     interface: 127.0.0.1
>>     interface: ::1
>>     access-control: 0.0.0.0/0 refuse
>>     access-control: 127.0.0.0/8 allow
>>     access-control: ::0/0 refuse
>>     access-control: ::1 allow
>>     access-control: 192.168.1.0/24 allow
>>     access-control: 192.168.50.0/24 allow
>>     access-control: 192.168.178.0/24 allow
>>     do-not-query-localhost: no
>>     hide-identity: yes
>>     hide-version: yes
>>     port: 53
>>
>> remote-control:
>>     control-enable: yes
>>     control-use-cert: no
>>     control-interface: /var/run/unbound.sock
>>
>> forward-zone:
>>     name: "."
>>     forward-addr: 192.168.178.1        # fritz.box
>>     forward-addr: 8.8.8.8              # google.com
>>     forward-addr: 2001:4860:4860::8888 # google.com v6
>>     forward-first: yes                 # try direct if forwarder fails
>>
>> Sorry for my English,
>>
>> BR
>>
>> deface
>
> Eh... something's off in your configs.
> You wrote:
> DNS (as unbound), IP:192.168.50.2
> But unbound.conf contains:
> interface: 192.168.50.1
> Maybe it's not used and redirected to 127.0.0.1?
>
> Anyway, are you trying to match DNS requests originating from the
> inside network and going to public DNS through egress and then
> redirecting these requests to unbound?
> If so, I think you might want to add this rule:
> pass in on $int_if inet proto { tcp, udp } from !$UNBOUND_SERVER to any port 53 rdr-to $UNBOUND_SERVER
>
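Editor's note with a worked check, added here and not part of the thread or of either poster's configuration. The script below reproduces Unbound's access-control selection (unbound.conf(5): the most specific matching netblock wins, and a client matched by no rule is refused) over the exact access-control lines quoted above, and evaluates the client addresses that appear in the thread plus one constructed outside address from the 203.0.113.0/24 documentation range. It is worth running because PF's rdr-to rewrites only the destination address: a query redirected from egress reaches Unbound with the external client's own source address, which in this list matches nothing more specific than `0.0.0.0/0 refuse`, and Unbound answers REFUSED, which is exactly the status in the second dig output. The helper names (`parse_acl`, `acl_decision`, `expected_rcode`, `evaluate`) are this example's own.

```python
import ipaddress

# The access-control lines exactly as posted in the quoted unbound.conf.
UNBOUND_ACL = """
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: 192.168.1.0/24 allow
access-control: 192.168.50.0/24 allow
access-control: 192.168.178.0/24 allow
"""

# What a recursive client sees for each action (unbound.conf(5)):
# allow/allow_snoop answer the query, refuse sends rcode REFUSED,
# deny drops the packet with no reply at all.
RCODE_FOR_ACTION = {
    "allow": "NOERROR",
    "allow_snoop": "NOERROR",
    "refuse": "REFUSED",
    "deny": None,
}


def parse_acl(text):
    """Return [(ip_network, action), ...] from access-control: lines, ignoring comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        _, netblock, action = line.split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def acl_decision(rules, client_ip):
    """Pick the most specific (longest-prefix) netblock containing client_ip.

    A client covered by no rule is refused, matching Unbound's documented
    behaviour for non-localhost clients.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else "refuse"


def expected_rcode(rules, client_ip):
    """Map the chosen action to the DNS status a dig from client_ip would show."""
    return RCODE_FOR_ACTION.get(acl_decision(rules, client_ip), "REFUSED")


RULES = parse_acl(UNBOUND_ACL)

# Source addresses seen in the thread, plus one constructed external client.
# Because rdr-to keeps the original source address, 203.0.113.7 is what Unbound
# sees for a query that arrived on egress and was redirected to the DNS VM.
SAMPLE_CLIENTS = [
    "127.0.0.1",        # localhost on the resolver
    "192.168.50.1",     # the router VM
    "192.168.178.100",  # the internal client from the first dig
    "203.0.113.7",      # constructed outside client (documentation range)
    "::1",
    "2001:db8::1",      # constructed outside IPv6 client (documentation range)
]


def evaluate(clients=SAMPLE_CLIENTS, rules=RULES):
    """Return {client: (action, expected rcode)} for each client address."""
    return {c: (acl_decision(rules, c), expected_rcode(rules, c)) for c in clients}


if __name__ == "__main__":
    for client, (action, rcode) in evaluate().items():
        print(f"{client:>16}  {action:<7}  -> {rcode}")
```

On the real host, `unbound-checkconf` validates the file after any change to the list; a dig from a 192.168.178.0/24 or 192.168.50.0/24 client should come back NOERROR with `ra` set, while a dig from any address outside the allowed netblocks should come back REFUSED regardless of which PF rdr-to rule delivered it.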