On 2018-08-29 12:41, NN wrote:
> Hi,
>
> many thanks for your quick answer,
> I try to use your PF rule, and got the same answer from my DNS:
>
> ...
> >> WARNING: recursion requested but not available
> ...
>
> I need the DNS request RULE's for my PF
> Any ideas?
>
> BR
> deface
>
>
> On 08/29/18 12:34, Arnaud BRAND wrote:
> >> On 2018-08-29 11:57, NN wrote:
> >>> Hi all,
> >>>
> >>> It's my first topic here =)
> >>>
> >>> Please help me investigate a DNS+PF issue.
> >>>
> >>> I have 2 VMs on OpenBSD 6.3:
> >>>
> >>> VM#1 - Router with PF, IP: 192.168.50.1
> >>>
> >>> VM#2 - DNS (as unbound), IP: 192.168.50.2
> >>>
> >>> Here is my pf.conf on VM#1:
>>>
>>> int_if="{ vether0 re0 }"
>>> set block-policy drop
>>> set loginterface egress
>>> set skip on lo0
>>> match in all scrub (no-df random-id max-mss 1440)
> >>> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> >>> pass out quick inet
> >>> pass in on $int_if inet
> >>> pass in on egress inet proto { tcp, udp } from any to (egress) port 53 rdr-to 192.168.50.2
>>>
> >>> I try to check how my Unbound DNS VM#2 is working:
> >>>
> >>> # dig @192.168.50.1 google.com
>>>
>>> ; <<>> DiG 9.4.2-P2 <<>> @192.168.50.1 google.com
>>> ; (1 server found)
>>> ;; global options: printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2704
> >>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;google.com. IN A
>>>
>>> ;; ANSWER SECTION:
>>> google.com. 299 IN A 172.217.21.110
>>>
>>> ;; Query time: 35 msec
>>> ;; SERVER: 192.168.50.1#53(192.168.178.100)
>>> ;; WHEN: Wed Aug 29 11:35:57 2018
>>> ;; MSG SIZE rcvd: 44
>>>
> >>> Looks good. But if I try to do it from outside my local net ... with:
> >>>
> >>> # dig @external_IP google.com
>>>
>>> ; <<>> DiG 9.4.2-P2 <<>> @external_IP google.com
>>> ; (1 server found)
>>> ;; global options: printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24861
>>> ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >>> ;; WARNING: recursion requested but not available <<< <<< <<< ???
>>>
>>> ;; SERVER: external_IP#53
>>> ;; WHEN: Wed Aug 29 11:30:50 2018
>>> ;; MSG SIZE rcvd: 12
>>>
> >>> I think that my PF config is wrong. Please help me investigate my issue.
> >>>
> >>> P.S.: unbound.conf is here ...
>>>
>>> server:
>>> # interface: 188.192.103.156
>>> interface: 192.168.50.1
>>> interface: 127.0.0.1
>>> interface: ::1
>>> access-control: 0.0.0.0/0 refuse
>>> access-control: 127.0.0.0/8 allow
>>> access-control: ::0/0 refuse
>>> access-control: ::1 allow
>>> access-control: 192.168.1.0/24 allow
>>> access-control: 192.168.50.0/24 allow
>>> access-control: 192.168.178.0/24 allow
>>> do-not-query-localhost: no
>>> hide-identity: yes
>>> hide-version: yes
>>> port: 53
>>>
>>> remote-control:
>>> control-enable: yes
>>> control-use-cert: no
>>> control-interface: /var/run/unbound.sock
>>>
>>> forward-zone:
>>> name: "."
>>> forward-addr: 192.168.178.1 # fritz.box
>>> forward-addr: 8.8.8.8 # google.com
>>> forward-addr: 2001:4860:4860::8888 # google.com v6
>>> forward-first: yes # try direct if forwarder fails
>>>
>>> Sorry for my English,
>>>
>>> BR
>>>
>>> deface
>>
>> Eh... something's off in your configs.
>> You wrote:
>> DNS (as unbound), IP:192.168.50.2
>> But unbound.conf contains :
>> interface: 192.168.50.1
> >> Maybe it's not used and redirected to 127.0.0.1?
>>
> >> Anyway, are you trying to match DNS requests originating from the
> >> inside network and going to public DNS through egress and then
> >> redirecting these requests to unbound?
> >> If so, I think you might want to add this rule:
> >> pass in on $int_if inet proto { tcp, udp } from !$UNBOUND_SERVER to any port 53 rdr-to $UNBOUND_SERVER
>>
You have to allow your IP in unbound.conf; look at your rules:
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: 192.168.1.0/24 allow
access-control: 192.168.50.0/24 allow
access-control: 192.168.178.0/24 allow
If you are not in the last 3 ranges specified, you won't be allowed
to make a request.
Note: Opening unbound to the internet is a bad idea.
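As an added illustration (not code from this thread), a small Python model of how unbound resolves its access-control list: the most specific matching netblock wins, and an address matching nothing is refused. It is run against the access-control lines quoted above with constructed client addresses; because the router's rdr-to rewrites only the destination, unbound sees the external client's real source address, which lands on the 0.0.0.0/0 refuse entry and produces the REFUSED / "recursion requested but not available" reply seen in the thread.

```python
import ipaddress

# Constructed copy of the access-control lines from the unbound.conf quoted above.
UNBOUND_CONF = """
server:
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: 192.168.1.0/24 allow
    access-control: 192.168.50.0/24 allow
    access-control: 192.168.178.0/24 allow
"""


def parse_access_control(conf_text):
    """Return a list of (network, action) pairs from access-control: lines."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("access-control:"):
            continue
        netblock, action = line[len("access-control:"):].split()
        # A bare address such as "::1" is treated as a single-host netblock.
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def lookup(rules, client_ip, default="refuse"):
    """Pick the most specific netblock containing client_ip, as unbound does.

    If no netblock matches, unbound's default is to refuse."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else default


if __name__ == "__main__":
    acl = parse_access_control(UNBOUND_CONF)
    # 192.168.178.100 is the LAN client from the first dig; 203.0.113.5 is a
    # constructed external address, as seen by unbound after the PF rdr-to.
    for ip in ("192.168.178.100", "192.168.50.10", "203.0.113.5", "::1", "2001:db8::1"):
        print(f"{ip:>16} -> {lookup(acl, ip)}")
```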