On 2018-08-29 11:57, NN wrote:
> Hi all,
>
> It's my first topic here =)
>
> Please help me investigate a DNS + PF issue.
>
> I have 2 VMs on OpenBSD 6.3:
>
> VM#1 - Router with PF, IP: 192.168.50.1
>
> VM#2 - DNS (as unbound), IP: 192.168.50.2
>
> Here is my pf.conf on VM#1:
>
> # internal interfaces
> int_if="{ vether0 re0 }"
>
> set block-policy drop
> set loginterface egress
> set skip on lo0
>
> # normalise incoming traffic
> match in all scrub (no-df random-id max-mss 1440)
>
> # NAT everything leaving egress that does not already carry an egress address
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> pass out quick inet
> pass in on $int_if inet
>
> # redirect DNS arriving on the egress address to the Unbound VM
> # (rdr-to rewrites the destination address only; the source stays as sent)
> pass in on egress inet proto { tcp, udp } from any to (egress) port 53 rdr-to 192.168.50.2
>
> I try to check how my Unbound DNS on VM#2 is working:
>
> # dig @192.168.50.1 google.com
>
> ; <<>> DiG 9.4.2-P2 <<>> @192.168.50.1 google.com
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2704
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;google.com. IN A
>
> ;; ANSWER SECTION:
> google.com. 299 IN A 172.217.21.110
>
> ;; Query time: 35 msec
> ;; SERVER: 192.168.50.1#53(192.168.178.100)
> ;; WHEN: Wed Aug 29 11:35:57 2018
> ;; MSG SIZE rcvd: 44
>
> Looks good. But if I try to do it from outside my local net ... with:
>
> # dig @external_IP google.com
>
> ; <<>> DiG 9.4.2-P2 <<>> @external_IP google.com
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24861
> ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available <<< <<< <<< ???
>
> ;; SERVER: external_IP#53
> ;; WHEN: Wed Aug 29 11:30:50 2018
> ;; MSG SIZE rcvd: 12
>
> I think that my PF config is wrong. Please help me investigate my issue.
>
> P.S.: unbound.conf is here ...
>
>
> server:
>     # interface: 188.192.103.156
>     interface: 192.168.50.1
>     interface: 127.0.0.1
>     interface: ::1
>
>     # the most specific netblock matching the client's source address decides;
>     # a client that matches only 0.0.0.0/0 or ::0/0 gets rcode REFUSED
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow
>     access-control: ::0/0 refuse
>     access-control: ::1 allow
>     access-control: 192.168.1.0/24 allow
>     access-control: 192.168.50.0/24 allow
>     access-control: 192.168.178.0/24 allow
>
>     do-not-query-localhost: no
>     hide-identity: yes
>     hide-version: yes
>     port: 53
>
> remote-control:
>     control-enable: yes
>     control-use-cert: no
>     control-interface: /var/run/unbound.sock
>
> forward-zone:
>     name: "."
>     forward-addr: 192.168.178.1          # fritz.box
>     forward-addr: 8.8.8.8                # Google Public DNS
>     forward-addr: 2001:4860:4860::8888   # Google Public DNS v6
>     forward-first: yes                   # try direct if forwarder fails
>
> Sorry for my English,
>
> BR
>
> deface
Eh... something's off in your configs.
You wrote:
DNS (as unbound), IP:192.168.50.2
But unbound.conf contains:
interface: 192.168.50.1
Maybe it's not used and redirected to 127.0.0.1?
Anyway, are you trying to match DNS requests originating from the inside
network and going to public DNS through egress and then redirecting
these requests to unbound?
If so, I think you might want to add this rule:
pass in on $int_if inet proto { tcp, udp } from !$UNBOUND_SERVER to any port 53 rdr-to $UNBOUND_SERVER
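As an added illustration of how the two posted configs combine (this is example code written for this page, not code from the thread, from pf or from Unbound), the script below replays the posted rdr-to rule and the posted access-control list for a single query. It assumes a router egress address of 198.51.100.10 and an external client at 203.0.113.5; both are constructed documentation-range addresses, because the thread only says external_IP. rdr-to rewrites the destination address only, so the query that reaches Unbound still carries the external client's source address; the most specific access-control entry for that address is 0.0.0.0/0 refuse, and Unbound answers that with rcode REFUSED, which is the status the second dig run shows.

```python
"""Replay of the posted pf rdr-to rule and Unbound access-control list.

Added example for this page; not code from the thread, pf or Unbound.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addresses (assumptions, not from the thread): the router's
# egress address and a client somewhere on the Internet.
EGRESS_IP = "198.51.100.10"
EXTERNAL_CLIENT = "203.0.113.5"
# rdr-to target taken from the posted pf.conf
UNBOUND_VM = "192.168.50.2"

# access-control lines copied from the posted unbound.conf
ACCESS_CONTROL = [
    ("0.0.0.0/0", "refuse"),
    ("127.0.0.0/8", "allow"),
    ("::0/0", "refuse"),
    ("::1", "allow"),
    ("192.168.1.0/24", "allow"),
    ("192.168.50.0/24", "allow"),
    ("192.168.178.0/24", "allow"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def pf_rdr(pkt: Packet) -> Packet:
    """Model of: pass in on egress inet proto { tcp, udp } from any
    to (egress) port 53 rdr-to 192.168.50.2

    rdr-to rewrites the destination only; the source address is left as
    sent, so Unbound sees the real client address, not the router's.
    """
    if pkt.proto in ("tcp", "udp") and pkt.dst == EGRESS_IP and pkt.dport == 53:
        return Packet(pkt.src, UNBOUND_VM, pkt.proto, pkt.dport)
    return pkt


def unbound_access_control(client_ip: str) -> str:
    """Unbound applies the most specific netblock matching the client."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net_s, action in ACCESS_CONTROL:
        net = ipaddress.ip_network(net_s, strict=False)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    # an address matching no access-control line is refused by default
    return best[1] if best else "refuse"


def resolve_outcome(client_ip: str):
    """Return (destination after rdr, Unbound verdict) for a UDP/53 query
    sent by client_ip to the egress address.  'refuse' is what dig
    displays as status: REFUSED."""
    pkt = pf_rdr(Packet(client_ip, EGRESS_IP, "udp", 53))
    return pkt.dst, unbound_access_control(pkt.src)


if __name__ == "__main__":
    # external client, a host on the DNS VM's subnet, and the 192.168.178.100
    # host the first dig in the thread was run from
    for client in (EXTERNAL_CLIENT, "192.168.50.7", "192.168.178.100"):
        dst, verdict = resolve_outcome(client)
        print(f"{client:>16} -> rdr to {dst}, unbound says {verdict}")
```

Running it shows the external client's query being redirected to 192.168.50.2 and then refused, while the two internal clients are allowed. Whether the right fix is to widen access-control or to leave the refusal in place depends on whether the resolver is meant to serve the Internet at all: a recursive resolver that answers arbitrary Internet sources is an open resolver, which the posted access-control list currently prevents.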