Hi,
All is working for me with the new ACL rule:
access-control: 0.0.0.0/0 allow
Many thanks, Solène Rapenne!
ISSUE is closed.
P.S.
Why is opening unbound to the internet a bad idea?
Thx.
On 08/29/18 12:51, Solène Rapenne wrote:
> On 2018-08-29 12:41, NN wrote:
>> Hi,
>>
>> many thanks for your quick answer,
>> I tried to use your PF rule and got the same answer from my DNS:
>>
>> ...
>> >> WARNING: recursion requested but not available
>> ...
>>
>> I need the DNS request rules for my PF.
>> Any ideas?
>>
>> BR
>> deface
>>
>>
>> On 08/29/18 12:34, Arnaud BRAND wrote:
>>> On 2018-08-29 11:57, NN wrote:
>>>> Hi all,
>>>>
>>>> It's my first topic here =)
>>>>
>>>> Please help me investigate a DNS+PF issue.
>>>>
>>>> I have 2 VMs on OpenBSD 6.3:
>>>>
>>>> VM#1 - Router with PF, IP: 192.168.50.1
>>>>
>>>> VM#2 - DNS (as unbound), IP: 192.168.50.2
>>>>
>>>> here is my pf.conf on VM#1:
>>>>
>>>> int_if="{ vether0 re0 }"
>>>> set block-policy drop
>>>> set loginterface egress
>>>> set skip on lo0
>>>> match in all scrub (no-df random-id max-mss 1440)
>>>> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>>>> pass out quick inet
>>>> pass in on $int_if inet
>>>> pass in on egress inet proto { tcp, udp } from any to (egress) port 53 rdr-to 192.168.50.2
>>>>
>>>> I try to check how my Unbound DNS on VM#2 is working:
>>>>
>>>> # dig @192.168.50.1 google.com
>>>>
>>>> ; <<>> DiG 9.4.2-P2 <<>> @192.168.50.1 google.com
>>>> ; (1 server found)
>>>> ;; global options: printcmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2704
>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;google.com. IN A
>>>>
>>>> ;; ANSWER SECTION:
>>>> google.com. 299 IN A 172.217.21.110
>>>>
>>>> ;; Query time: 35 msec
>>>> ;; SERVER: 192.168.50.1#53(192.168.178.100)
>>>> ;; WHEN: Wed Aug 29 11:35:57 2018
>>>> ;; MSG SIZE rcvd: 44
>>>>
>>>> Looks good. But if I try to do it from outside my local net ... with:
>>>>
>>>> # dig @external_IP google.com
>>>>
>>>> ; <<>> DiG 9.4.2-P2 <<>> @external_IP google.com
>>>> ; (1 server found)
>>>> ;; global options: printcmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24861
>>>> ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>>>> ;; WARNING: recursion requested but not available <<< <<< <<< ???
>>>>
>>>> ;; SERVER: external_IP#53
>>>> ;; WHEN: Wed Aug 29 11:30:50 2018
>>>> ;; MSG SIZE rcvd: 12
>>>>
>>>> I think that my PF config is wrong. Please help to investigate my issue.
>>>>
>>>> P.S: unbound.conf is here ...
>>>>
>>>> server:
>>>> # interface: 188.192.103.156
>>>> interface: 192.168.50.1
>>>> interface: 127.0.0.1
>>>> interface: ::1
>>>> access-control: 0.0.0.0/0 refuse
>>>> access-control: 127.0.0.0/8 allow
>>>> access-control: ::0/0 refuse
>>>> access-control: ::1 allow
>>>> access-control: 192.168.1.0/24 allow
>>>> access-control: 192.168.50.0/24 allow
>>>> access-control: 192.168.178.0/24 allow
>>>> do-not-query-localhost: no
>>>> hide-identity: yes
>>>> hide-version: yes
>>>> port: 53
>>>>
>>>> remote-control:
>>>> control-enable: yes
>>>> control-use-cert: no
>>>> control-interface: /var/run/unbound.sock
>>>>
>>>> forward-zone:
>>>> name: "."
>>>> forward-addr: 192.168.178.1 # fritz.box
>>>> forward-addr: 8.8.8.8 # google.com
>>>> forward-addr: 2001:4860:4860::8888 # google.com v6
>>>> forward-first: yes # try direct if forwarder fails
>>>>
>>>> Sorry for my English,
>>>>
>>>> BR
>>>>
>>>> deface
>>>
>>> Eh... something's off in your configs.
>>> You wrote:
>>> DNS (as unbound), IP:192.168.50.2
>>> But unbound.conf contains:
>>> interface: 192.168.50.1
>>> Maybe it's not used and redirected to 127.0.0.1?
>>>
>>> Anyway, are you trying to match DNS requests originating from the
>>> inside network and going to public DNS through egress and then
>>> redirecting these requests to unbound?
>>> If so, I think you might want to add this rule:
>>> pass in on $int_if inet proto { tcp, udp } from !$UNBOUND_SERVER to any port 53 rdr-to $UNBOUND_SERVER
>>>
>
> you have to allow your IP in unbound.conf, look at your rules:
>
> access-control: 0.0.0.0/0 refuse
> access-control: 127.0.0.0/8 allow
> access-control: ::0/0 refuse
> access-control: ::1 allow
> access-control: 192.168.1.0/24 allow
> access-control: 192.168.50.0/24 allow
> access-control: 192.168.178.0/24 allow
>
> if you are not in the last 3 ranges specified, you won't be allowed
> to make a request.
>
> Note: Opening unbound to the internet is a bad idea.
>
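The access-control matching Solène describes above, and what the closing "access-control: 0.0.0.0/0 allow" fix does to it, as an added Python example (not code from the thread or from Unbound; Unbound documents longest-prefix matching, the external client range 203.0.113.0/24 and the INTERNAL list are constructed assumptions):

```python
import ipaddress

# access-control statements as quoted in the thread (constructed from the
# unbound.conf in the original post; order is irrelevant to Unbound).
ORIGINAL_RULES = [
    ("0.0.0.0/0", "refuse"), ("127.0.0.0/8", "allow"),
    ("::0/0", "refuse"), ("::1", "allow"),
    ("192.168.1.0/24", "allow"), ("192.168.50.0/24", "allow"),
    ("192.168.178.0/24", "allow"),
]
# The closing fix from the thread: the IPv4 catch-all changed to allow.
OPEN_RULES = [("0.0.0.0/0", "allow")] + ORIGINAL_RULES[1:]
# Alternative (hypothetical client range 203.0.113.0/24, constructed here):
# allow only the external network the queries actually come from.
NARROW_RULES = ORIGINAL_RULES + [("203.0.113.0/24", "allow")]

# Address space that never arrives from the public internet (assumption:
# RFC 1918, loopback, IPv6 ULA and link-local count as "internal" here).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]


def parse_rules(rules):
    """(netblock, action) pairs -> (ip_network, action); '::1' becomes ::1/128."""
    return [(ipaddress.ip_network(net, strict=False), act) for net, act in rules]


def access_control(rules, client_ip):
    """Action Unbound applies to client_ip: the most specific (longest
    prefix) matching netblock wins, so statement order does not matter.
    Unmatched clients are refused here, matching Unbound's default for
    anything that is not localhost."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, act in parse_rules(rules):
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, act)
    return best[1] if best else "refuse"


def public_allow_netblocks(rules):
    """Allowed netblocks not fully inside INTERNAL. Every entry deserves a
    review; a /0 here means the resolver answers the whole internet, i.e.
    an open resolver exposed to DNS amplification and cache-poisoning abuse."""
    return [str(net) for net, act in parse_rules(rules)
            if act == "allow" and not any(
                net.version == p.version and net.subnet_of(p) for p in INTERNAL)]
```

Running public_allow_netblocks over a candidate unbound.conf before reloading it is the check that would have flagged the 0.0.0.0/0 allow change while still passing the narrower alternative.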