I have an APU2 running 6.2, acting as pf NAT gateway, DHCP server, and DNS cache (unbound) for my internal LAN.
I've attempted to make all DNS queries redirect to the APU2, as many examples have illustrated, so that they can be forwarded to OpenDNS (to take advantage of domain filtering). But it seems that it is still possible for queries to evade the redirection.

Using dig as a concrete example, if I do the following simple query from a client, I get an answer from unbound as expected:

$ dig openbsd.org

; <<>> DiG 9.4.2-P2 <<>> openbsd.org @192.168.2.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57692
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;openbsd.org.			IN	A

;; ANSWER SECTION:
openbsd.org.		28755	IN	A	129.128.5.194

;; Query time: 217 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Mon Nov  6 20:15:30 2017
;; MSG SIZE  rcvd: 45

However, if I specify an alternate DNS server, I get a response from that server:

$ dig openbsd.org @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> openbsd.org @8.8.8.8
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20902
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;openbsd.org.			IN	A

;; ANSWER SECTION:
openbsd.org.		20716	IN	A	129.128.5.194

;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov  6 20:19:21 2017
;; MSG SIZE  rcvd: 45

I expected to receive the answer from unbound on the APU2 at 192.168.2.1, not 8.8.8.8. However, even if that is not how dig is actually supposed to work, I can still see evidence where my LAN clients are able to go around the internal unbound.

Relevant APU2 configurations are below. I'm omitting the unbound configuration as it seems unhelpful; I have verified that it works, it's just the redirection that isn't working.

What have I goofed up?
Scott

$ cat /etc/resolv.conf.tail
search 123090.net
lookup file bind
options edns0

$ cat /etc/dhclient.conf
send host-name "comet.123090.net";
supersede domain-name-servers 208.67.222.222, 208.67.220.220;

$ cat /etc/dhcpd.conf
option domain-name "123090.net";

subnet 192.168.2.0 netmask 255.255.255.0 {
	option routers 192.168.2.1;
	option domain-name-servers 192.168.2.1;
	range 192.168.2.2 192.168.2.199;
}

subnet 192.168.0.0 netmask 255.255.255.0 {
	option routers 192.168.0.1;
	option domain-name-servers 192.168.0.1;
	range 192.168.0.101 192.168.0.199;
}

$ doas cat /etc/pf.conf
wired = "{ vether0 em1 em2 }"
wifi = "athn0"
wired_ip = "192.168.0.1"
wifi_ip = "192.168.2.1"
icmp_types = "{ echoreq, unreach }"
udp_ports = "{ domain, ntp }"
tcp_ports = "{ ssh, smtp, domain, www, pop3, auth, http, https, pop3s }"
table <bad_ips> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
	172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, \
	192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, \
	203.0.113.0/24, 224.0.0.0/3 }

set block-policy drop
set loginterface egress
set skip on lo

match in all scrub (no-df random-id)
match out on egress set prio (5, 6)
match in on $wifi set prio (5, 6)
match proto tcp to port ssh set prio 7
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress, $wifi }

block in quick log on egress from <bad_ips> to any
block return out quick log on egress from any to <bad_ips>
block in quick on egress from no-route to any
block in quick on egress inet proto icmp all label "icmp-in"
block all

pass quick proto { tcp, udp } to port $udp_ports
pass inet proto icmp icmp-type $icmp_types
pass out on egress inet proto udp to port 33433:33626
pass inet proto tcp from $wifi:network to port $tcp_ports modulate state
pass from { self, $wifi:network } modulate state
pass in on $wired inet

# Redirect DNS Queries
pass in on $wifi proto { udp, tcp } from any to any port domain \
	rdr-to $wifi_ip port domain label "dns-redirect"
pass in on $wired proto { udp, tcp } from any to any port domain \
	rdr-to $wired_ip port domain label "dns-redirect"
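The reason the redirect never fires can be read straight off the posted ruleset: pf evaluates rules top to bottom and the last matching rule wins, except that a matching rule marked "quick" ends evaluation immediately. The rule `pass quick proto { tcp, udp } to port $udp_ports` has no interface or direction, $udp_ports contains "domain", and it sits above the two rdr-to rules, so every port-53 packet from the LAN is passed unmodified by that quick rule and the "dns-redirect" rules are never reached. (The second dig output is consistent with that: a cached answer from unbound would have carried a TTL of about 28755 minus the 231 seconds elapsed, not 20716, and 19 ms is a round trip to 8.8.8.8, not a cache hit.) The following is an added example of the corrected DNS-redirect section, written here as an illustration and not taken from the original post; it assumes the macros $wifi, $wired, $wifi_ip and $wired_ip exactly as defined at the top of the pf.conf above, and it keeps `from any` rather than `$wired:network` because $wired is an interface list and the `:network` modifier cannot be applied to a list macro.

```pf
# Corrected DNS-redirect section for the pf.conf above (added example,
# not the original poster's configuration). $wifi, $wired, $wifi_ip and
# $wired_ip are assumed to be the macros defined at the top of that file.
#
# Why the posted version fails: pf uses last-match-wins, but a matching
# "quick" rule stops evaluation. The posted rule
#
#   pass quick proto { tcp, udp } to port $udp_ports
#
# matches UDP and TCP port 53 in every direction on every interface and
# is listed BEFORE the rdr-to rules, so the redirect is never evaluated.
# Placing the redirects first, and making them quick, fixes the ordering.

# Redirect LAN DNS queries to the local unbound. These must appear above
# any "quick" pass that would match port 53.
pass in quick on $wifi proto { udp, tcp } from any to any port domain \
	rdr-to $wifi_ip port domain label "dns-redirect"
pass in quick on $wired proto { udp, tcp } from any to any port domain \
	rdr-to $wired_ip port domain label "dns-redirect"

# The generic quick pass can stay where it was; port 53 from the LAN
# interfaces is now consumed above it, and ntp still matches it. It also
# still passes unbound's own outgoing port-53 queries on egress, which
# the "in on $wifi / $wired" rules above deliberately do not touch.
pass quick proto { tcp, udp } to port $udp_ports
```

To verify: `pfctl -nf /etc/pf.conf` to syntax-check, `pfctl -f /etc/pf.conf` to load, `pfctl -sr` to confirm the redirect rules now precede the generic quick pass, then run `dig openbsd.org @8.8.8.8` from a LAN client and check `pfctl -sl` on the APU2, where the packet counters on the "dns-redirect" label should increase. Do not use dig's `SERVER:` line as the test: rdr-to is transparent to the client, so it will still print `8.8.8.8#53` even when the query was answered by unbound; the TTL and query time are better tells, and a `tcpdump -n port 53` on the egress interface should show no port-53 traffic from the client's address. Two caveats a practitioner would want noted: redirection only catches plain DNS on port 53, so a client using DNS over TLS (853) or DNS over HTTPS (443, which the $tcp_ports rule passes) bypasses the local unbound entirely; and unbound must be listening on both 192.168.2.1 and 192.168.0.1 with access-control for both LAN subnets, since queries that were addressed to any outside resolver are now rewritten to those two addresses.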