I have an APU2 running 6.2, acting as pf NAT gateway, DHCP server, and
DNS cache (unbound) for my internal LAN.

I've attempted to make all DNS queries redirect to the APU2, as many
examples have illustrated, so that they can be forwarded to OpenDNS (to
take advantage of domain filtering). But it seems that it is still
possible for queries to evade the redirection.

Using dig as a concrete example, if I do the following simple
query from a client, I get an answer from unbound as expected:

$ dig openbsd.org

; <<>> DiG 9.4.2-P2 <<>> openbsd.org @192.168.2.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57692
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;openbsd.org.                   IN      A

;; ANSWER SECTION:
openbsd.org.            28755   IN      A       129.128.5.194

;; Query time: 217 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Mon Nov  6 20:15:30 2017
;; MSG SIZE  rcvd: 45


However, if I specify an alternate DNS server, I get a response from
that server:

$ dig openbsd.org @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> openbsd.org @8.8.8.8
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20902
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;openbsd.org.                   IN      A

;; ANSWER SECTION:
openbsd.org.            20716   IN      A       129.128.5.194

;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov  6 20:19:21 2017
;; MSG SIZE  rcvd: 45


I expected to receive the answer from unbound on the APU2 at
192.168.2.1, not 8.8.8.8. However, even if that is not how dig is
actually supposed to work, I can still see evidence where my LAN
clients are able to go around the internal unbound. Relevant APU2
configurations are below. Omitting the unbound configuration as it
seems unhelpful. I have verified that it works; just the
redirection isn't working.

What have I goofed up?


Scott


$ cat /etc/resolv.conf.tail
search 123090.net
lookup file bind
options edns0

$ cat /etc/dhclient.conf
send host-name "comet.123090.net";
supersede domain-name-servers 208.67.222.222, 208.67.220.220;

$ cat /etc/dhcpd.conf
option domain-name "123090.net";
subnet 192.168.2.0 netmask 255.255.255.0 {
        option routers 192.168.2.1;
        option domain-name-servers 192.168.2.1;
        range 192.168.2.2 192.168.2.199;
}
subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        option domain-name-servers 192.168.0.1;
        range 192.168.0.101 192.168.0.199;
}

$ doas cat /etc/pf.conf
wired = "{ vether0 em1 em2 }"
wifi = "athn0"
wired_ip = "192.168.0.1"
wifi_ip = "192.168.2.1"
icmp_types = "{ echoreq, unreach }"
udp_ports = "{ domain, ntp }"
tcp_ports = "{ ssh, smtp, domain, www, pop3, auth, http, https, pop3s }"

table <bad_ips> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                  172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, \
                  192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, \
                  203.0.113.0/24, 224.0.0.0/3 }
set block-policy drop
set loginterface egress
set skip on lo
match in all scrub (no-df random-id)
match out on egress set prio (5, 6)
match in on $wifi set prio (5, 6)
match proto tcp to port ssh set prio 7
match out on egress inet from !(egress:network) to any nat-to (egress:0)
antispoof quick for { egress, $wifi }
block in quick log on egress from <bad_ips> to any
block return out quick log on egress from any to <bad_ips>
block in quick on egress from no-route to any
block in quick on egress inet proto icmp all label "icmp-in"
block all
pass quick proto { tcp, udp } to port $udp_ports
pass inet proto icmp icmp-type $icmp_types
pass out on egress inet proto udp to port 33433:33626
pass inet proto tcp from $wifi:network to port $tcp_ports modulate state
pass from { self, $wifi:network } modulate state
pass in on $wired inet
# Redirect DNS Queries
pass in on $wifi  proto { udp, tcp } from any to any port domain \
    rdr-to $wifi_ip  port domain label "dns-redirect"
pass in on $wired proto { udp, tcp } from any to any port domain \
    rdr-to $wired_ip port domain label "dns-redirect"
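
The posted ruleset, as an added example and not the poster's own text, read against pf's evaluation order: pf walks rules top to bottom and the last matching rule wins, except that a rule marked `quick` ends evaluation as soon as it matches. In the posted pf.conf the rule `pass quick proto { tcp, udp } to port $udp_ports` has no direction or interface, so a client query to 8.8.8.8:53 arriving in on athn0 matches it first and evaluation stops there; the two `rdr-to` rules at the bottom are never reached. The fragment below shows the posted ordering beside a corrected one; every macro (`$wifi`, `$wired`, `$wifi_ip`, `$wired_ip`, `$udp_ports`) is the poster's, and everything not shown is assumed to stay as in the posted file.

```pf
# Added example, not the poster's configuration. Only the rules relevant to
# the DNS redirect are shown; macros come from the posted pf.conf.

# --- Ordering as posted: the quick pass wins, rdr-to is never evaluated ---
# A LAN query to 8.8.8.8:53 arrives "in on athn0", matches this rule first,
# and "quick" stops evaluation, so the redirect rules below never see it.
pass quick proto { tcp, udp } to port $udp_ports
# ... remaining posted rules ...
pass in on $wifi  proto { udp, tcp } from any to any port domain \
    rdr-to $wifi_ip  port domain label "dns-redirect"
pass in on $wired proto { udp, tcp } from any to any port domain \
    rdr-to $wired_ip port domain label "dns-redirect"

# --- Corrected ordering: redirect first, marked quick, then the general pass ---
# Inbound port-53 traffic from either LAN is rewritten to the local unbound
# before any other pass rule can claim it. Outbound DNS from the router itself
# (unbound forwarding to OpenDNS, out on egress) still matches the general rule.
pass in quick on $wifi  proto { udp, tcp } from any to any port domain \
    rdr-to $wifi_ip  port domain label "dns-redirect"
pass in quick on $wired proto { udp, tcp } from any to any port domain \
    rdr-to $wired_ip port domain label "dns-redirect"
pass quick proto { tcp, udp } to port $udp_ports
```

Two checks are worth running on the router before and after the change: `pfctl -nf /etc/pf.conf` to syntax-check the edited file, and `pfctl -sl` to print per-label counters; with the posted ordering the `dns-redirect` labels stay at zero packets no matter how many client queries are sent. Note that `dig ... @8.8.8.8` on a client will keep printing `SERVER: 8.8.8.8` even once the redirect works, because dig only reports the address it sent to; the counters on the router (or unbound's own logs) are where the redirect is visible. As in the posted rules, this only covers port 53, nothing else.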
