Solved Block queries to some nameservers

lib13

Active Member

Reaction score: 4
Messages: 120

Having an in-home unbound server for DNS queries, I'd like to block queries to other DNS nameservers.
Take the example of the 8.8.8.8 server.
re0 is the network interface that connects to the router, also a FreeBSD box running a DNS server.
re0 is part of bridge10 so that vnet jails have access to the Internet.

The output:
Code:
# ifconfig -a
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether d4:5d:5d:5d:5d:5d
        inet 192.168.1.30 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail_vnet_jail_only_bridge
        ether 58:9c:9c:9c:9c:9c
        inet 192.168.3.2 netmask 0xffffff00 broadcast 192.168.3.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
epair3a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail_vnet_jail_xbrowser
        options=8<VLAN_MTU>
        ether 02:25:25:25:25:25
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

The rules in the /etc/pf.conf file list as:

Code:
# pfctl -s rules
scrub in all fragment reassemble
scrub out on re0 all random-id fragment reassemble
block drop in quick on ! re0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.30 to any
block drop in on re0 all
block return in log all
block drop out quick on re0 inet proto udp from any to 8.8.8.8 port = domain
block drop out quick on re0 inet proto tcp from any to 8.8.8.8 port = domain
pass out all flags S/SA keep state
pass out on re0 proto tcp from any to any port = ssh flags S/SA keep state queue(high, ssh)
block drop in log quick on re0 inet from <__automatic_6e8edf3f_0> to any
block drop out log quick on re0 inet from any to <__automatic_6e8edf3f_1>
pass inet proto icmp all icmp-type echoreq keep state
pass inet proto icmp all icmp-type unreach keep state
I was expecting not to be able to use the 8.8.8.8 nameserver, but it's still possible.

Code:
# drill +short google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 344
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; google.com.  IN      A

;; ANSWER SECTION:
google.com.     39      IN      A       216.58.215.142

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 17 msec
;; SERVER: 8.8.8.8

What is wrong with my setup, and how can I block queries to a nameserver?

Lamia

Aspiring Daemon

Reaction score: 207
Messages: 770

Why not block at gateway/firewall/router level? If you were using {OPN,PF}Sense, you could easily do that. And I'm sure other firewalls too. I also think you can set the forward recursive servers to use in unbound.conf and resolv.conf.

lib13

Active Member

Reaction score: 4
Messages: 120

Somehow, I missed the step of joining re0 to the bridge... Thank you SirDice.
I don't know if that was the issue or not, but the rules seem to work now.

Lamia, yes I could do it at the router, but the rules would be similar.
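For comparison, a pf.conf fragment that applies the same restriction on every interface instead of only re0, so that bridged jail traffic is covered too. This is an added illustration, not configuration from any post in this thread; the unbound host address, the table contents and the use of the `user` keyword to exempt unbound's own upstream lookups are assumptions.

```pf
# Constructed pf.conf fragment (not the poster's file); interface names follow
# the thread, the addresses are assumed.
ext_if       = "re0"
unbound_host = "192.168.1.30"   # assumed: the box running unbound

# Public resolvers that clients tend to hard-code.  A persistent table can be
# extended at run time:  pfctl -t other_dns -T add <addr>
table <other_dns> persist { 8.8.8.8, 8.8.4.4, 1.1.1.1 }

# 1. unbound's own upstream queries leave the host.  Matching on the socket
#    owner (user) only applies to locally generated packets, so no other local
#    process, and no bridged jail, is covered by this exception.
pass out quick proto { tcp, udp } from any to any port domain user unbound

# 2. Every client, including vnet jails bridged through the host, may only
#    talk to the local resolver.  No "on" clause: the rule applies on every
#    interface, not just re0.
pass quick proto { tcp, udp } from any to $unbound_host port domain

# 3. Anything else on the DNS (53) and DNS-over-TLS (853) ports is dropped and
#    logged to pflog0.  The table rule comes first so that its per-rule
#    counter (pfctl -vs rules) shows how often the known resolvers are tried.
block drop log quick proto { tcp, udp } from any to <other_dns> port { domain, 853 }
block drop log quick proto { tcp, udp } from any to any port { domain, 853 }
```

DNS over HTTPS on port 443 is indistinguishable from ordinary web traffic to these rules and is not blocked by them. Confirm the blocks are actually being hit with `pfctl -vs rules` and `tcpdump -n -e -ttt -i pflog0 port 53` rather than relying on the resolver output alone.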