Open 0xShkk opened 4 months ago
You may just want to check /etc/resolv.conf beforehand.
By setting Do not use the local DNS service as a nameserver for this system in combination with no other DNS servers set for system, no DNS lookups should be possible for the OPNsense host system.
https://man.freebsd.org/cgi/man.cgi?resolv.conf
"If no nameserver entries are present, the default is to use the name server on the local machine."
Yeah sounds like it, but in any case /etc/resolv.conf contents would be helpful to pinpoint.
Content in my /etc/resolv.conf is only the following:
domain local
search local
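The resolv.conf(5) behaviour quoted above is easy to miss when reading a file that only carries domain/search lines. The following is an added example (my own code, not part of this issue or of OPNsense) that applies the resolver's rules to a resolv.conf text and reports which nameservers the FreeBSD host will actually query, then checks whether a DNS daemon bound to a given address and port (such as dnscrypt-proxy on 0.0.0.0:53) would receive those queries. The sample files are constructed for the example; the first one mirrors the two-line resolv.conf posted above, the others use documentation addresses. Modelling the "name server on the local machine" fallback as 127.0.0.1 is an assumption of this example.

```python
"""Added example: which nameservers does the FreeBSD stub resolver really use?

Not code from the OPNsense issue or project. Rules applied:
  - only lines whose first field is the keyword count; lines whose first
    column is '#' or ';' are comments (resolv.conf(5))
  - at most MAXNS (3) nameserver entries are used
  - with no nameserver entry at all, the resolver queries "the name server on
    the local machine", modelled here as 127.0.0.1 (assumption)
"""
import ipaddress
from typing import List

MAXNS = 3  # resolv.conf(5): up to MAXNS (currently 3) name servers are listed

# Constructed sample files (documentation addresses, not real servers).
RESOLV_NO_NAMESERVER = "domain local\nsearch local\n"   # as posted in the issue
RESOLV_EXPLICIT = (
    "# constructed sample\n"
    "search local\n"
    "nameserver 192.0.2.53\n"
    "nameserver 2001:db8::53\n"
)
RESOLV_TOO_MANY = (
    "nameserver 192.0.2.1\nnameserver 192.0.2.2\n"
    "nameserver 192.0.2.3\nnameserver 192.0.2.4\n"
)


def effective_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameservers the resolver will query for this resolv.conf."""
    servers: List[str] = []
    for line in resolv_conf.splitlines():
        if line[:1] in ("", "#", ";"):   # blank or comment line
            continue
        fields = line.split()
        if not fields or fields[0] != "nameserver" or len(fields) < 2:
            continue                      # domain/search/options: not a server
        try:
            servers.append(str(ipaddress.ip_address(fields[1])))
        except ValueError:
            continue                      # unparsable address is ignored
    if not servers:
        return ["127.0.0.1"]              # implicit "local machine" fallback
    return servers[:MAXNS]


def hits_local_listener(servers: List[str], listen_addr: str,
                        listen_port: int = 53) -> bool:
    """True if a DNS daemon bound to listen_addr:listen_port would receive
    queries sent to any of `servers`.

    The stub resolver sends to port 53. A wildcard bind (0.0.0.0 or ::)
    answers on every address of the host; offline we only know that the
    loopback address of the same IP version is local, so the check stays
    conservative and never reports a hit that cannot happen.
    """
    if listen_port != 53:
        return False
    bind = ipaddress.ip_address(listen_addr)
    for server in servers:
        ip = ipaddress.ip_address(server)
        if ip == bind:
            return True
        if bind.is_unspecified and ip.version == bind.version and ip.is_loopback:
            return True
    return False


if __name__ == "__main__":
    for name, text in (("posted resolv.conf", RESOLV_NO_NAMESERVER),
                       ("explicit servers", RESOLV_EXPLICIT),
                       ("four entries", RESOLV_TOO_MANY)):
        servers = effective_nameservers(text)
        caught = hits_local_listener(servers, "0.0.0.0", 53)
        print(f"{name}: queries go to {servers}; "
              f"caught by a listener on 0.0.0.0:53: {caught}")
```

Run against the posted file the script reports that queries go to 127.0.0.1 and are caught by anything listening on 0.0.0.0:53, which is exactly the situation described in this issue; with explicit nameserver lines the local listener is bypassed, and moving the listener off port 53 (as suggested later in the thread) also makes the check return False.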
@0xShkk so it works like it should? I don't think that Do not use the local DNS service as a nameserver for this system is intended for breaking local name resolution - just for excluding localhost from nameservers. If you really need to break local name resolution you can specify some unreachable server:port or block local requests via pf (better be careful).
Possibly we could avoid setting this if both DNS from the ISP and local resolving are refused, requiring explicit servers to be added, but there are more scenarios where this breaks (ISP not sending you any), it's the first time anyone cared, and it's probably better to not let a DNS listen on 127.0.0.1 then...
Yea actually it works as designed...
However, I was confused by the GUI settings. Maybe you could add a floating message or similar when the checkbox is checked and no nameservers are set, to make users aware of the FreeBSD name resolution logic.
In my scenario, I think I will reconfigure dnscrypt-proxy to not be the system DNS by letting it listen on something other than port 53 and then port-forward the clients to it in the nets where they need access.
Thanks for your kind support. This can be closed from my side.
Describe the bug
I am using the dnscrypt-proxy plugin for the local system DNS. Dnscrypt is configured to act as the local system DNS by listening on 0.0.0.0:53 as described in the documentation. However, the OPNsense setting Do not use the local DNS service as a nameserver for this system is checked, but still dnscrypt-proxy is used for resolving DNS queries originating from the local OPNsense system. OPNsense version is 24.1.2.
To Reproduce
0.0.0.0:53
Do not use the local DNS service as a nameserver for this system in System -> Settings -> General
Expected behavior
By setting Do not use the local DNS service as a nameserver for this system in combination with no other DNS servers set for the system, no DNS lookups should be possible for the OPNsense host system.