opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Local nameserver still used for DNS even if advised not to do #7272

Open 0xShkk opened 4 months ago

0xShkk commented 4 months ago

Describe the bug

I am using the dnscrypt-proxy plugin for the local system DNS. dnscrypt-proxy is configured to act as the local system DNS by listening on 0.0.0.0:53, as described in the documentation. However, although the OPNsense setting "Do not use the local DNS service as a nameserver for this system" is checked, dnscrypt-proxy is still used for resolving DNS queries originating from the local OPNsense system. OPNsense version is 24.1.2.

To Reproduce

Expected behavior

By setting "Do not use the local DNS service as a nameserver for this system" in combination with no other DNS servers set for the system, no DNS lookups should be possible for the OPNsense host system.

fichtner commented 4 months ago

You may just want to check /etc/resolv.conf beforehand.

kulikov-a commented 4 months ago

> By setting Do not use the local DNS service as a nameserver for this system in combination with no other DNS servers set for system, no DNS lookups should be possible for the OPNsense host system.

https://man.freebsd.org/cgi/man.cgi?resolv.conf: "If no nameserver entries are present, the default is to use the name server on the local machine."

fichtner commented 4 months ago

Yeah sounds like it, but in any case /etc/resolv.conf contents would be helpful to pinpoint.

0xShkk commented 4 months ago

The content of my /etc/resolv.conf is only the following:

domain local
search local
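The two comments above turn on one rule from resolv.conf(5): when the file carries no `nameserver` lines, the resolver falls back to the name server on the local machine, so a file containing only `domain`/`search` still resolves through whatever listens on 127.0.0.1 (here, dnscrypt-proxy). The following parser is an added example, not code from the OPNsense project, that reads a resolv.conf body, applies that default, and reports whether the host will end up talking to a loopback resolver; the `MAXNS` limit of three servers comes from resolv.conf(5), and the two sample files (one copied from the comment above, one constructed with explicit servers) are embedded inline.

```python
"""Report which nameservers a FreeBSD host will actually use for a given resolv.conf.

Added example (not part of the OPNsense issue or code base). Function names,
the sample configurations and the constants below are this example's own.
"""
import ipaddress

# resolv.conf(5): "If no nameserver entries are present, the default is to use
# the name server on the local machine."
LOCAL_DEFAULT = "127.0.0.1"
# resolv.conf(5): up to MAXNS (currently 3) nameservers are honoured; the rest are ignored.
MAXNS = 3

# resolv.conf as posted in the issue: domain/search only, no nameserver lines.
PAGE_CONF = "domain local\nsearch local\n"

# Constructed counter-example with explicit upstream servers (documentation prefixes).
EXPLICIT_CONF = """\
# constructed sample, not from a real host
domain example.test
nameserver 192.0.2.53
nameserver 2001:db8::53
nameserver not-an-address   ; ignored: the resolver only accepts IP literals
"""


def effective_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver list the resolver library will consult, in order.

    Comment lines (leading '#' or ';') and malformed entries are skipped; if no
    valid 'nameserver' entry survives, the local-machine default applies.
    """
    servers: list[str] = []
    for raw in resolv_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] != "nameserver" or len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # resolv.conf takes IP literals only; anything else is dropped
        servers.append(parts[1])
    if not servers:
        return [LOCAL_DEFAULT]
    return servers[:MAXNS]


def uses_local_resolver(resolv_conf: str) -> bool:
    """True when any effective nameserver is a loopback address (127.0.0.0/8 or ::1).

    This is the check that explains the issue: an empty nameserver list is not
    "no DNS", it is "ask whatever listens on loopback port 53".
    """
    return any(ipaddress.ip_address(s).is_loopback for s in effective_nameservers(resolv_conf))


if __name__ == "__main__":
    for label, conf in (("issue resolv.conf", PAGE_CONF), ("explicit servers", EXPLICIT_CONF)):
        print(f"{label}: effective={effective_nameservers(conf)} loopback={uses_local_resolver(conf)}")
```

Run on the firewall's own file (`effective_nameservers(open('/etc/resolv.conf').read())`) this gives the same answer `resolv.conf(5)` gives: an empty list means loopback, which is why the "do not use the local DNS service" checkbox on its own cannot stop local lookups, and why pointing the host at unreachable servers or filtering port 53 in pf, as suggested below, is what actually breaks them.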

kulikov-a commented 4 months ago

@0xShkk so it works like it should? I don't think that "Do not use the local DNS service as a nameserver for this system" is intended for breaking local name resolution, just for excluding localhost from the nameservers. If you really need to break local name resolution you can specify some unreachable server:port or block local requests via pf (better be careful).

fichtner commented 4 months ago

Possibly we could avoid setting this if both DNS from the ISP and local resolving are refused, requiring explicit servers to be added, but there are more scenarios where this breaks (ISP not sending you any), and it's the first time anyone cared, and it's probably better to not let a DNS listen on 127.0.0.1 then...

0xShkk commented 4 months ago

Yea, actually it works as designed...

However, I was confused by the GUI settings. Maybe you could add a floating message or similar when the checkbox is checked and no nameservers are set, to make users aware of the FreeBSD name resolution logic.

In my scenario, I think I will reconfigure dnscrypt-proxy to not be the system DNS by letting it listen on something other than port 53 and then port-forward the clients to it in the nets where they need access.

Thanks for your kind support. This can be closed from my side.