On Mon, November 6, 2017 8:50 pm, Scott Bennett wrote:
> I have an APU2 running 6.2, acting as pf NAT gateway, DHCP server, and
> DNS cache (unbound) for my internal LAN.
>
> I've attempted to make all DNS queries redirect to the APU2, as many
> examples have illustrated, so that they can be forwarded to OpenDNS (to
> take advantage of domain filtering). But it seems that it is still
> possible for queries to evade the redirection.
>
> Using dig as a concrete example, if I do the following simple
> query from a client, I get an answer from unbound as expected:
>
> However, if I specify an alternate DNS server, I get a response from
> that server:
>
> $ doas cat /etc/pf.conf
> wired = "{ vether0 em1 em2 }"
> wifi = "athn0"
> wired_ip = "192.168.0.1"
> wifi_ip = "192.168.2.1"
> icmp_types = "{ echoreq, unreach }"
> udp_ports = "{ domain, ntp }"
> tcp_ports = "{ ssh, smtp, domain, www, pop3, auth, http, https, pop3s }"
>
> table <bad_ips> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
>                   172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, \
>                   192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, \
>                   203.0.113.0/24, 224.0.0.0/3 }
> set block-policy drop
> set loginterface egress
> set skip on lo
> match in all scrub (no-df random-id)
> match out on egress set prio (5, 6)
> match in on $wifi set prio (5, 6)
> match proto tcp to port ssh set prio 7
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> antispoof quick for { egress, $wifi }
> block in quick log on egress from <bad_ips> to any
> block return out quick log on egress from any to <bad_ips>
> block in quick on egress from no-route to any
> block in quick on egress inet proto icmp all label "icmp-in"
> block all
> pass quick proto { tcp, udp } to port $udp_ports
Because you're telling pf to pass all traffic on port domain to anywhere.
Quick rules stop evaluation and you never hit the rdr-to rules below.

> pass inet proto icmp icmp-type $icmp_types
> pass out on egress inet proto udp to port 33433:33626
> pass inet proto tcp from $wifi:network to port $tcp_ports modulate state
> pass from { self, $wifi:network } modulate state
> pass in on $wired inet
> # Redirect DNS Queries
> pass in on $wifi proto { udp, tcp } from any to any port domain \
>     rdr-to $wifi_ip port domain label "dns-redirect"
> pass in on $wired proto { udp, tcp } from any to any port domain \
>     rdr-to $wired_ip port domain label "dns-redirect"

What is on your LAN that isn't using your DHCP settings for DNS? Why
redirect instead of just blocking DNS from the LAN to all but unbound?
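As an added example (not from either message in the thread), here is one way to restructure the quoted DNS rules so the redirect is evaluated before the generic quick pass, alongside the block-only alternative the reply suggests; the macros and addresses are Scott's, while the <lan_dns> table and the "dns-evasion" label are assumptions.

```pf
# Macros and addresses taken from the quoted pf.conf.
wired = "{ vether0 em1 em2 }"
wifi = "athn0"
wired_ip = "192.168.0.1"
wifi_ip = "192.168.2.1"
# Assumed table: the only resolvers LAN clients are allowed to reach directly.
table <lan_dns> { 192.168.0.1, 192.168.2.1 }

# Option 1: keep the redirect, but make it "quick" and place it before any
# other pass rule. Evaluation stops here, so the later generic pass never
# sees LAN DNS traffic and clients pointing at an outside resolver land on
# unbound instead.
pass in quick on $wifi inet proto { udp, tcp } to ! <lan_dns> port domain \
    rdr-to $wifi_ip port domain label "dns-redirect"
pass in quick on $wired inet proto { udp, tcp } to ! <lan_dns> port domain \
    rdr-to $wired_ip port domain label "dns-redirect"

# Option 2 (the reply's suggestion): no redirect at all, just refuse and log
# DNS from the LAN to anything other than unbound on the gateway. The log
# entries also show which hosts are ignoring the DHCP-supplied resolver.
block return in quick log on $wifi inet proto { udp, tcp } \
    to ! <lan_dns> port domain label "dns-evasion"
block return in quick log on $wired inet proto { udp, tcp } \
    to ! <lan_dns> port domain label "dns-evasion"

# Either way, "domain" must leave the quick pass below, or that pass must
# come after the rules above; otherwise it wins first, as in the original.
udp_ports = "{ ntp }"
pass quick proto { tcp, udp } to port $udp_ports
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0 port domain` to confirm which rule the stray queries now hit.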