Hi all,

It's my first topic here =)

Please help me investigate a DNS+PF issue.

I have 2 VMs on OpenBSD 6.3:

    VM#1 - Router with PF, IP: 192.168.50.1

    VM#2 - DNS (as unbound), IP: 192.168.50.2

Here is my pf.conf on VM#1:

    int_if="{ vether0 re0 }"
    set block-policy drop
    set loginterface egress
    set skip on lo0
    match in all scrub (no-df random-id max-mss 1440)
    match out on egress inet from !(egress:network) to any nat-to (egress:0)
    pass out quick inet
    pass in on $int_if inet
    pass in on egress inet proto { tcp, udp } from any to (egress) port 53 rdr-to 192.168.50.2

I try to check how my Unbound DNS VM#2 is working:

    # dig @192.168.50.1 google.com

    ; <<>> DiG 9.4.2-P2 <<>> @192.168.50.1 google.com
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2704
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;google.com.                    IN      A

    ;; ANSWER SECTION:
    google.com.             299     IN      A 172.217.21.110

    ;; Query time: 35 msec
    ;; SERVER: 192.168.50.1#53(192.168.178.100)
    ;; WHEN: Wed Aug 29 11:35:57 2018
    ;; MSG SIZE  rcvd: 44

Looks good. But if I try to do it from outside my local net ... with:

    # dig @external_IP google.com

    ; <<>> DiG 9.4.2-P2 <<>> @external_IP google.com
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24861
    ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available <<<   <<<   <<< ???

    ;; SERVER: external_IP#53
    ;; WHEN: Wed Aug 29 11:30:50 2018
    ;; MSG SIZE  rcvd: 12

I think that my PF config is wrong. Please help me investigate my issue.

P.S.: unbound.conf is here ...

    server:
            # interface: 188.192.103.156
            interface: 192.168.50.1
            interface: 127.0.0.1
            interface: ::1
            access-control: 0.0.0.0/0 refuse
            access-control: 127.0.0.0/8 allow
            access-control: ::0/0 refuse
            access-control: ::1 allow
            access-control: 192.168.1.0/24 allow
            access-control: 192.168.50.0/24 allow
            access-control: 192.168.178.0/24 allow
            do-not-query-localhost: no
            hide-identity: yes
            hide-version: yes
            port: 53

    remote-control:
            control-enable: yes
            control-use-cert: no
            control-interface: /var/run/unbound.sock

    forward-zone:
            name: "."
            forward-addr: 192.168.178.1 # fritz.box
            forward-addr: 8.8.8.8 # google.com
            forward-addr: 2001:4860:4860::8888 # google.com v6
            forward-first: yes # try direct if forwarder fails

Sorry for my English,

BR

deface
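An added example, not code from the post or from unbound itself, that reproduces unbound's access-control lookup in Python on the netblocks from the unbound.conf above: PF's rdr-to rewrites only the destination address, so unbound matches the client's original source address, and the most specific matching netblock decides. Function names and the client addresses 192.168.50.10 and 203.0.113.5 are constructed for the example.

```python
import ipaddress

# Constructed copy of the access-control lines from the unbound.conf in the post.
ACCESS_CONTROL = """
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: 192.168.1.0/24 allow
access-control: 192.168.50.0/24 allow
access-control: 192.168.178.0/24 allow
"""

def parse_access_control(text):
    """Return (netblock, action) pairs from unbound 'access-control:' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("access-control:"):
            continue
        _, netblock, action = line.split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules

def access_action(client_ip, rules):
    """Most specific (longest-prefix) matching netblock wins; no match -> refuse."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"

def decision_for_query(client_src, rules):
    """What unbound answers to a query the router redirected with 'rdr-to'.
    rdr-to rewrites only the destination (to 192.168.50.2 in the pf.conf);
    the source stays the client's real address, which access-control matches."""
    src_seen_by_unbound = client_src                # unchanged by rdr-to
    return access_action(src_seen_by_unbound, rules)

if __name__ == "__main__":
    rules = parse_access_control(ACCESS_CONTROL)
    # Constructed client addresses: a LAN host and an internet host (RFC 5737 range).
    for src in ("192.168.50.10", "203.0.113.5"):
        print(src, "->", decision_for_query(src, rules))
```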
