Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX

No worries. I have a few sites blocked. Might be something on my end. I’m working through it. I am however having a problem where you put the basic rules into OPNsense for pi hole… any idea where those are? Im trying to fix mine…

Think I got it but have to wait for wife to get home.

Also my phone is no longer receiving calls via wifi instead of 4G… Im looking into it now.

2 Likes

Yeah something has to be amiss on my end… Something has changed with my Unbound server… the number of CNAME’s available using DIG or DELV has changed recently… I started looking at this because since I did the updates a week or so ago including, the new DNS list for pihole, I started to get errors like this on my wife’s devices and mine (Cell phone calls dropped and services hanging or not working at all-IE Texts and images sent)-

2022-04-25 10:47:51 A iphone-ld.origin-apple.com.akadns.net SamanthasiPhone.HSSTnet Blocked (external, NULL) IP (2.5ms)

The Blocked (external, NULL) was the only thing blocked by pihole. Turns out it was the upstream server (IE- Unbound) throwing that error back at Pi-hole. This means my previous conclusion that using DNSmasq on OPNsense Firewall was disabling the ability to filter pihole add lists by clients. That option on pihole is working fine. I just updated my root list for unbound but the number of CNAME records was the same as before (but not like the FIRST time I did it.

Heres a comparison of delv to check recursive resolver via unbound on the local device-

First Time (Initial Install)

**delv** [ **@127** ](http://twitter.com/127) **.0.0.1 -p 50053 internetsociety.org A +rtrace +multiline**

;; fetch: internetsociety.org/A
;; fetch: internetsociety.org/DNSKEY
;; fetch: internetsociety.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
internetsociety.org.    300 IN A 104.18.16.166
internetsociety.org.    300 IN A 104.18.17.166
internetsociety.org.    300 IN RRSIG A 13 2 300 (
          20210418094324 20210416074324 34505 internetsociety.org.                
          vSNyWVP0EivHHRAyiqvwJqV+5N2FgUlrBq++xzsmdafn
          4zhz4CGuIBWbljDSxD2bmJYDFxfHOtR9QDX9YEHc2Q== )
Current state

delv @127.0.0.1 -p 50053 internetsociety.org A +rtrace +multiline

;; fetch: internetsociety.org/A
;; fetch: internetsociety.org/DNSKEY
;; fetch: internetsociety.org/DS
;; fetch: org/DNSKEY
;; fetch: org/DS
;; fetch: ./DNSKEY
; fully validated
internetsociety.org.    30 IN A 104.18.16.166
internetsociety.org.    30 IN A 104.18.17.166
internetsociety.org.    30 IN RRSIG A 13 2 300 (
                                20220427171934 20220425151934 34505 internetsociety.org.
                                QRBk5o15H7JrPu39j3U0cRMAVlV76aCUcjh9ZziKlDSk
                                8adBwoFU/iyeOAvZVPtS39zAdteZ/iQw5LOQG0W2Dw== )

It looks like the number of reference records dropped from 300 to 30!
Is this something to worry about? I dunno it’s just something I noticed as different.
I’m (for shits and giggles) going to revert pihole and reset the clients lists to see what happens at home. It may be just too strict a list. I was able to fix my phone…

Never mind I’m still left with why the wife’s phone would still be messing up if I can see the query log isn’t forcing the phone to use the pihole filters and is only populating errors with Blocked (external, NULL)

I just refreshed my root.hints file using
wget https://www.internic.net/domain/named.root -O /etc/unbound/root.hints
the restarted the unbound service. See if I keep getting the NULL errors. I only have unbound as my piholes only upstream DNS.

Anyone have ideas? It is Verizon service…wondering if they still have some bugs they are fixing from their server crash a few days ago.

2 Likes

well I cant tell you much off that because mine is fine

kdig -d @utangard.net internetsociety.org +dnssec +opt +tls +stats +all +multiline +authority +answer +adflag +qr +opttext +header
;; DEBUG: Querying for owner(internetsociety.org.), class(1), type(1), server(utangard.net), port(853), protocol(TCP)
;; TLS session (TLS1.3)-(ECDHE-SECP521R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46397
;; Flags: rd ad; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 76 B

;; QUESTION SECTION:
;; internetsociety.org.	 IN A

;; Sent 128 B
;; Time 2022-04-26 12:35:59 MDT
;; To 2600:3c04::f03c:92ff:fec6:[email protected](TCP) in 179.8 ms

;; TLS session (TLS1.3)-(ECDHE-SECP521R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 46397
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 3; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; internetsociety.org.	 IN A

;; ANSWER SECTION:
internetsociety.org.	285 IN A 104.18.17.166
internetsociety.org.	285 IN A 104.18.16.166
internetsociety.org.	285 IN RRSIG A 13 2 300 20220427193516 (
				20220425173516 34505 internetsociety.org. 
				2629Ht8SikvBOaK97H7ge7DuSho/amPyHZTLrS7P
				8/Tqzi3xYO8BEkNYqk4Fa2ajnL3vftULaRX1ko4q
				L7Mv0g==
				)

;; Received 195 B
;; Time 2022-04-26 12:35:59 MDT
;; From 2600:3c04::f03c:92ff:fec6:[email protected](TCP) in 114.6 ms

So what I am thinking here is its one of two things

  1. Iphone points itself at apple DNS on akdns
  2. Something in how you have structured the chain of your lookups might not be good. As in configured improperly. Where is the unbound in relation to the pihole

Just saw this dont know how I missed it…lol

It seems to be workingish with the old list. I haven’t had much time to trouble shoot because wife has been taking off work… frustrating…

I have unbound running on pihole. So Pihole points to 127.0.0.1:xxxx for internal port.

unbound config looks like this

Config
# include additional configuration files (query data minimization for privacy and DNSSEC for security purposes)
# qname-minimisation.conf adds to server section
#   qname-minimisation: yes
# root-auto-trust-anchor-file.conf adds
#   auto-trust-anchor-file: "/var/lib/unbound/root.key"
include: "/etc/unbound/unbound.conf.d/*.conf"
server:
	verbosity: 0
	statistics-cumulative: yes
	# RPi3 has a quad-core CPU, so let's enable 4 threads
	num-threads: 4
	# Listen on port 50053 on every interface
	interface: [email protected]
	# Can enable faster resolutions in multithreaded configuration
	so-reuseport: yes
	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow
	access-control: ::ffff:127.0.0.1 allow
	# Allow queries from local lan (useful for testing, but can be 
	# omitted if queries will come only from Pi-hole running on the
	# same host
	access-control: 192.168.0.0/24 allow
	root-hints: "root.hints"
	private-address: 192.168.0.0/24
	private-domain: "your_local_domain"
	# Enable prefetching of cache elements that are queried when the
	# remaining life is less than 10% of the original TTL
	prefetch: yes

	domain-insecure: "your_local_domain"
	# Enable serving expired cache entries for at most 1-hour if 
	# it is impossible to refresh them
	serve-expired: yes
	serve-expired-ttl: 3600
	# Enable reverse resolution of local DNS names 
	local-zone: "0.168.192.in-addr.arpa." nodefault
	unblock-lan-zones: no
	insecure-lan-zones: no

python:
remote-control:
	# This can be used for querying Unbound about its internal statistics
	control-enable: yes
	control-interface: 0.0.0.0
	control-port: 8953
	# In my case, I have forward and reverse resolution for my home domain
	# setup on my router 192.168.0.254, so I want to forward local resolutions'
	# queries to it
forward-zone:
	name: "your_local_domain"
	forward-addr: 192.168.0.254
forward-zone:
	name: "0.168.192.in-addr.arpa"
	forward-addr: 192.168.0.254

AND I also thing I grabbed the wrong list lol

I had used this blindly… I’ll have to put in my network specifics… I think this is causing me issues… I’m sorry man. I’m still a noob. lol Now that I have better knowledge I think I may be able to fix it. :slight_smile: Thanks to your and @Biky’s tutelage. Thank you both again.

1 Like

@here
Mentioning me in a comment not really related, for some free upcummies. Not a bad strategy, I must say.

2 Likes

Well you did help me with firewall and to understand some more dns useage and how it functions. :slight_smile:

1 Like

You havent seen the lounge huh :troll:

2 Likes

I did and I ignored it
:rofl:

1 Like

we were honestly having too much fun with it

we were like

@Biky@Biky@Biky@Biky@Biky@Biky@Biky@Biky@Biky@Biky@Biky@Biky

:rofl: :sob:

2 Likes

Sorry I will attempt to refrain

1 Like

I do not condone this appeasement :joy:

1 Like

lol So I checked my lists… something was messed up or not clearing on my end when I tried your list…

Mine looked like this:

Processed adlist (351 entries)
Processed adlist group assignments (351 entries)
Processed blacklist (exact) (30 entries)
Processed blacklist (regex) (55 entries)
Processed black-/whitelist group assignments (15481 entries)
Processed whitelist (exact) (15384 entries)
Processed whitelist (regex) (12 entries)
OK

  [✓] Creating new gravity databases
  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [✓] The old database remains available.
  [i] Number of gravity domains: 15509940 (6359632 unique domains)
  [i] Number of exact blacklisted domains: 43
  [i] Number of regex blacklist filters: 54
  [i] Number of exact whitelisted domains: 15412
  [i] Number of regex whitelist filters: 11
  [✓] Cleaning up stray matter

  [✓] FTL is listening on port 53
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

SO it had a few MORE than yours and I couldnt clear it…spending today learning to clear it and restore defaults.

I need to look back at your blocking all russian DNS’s.

Im honestly slammed at work … its been hard for me to even pay attention to my posts outside some lounge fun

fairly simple to do

1 Like

Yeah no worries I’m not asking I know its here somewhere lol I can search it :slight_smile:

1 Like

I never did get DoT to work. It works via lan, but not remotely.

linode

[Interface]
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 1990
PrivateKey = 

[Peer]
PublicKey = 
AllowedIPs = 10.0.0.2/32
Endpoint = ip:1990
PersistentKeepalive = 25

Pihole

[Interface]
Address = 10.0.0.2/24
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 1990
PrivateKey = 

[Peer]
PublicKey = 
AllowedIPs = 10.0.0.1/32
Endpoint = ip:1990
PersistentKeepalive = 25

nginx


    # DNS upstream pool
upstream dns {
 zone dns 64k;
 server 10.0.0.2:53;

}

   # DoT server for decryption
server {
listen 853 ssl;

    ssl_certificate /etc/letsencrypt/live/mysite.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mysite.com-0001/privkey.pem; # managed by Cert$

proxy_pass dns;
    }

And yes I allowed 853 through on linode nginx side.

What is wrong with this setup?

1 Like

let me grab my configs and we can start comparing okay?

1 Like

perfecto

1 Like

lets see here

❯ cat stream.d/00-dnsTLS.conf
   # DoT server for decryption
server {
   access_log /var/log/nginx/dnsOverTLS-querylog proxy;
   listen 853 ssl;
   listen [::]:853 ssl;
   proxy_pass 10.31.85.1:19253;
   proxy_connect_timeout   30s;
   preread_timeout         50s;
   ssl_session_tickets on;
   ssl_session_timeout   4h;
   ssl_handshake_timeout 30s;
}
# Reg DNS
server {
   access_log /var/log/nginx/dns-querylog proxy;
   listen 53;
   listen 53 udp;
   listen [::]:53;
   listen [::]:53 udp;
   proxy_pass 10.31.85.1:19253;
   proxy_connect_timeout   30s;
   preread_timeout         50s;
   ssl_session_tickets on;
   ssl_session_timeout   4h;
   ssl_handshake_timeout 30s;
}

Main stream config

## STREAM BLOCK
stream {
    log_format proxy '$remote_addr [$time_local] '
       '$protocol $status $bytes_sent $bytes_received '
       '$session_time "$upstream_addr" '
       '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
    include /etc/nginx/stream.d/*.conf;
    error_log off;
    access_log /var/log/nginx/streamLog proxy buffer=256k;
    ssl_certificate         /etc/nginx/ssl/utangard/cert.crt;
    ssl_certificate_key     /etc/nginx/ssl/utangard/privkey.key;
    ssl_dhparam             /etc/nginx/ssl/utangard/dhparam.pem;
    ssl_trusted_certificate /etc/nginx/ssl/utangard/cert.crt;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers         !AES128:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp521r1:secp384r1;
    access_log off;
...
}
1 Like

So could you dump your firewall rules on all relevant machines?

1 Like

Is UDP 53 open on this?

Can you do normal DNS externally?

1 Like