OpenBSD pf - redirect all DNS queries to local DNS server

OpenBSD pf - redirect all DNS queries to local DNS server

lu hu
Our little home network:

ISP -> ROUTER -> SWITCH -> WIFI APs -> CLIENTS

ROUTER: OpenBSD 6.5, providing DHCP and forwarding internet to the WIFI APs. Based on https://www.openbsd.org/faq/pf/example1.html#pf and https://www.openbsd.org/faq/pf/example1.html#dhcp

CLIENTS: laptops, smartphones.

So everything is going through the ROUTER.

We can see a https://www.openbsd.org/faq/pf/example1.html#dns DOC for how to setup a DNS server, ~ok.

AD filtering. We would like to have one, but not a fancy one, just a working one.

Based on "bad hosts", ex.: if a client queries iamAD.foo, then answer it back as 127.0.0.1, so the clients will try to connect to themselves, which will end up not showing the AD.

The big question: Is there any DOC for OpenBSD about this? What pf rules are needed to redirect any DNS server (ex.: 8.8.8.8 or 1.1.1.1) requests to the DNS server running on the ROUTER, coming from the CLIENTS?

So ex.: if a smartphone CLIENT wants to query iamAD.foo domain to get ADs, it will only get back 127.0.0.1


Re: OpenBSD pf - redirect all DNS queries to local DNS server

jin&hitman&Barracuda
Sorry for top posting.

It looks like you need an IP address list which is updated dynamically. But
this method is not like what you described here. It doesn't respond back with
an IP address, but it does block requests which are trying to reach those
ad servers. If you wish you can choose the action "reject" instead of
"drop". I chose to reject requests because we have just two devices on the
home network.

There are a couple of sites which share ad server names and IP addresses as
a list, and they update those lists. As described in the link below, you can use
a script to stop traffic which you don't want to have. Basically the script
updates the 'source of bad ad server list' periodically and feeds your pf rules.

https://www.geoghegan.ca/pfbadhost.html

On Tue, Dec 17, 2019, 23:57 lu hu <[hidden email]> wrote:

> Our little home network:
>
> ISP -> ROUTER -> SWITCH -> WIFI APs -> CLIENTS
>
> ROUTER: OpenBSD 6.5, providing DHCP and forwarding internet to the WIFI APs. Based on
> https://www.openbsd.org/faq/pf/example1.html#pf and
> https://www.openbsd.org/faq/pf/example1.html#dhcp
>
> CLIENTS: laptops, smartphones.
>
> So everything is going through the ROUTER.
>
> We can see a https://www.openbsd.org/faq/pf/example1.html#dns DOC for how
> to setup a DNS server, ~ok.
>
> AD filtering. We would like to have one, but not a fancy one, just a
> working one.
>
> Based on "bad hosts", ex.: if a client queries iamAD.foo, then answer it
> back as 127.0.0.1, so the clients will try to connect to themselves, which
> will end up not showing the AD.
>
> The big question: Is there any DOC for OpenBSD about this? What pf rules
> are needed to redirect any DNS server (ex.: 8.8.8.8 or 1.1.1.1) requests to the
> DNS server running on the ROUTER, coming from the CLIENTS?
>
> So ex.: if a smartphone CLIENT wants to query iamAD.foo domain to get ADs,
> it will only get back 127.0.0.1
>
>
>

Re: OpenBSD pf - redirect all DNS queries to local DNS server

Jordan Geoghegan-3


On 2019-12-17 13:24, jin&hitman&Barracuda wrote:

> Sorry for top posting.
>
> It looks like you need an IP address list which is updated dynamically. But
> this method is not like what you described here. It doesn't respond back with
> an IP address, but it does block requests which are trying to reach those
> ad servers. If you wish you can choose the action "reject" instead of
> "drop". I chose to reject requests because we have just two devices on the
> home network.
>
> There are a couple of sites which share ad server names and IP addresses as
> a list, and they update those lists. As described in the link below, you can use
> a script to stop traffic which you don't want to have. Basically the script
> updates the 'source of bad ad server list' periodically and feeds your pf rules.
>
> https://www.geoghegan.ca/pfbadhost.html
>
> On Tue, Dec 17, 2019, 23:57 lu hu <[hidden email]> wrote:
>
>> Our little home network:
>>
>> ISP -> ROUTER -> SWITCH -> WIFI APs -> CLIENTS
>>
>> ROUTER: OpenBSD 6.5, providing DHCP and forwarding internet to the WIFI APs. Based on
>> https://www.openbsd.org/faq/pf/example1.html#pf and
>> https://www.openbsd.org/faq/pf/example1.html#dhcp
>>
>> CLIENTS: laptops, smartphones.
>>
>> So everything is going through the ROUTER.
>>
>> We can see a https://www.openbsd.org/faq/pf/example1.html#dns DOC for how
>> to setup a DNS server, ~ok.
>>
>> AD filtering. We would like to have one, but not a fancy one, just a
>> working one.
>>
>> Based on "bad hosts", ex.: if a client queries iamAD.foo, then answer it
>> back as 127.0.0.1, so the clients will try to connect to themselves, which
>> will end up not showing the AD.
>>
>> The big question: Is there any DOC for OpenBSD about this? What pf rules
>> are needed to redirect any DNS server (ex.: 8.8.8.8 or 1.1.1.1) requests to the
>> DNS server running on the ROUTER, coming from the CLIENTS?
>>
>> So ex.: if a smartphone CLIENT wants to query iamAD.foo domain to get ADs,
>> it will only get back 127.0.0.1
>>
>>
>>

Hey, I'm the author of that script. If you're looking to block ads via
DNS, geoghegan.ca/unbound-adblock.html may be what you're looking for.

It pulls a popular ad server blocklist and makes unbound return NXDOMAIN
when a device tries to query a known ad server. Certain devices have
issues when redirecting their queries to 127.0.0.1 or 0.0.0.0, and some
devices may waste time retrying queries for a long period of time.
Setting static redirects to a particular address causes unbound to eat
up a ton of memory, whereas returning NXDOMAIN uses almost no memory.

Cheers,

Jordan

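The NXDOMAIN approach Jordan describes, as an added example (this is not his unbound-adblock script, nor anything else from the thread): a small sh script that turns a hosts-format ad blocklist into unbound `local-zone ... always_nxdomain` entries, so unbound answers NXDOMAIN for every listed name instead of handing back 127.0.0.1. Assumptions: the generated file is pulled into unbound.conf with an `include:` line inside the `server:` section at the path shown, `unbound-control` has been enabled for reloads, and the blocklist fed to it here is a constructed sample rather than a real download.

```shell
#!/bin/sh
# Added example, not the unbound-adblock script from the thread: convert a
# hosts-format ad blocklist (lines like "0.0.0.0 ads.example.com") into
# unbound local-zone entries that answer NXDOMAIN.
# Assumed layout: unbound.conf carries, inside server:,
#   include: "/var/unbound/etc/adblock.conf"
# and unbound-control is enabled so the list can be reloaded in place.
set -eu

# Names every hosts file carries for the local machine; these must never
# become NXDOMAIN zones. "0.0.0.0" appears as a name in some lists too.
SKIP_NAMES='localhost|localhost[.]localdomain|local|broadcasthost|ip6-localhost|ip6-loopback|ip6-localnet|ip6-mcastprefix|ip6-allnodes|ip6-allrouters|ip6-allhosts|0[.]0[.]0[.]0'

# hosts_to_unbound: hosts-format lines on stdin, unbound config on stdout.
# Keeps only sink entries (0.0.0.0 / 127.0.0.1 / ::1), strips comments and
# CR line endings, lowercases, drops duplicates and anything that is not a
# plain hostname (so a hostile list cannot inject unbound directives).
hosts_to_unbound() {
    tr -d '\r' | awk -v skip="^(${SKIP_NAMES})$" '
        { sub(/#.*/, "") }                     # strip trailing comments
        NF < 2 { next }                        # need "address name ..."
        $1 != "0.0.0.0" && $1 != "127.0.0.1" && $1 != "::1" { next }
        {
            for (i = 2; i <= NF; i++) {        # a line may list several names
                name = tolower($i)
                if (name ~ skip) continue
                if (name !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) continue
                if (seen[name]++) continue
                printf "local-zone: \"%s.\" always_nxdomain\n", name
            }
        }'
}

# install_adblock SRC DEST: convert SRC into DEST atomically and, when the
# tools are present (i.e. on the router), check the config and reload unbound.
install_adblock() {
    src=$1; dest=$2
    tmp="${dest}.tmp.$$"
    hosts_to_unbound < "$src" > "$tmp"
    # An empty result means the download failed or the format changed; do not
    # silently replace a working list with nothing.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "install_adblock: no entries produced from $src" >&2
        return 1
    fi
    mv "$tmp" "$dest"
    if command -v unbound-checkconf >/dev/null 2>&1 && command -v unbound-control >/dev/null 2>&1; then
        unbound-checkconf >/dev/null && unbound-control reload
    fi
}

# Constructed sample list (not a real blocklist) so the script runs stand-alone.
SAMPLE='# Constructed sample in hosts format
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 Ads.Example.com   # trailing comment, mixed case
0.0.0.0 tracker.example.net metrics.example.net
0.0.0.0 ads.example.com
0.0.0.0 bad_name.example.com
1.2.3.4 cdn.example.org
'

printf '%s' "$SAMPLE" | hosts_to_unbound
```

On the router the real run is `ftp -o /tmp/hosts.txt <blocklist URL>` followed by `install_adblock /tmp/hosts.txt /var/unbound/etc/adblock.conf` from a root cron job; unbound must have `control-enable: yes` (and `unbound-control-setup` run once) for the reload step. Only the three sink names survive the sample above: the localhost entries, the `0.0.0.0 0.0.0.0` line, the duplicate, the name with an underscore and the entry pointing at a real address are all dropped.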

Re: OpenBSD pf - redirect all DNS queries to local DNS server

Bodie-3
In reply to this post by lu hu


On 17.12.2019 21:55, lu hu wrote:

> Our little home network:
>
> ISP -> ROUTER -> SWITCH -> WIFI APs -> CLIENTS
>
> ROUTER: OpenBSD 6.5, providing DHCP and forwarding internet to the WIFI APs. Based
> on https://www.openbsd.org/faq/pf/example1.html#pf and
> https://www.openbsd.org/faq/pf/example1.html#dhcp
>
> CLIENTS: laptops, smartphones.
>
> So everything is going through the ROUTER.
>
> We can see a https://www.openbsd.org/faq/pf/example1.html#dns DOC for
> how to setup a DNS server, ~ok.
>
> AD filtering. We would like to have one, but not a fancy one, just a
> working one.
>
> Based on "bad hosts", ex.: if a client queries iamAD.foo, then answer
> it back as 127.0.0.1, so the clients will try to connect to
> themselves, which will end up not showing the AD.
>
> The big question: Is there any DOC for OpenBSD about this? What pf
> rules are needed to redirect any DNS server (ex.: 8.8.8.8 or 1.1.1.1)
> requests to the DNS server running on the ROUTER, coming from the
> CLIENTS?

https://man.openbsd.org/unwind
https://man.openbsd.org/unbound

and maybe something similar to http://openports.se/net/adsuck ?


>
> So ex.: if a smartphone CLIENT wants to query iamAD.foo domain to get
> ADs, it will only get back 127.0.0.1


Re: OpenBSD pf - redirect all DNS queries to local DNS server

slackwaree
In reply to this post by lu hu
Use dnsmasq. Use OpenDNS for forwarding to take care of a lot of crapware.


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, December 17, 2019 9:55 PM, lu hu <[hidden email]> wrote:

> Our little home network:
>
> ISP -> ROUTER -> SWITCH -> WIFI APs -> CLIENTS
>
> ROUTER: OpenBSD 6.5, providing DHCP and forwarding internet to the WIFI APs. Based on https://www.openbsd.org/faq/pf/example1.html#pf and https://www.openbsd.org/faq/pf/example1.html#dhcp
>
> CLIENTS: laptops, smartphones.
>
> So everything is going through the ROUTER.
>
> We can see a https://www.openbsd.org/faq/pf/example1.html#dns DOC for how to setup a DNS server, ~ok.
>
> AD filtering. We would like to have one, but not a fancy one, just a working one.
>
> Based on "bad hosts", ex.: if a client queries iamAD.foo, then answer it back as 127.0.0.1, so the clients will try to connect to themselves, which will end up not showing the AD.
>
> The big question: Is there any DOC for OpenBSD about this? What pf rules are needed to redirect any DNS server (ex.: 8.8.8.8 or 1.1.1.1) requests to the DNS server running on the ROUTER, coming from the CLIENTS?
>
> So ex.: if a smartphone CLIENT wants to query iamAD.foo domain to get ADs, it will only get back 127.0.0.1



Re: OpenBSD pf - redirect all DNS queries to local DNS server

Anthony O' Brien
In reply to this post by lu hu
Long time reader, first time writing in...

> The big question: Is there any DOC for OpenBSD about this? What pf rules
> are needed to redirect any DNS server (ex.: 8.8.8.8 or 1.1.1.1) requests to
> the DNS server running on the ROUTER, coming from the CLIENTS?

You can use rdr-to[0] with pf to redirect all DNS queries to the DNS
resolver running on the router. A rule in pf.conf would look something like:

    pass in on $int_if proto { udp , tcp } from any to any port domain \
      rdr-to $dns_server port domain

Ted Unangst has a short write-up about turning your network inside out to do
just this[1].

[0]: https://man.openbsd.org/pf.conf.5#rdr-to
[1]:
https://flak.tedunangst.com/post/turn-your-network-inside-out-with-one-pfconf-trick
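Anthony's rdr-to rule, filled out as a complete pf.conf fragment. This is an added example, not Anthony's or Ted Unangst's configuration; the internal interface name em1, the LAN address 192.168.1.1 and the assumption that unbound is listening on that address (with an access-control entry for the LAN, as the FAQ's DNS section sets up) are mine. The second rule is an added caveat: redirecting port 53 says nothing about DNS over TLS or DNS over HTTPS, which a phone may use instead.

```pf
# Added example, not from the thread: /etc/pf.conf fragment that forces every
# DNS query arriving from the LAN to the resolver on the router itself.
# Assumptions: internal interface em1, router LAN address 192.168.1.1, and
# unbound bound to that address on port 53 with the LAN allowed in
# access-control.
int_if = "em1"
dns_server = "192.168.1.1"

# Any TCP or UDP port 53 packet from a LAN host, whatever resolver it was
# addressed to (8.8.8.8, 1.1.1.1, a hard-coded phone setting), is rewritten
# to the local resolver. pf records the translation in the state entry and
# rewrites the reply back, so the client still believes 8.8.8.8 answered.
# Queries the router itself sends out on egress are not touched.
pass in quick on $int_if inet proto { tcp udp } from $int_if:network \
    to any port domain rdr-to $dns_server port domain

# Optional: DNS over TLS (port 853) to an outside resolver would sidestep the
# redirect, so refuse it with an RST rather than dropping silently. Whether
# a client then falls back to plain port 53 depends on the client. DNS over
# HTTPS on 443 cannot be told apart from ordinary HTTPS here and is not
# covered by this fragment.
block return in quick on $int_if inet proto tcp from $int_if:network \
    to any port 853
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` then shows the translated states as clients resolve names. The convincing test is from a client: `dig @8.8.8.8 <name on your blocklist>` should come back NXDOMAIN with `SERVER: 8.8.8.8` still printed, because pf rewrote the reply's source; a public resolver would have returned an address for a real ad host, so that answer proves both the redirect and the block.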

Re: OpenBSD pf - redirect all DNS queries to local DNS server

Stuart Henderson
On 2019-12-19, Anthony O' Brien <[hidden email]> wrote:

> Long time reader, first time writing in...
>
>> The big question: Is there any DOC for OpenBSD about this? What pf rules
>> are needed to redirect any DNS server (ex.: 8.8.8.8 or 1.1.1.1) requests to
>> the DNS server running on the ROUTER, coming from the CLIENTS?
>
> You can use rdr-to[0] with pf to redirect all DNS queries to the DNS
> resolver running on the router. A rule in pf.conf would look something like:
>
>     pass in on $int_if proto { udp , tcp } from any to any port domain \
>       rdr-to $dns_server port domain
>
> Ted Unangst has a short write-up about turning your network inside out to do
> just this[1].
>
> [0]: https://man.openbsd.org/pf.conf.5#rdr-to
> [1]:
> https://flak.tedunangst.com/post/turn-your-network-inside-out-with-one-pfconf-trick
>

Just remember what you've done - if you ever try to troubleshoot a
broken nameserver or something while using this connection the hijacking
might cause some confusion!



Re: OpenBSD pf - redirect all DNS queries to local DNS server

lu hu
In reply to this post by Anthony O' Brien
rdr-to works perfectly! My hair is dropping off from the speed, without
ADs :) Many thanks. Wishing a great year-end for everybody!!

Sent: Thursday, December 19, 2019 at 8:50 PM
From: "Anthony O' Brien" <[hidden email]>
To: "lu hu" <[hidden email]>
Cc: [hidden email]
Subject: Re: OpenBSD pf - redirect all DNS queries to local DNS server

> Long time reader, first time writing in...
>
>> The big question: Is there any DOC for OpenBSD about this? What pf rules
>> are needed to redirect any DNS server (ex.: 8.8.8.8 or 1.1.1.1) requests to
>> the DNS server running on the ROUTER, coming from the CLIENTS?
>
> You can use rdr-to[0] with pf to redirect all DNS queries to the DNS
> resolver running on the router. A rule in pf.conf would look something
> like:
>
>     pass in on $int_if proto { udp , tcp } from any to any port domain \
>       rdr-to $dns_server port domain
>
> Ted Unangst has a short write-up about turning your network inside out to
> do just this[1].
>
> [0]: https://man.openbsd.org/pf.conf.5#rdr-to
> [1]:
> https://flak.tedunangst.com/post/turn-your-network-inside-out-with-one-pfconf-trick