Having an in-home unbound server for DNS queries, I'd like to block queries to other DNS nameservers.
Take the example of the 8.8.8.8 server.
re0 is the network interface that connects to the router, also a FreeBSD box running a DNS server.
re0 is part of bridge10 so that vnet jails have access to the Internet.
The output:
Code:
# ifconfig -a
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether d4:5d:5d:5d:5d:5d
        inet 192.168.1.30 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
bridge10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail_vnet_jail_only_bridge
        ether 58:9c:9c:9c:9c:9c
        inet 192.168.3.2 netmask 0xffffff00 broadcast 192.168.3.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 2000
        groups: bridge
        nd6 options=9<PERFORMNUD,IFDISABLED>
epair3a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: qjail_vnet_jail_xbrowser
        options=8<VLAN_MTU>
        ether 02:25:25:25:25:25
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
The rules in the /etc/pf.conf file list as:
Code:
# pfctl -s rules
scrub in all fragment reassemble
scrub out on re0 all random-id fragment reassemble
block drop in quick on ! re0 inet from 192.168.1.0/24 to any
block drop in quick inet from 192.168.1.30 to any
block drop in on re0 all
block return in log all
block drop out quick on re0 inet proto udp from any to 8.8.8.8 port = domain
block drop out quick on re0 inet proto tcp from any to 8.8.8.8 port = domain
pass out all flags S/SA keep state
pass out on re0 proto tcp from any to any port = ssh flags S/SA keep state queue(high, ssh)
block drop in log quick on re0 inet from <__automatic_6e8edf3f_0> to any
block drop out log quick on re0 inet from any to <__automatic_6e8edf3f_1>
pass inet proto icmp all icmp-type echoreq keep state
pass inet proto icmp all icmp-type unreach keep state
I was expecting not to be able to use the 8.8.8.8 nameserver, but it's still possible.
Code:
# drill +short google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 344
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN A
;; ANSWER SECTION:
google.com. 39 IN A 216.58.215.142
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 17 msec
;; SERVER: 8.8.8.8
What is wrong with my setup, and how can I block queries to a nameserver?
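To check what the quoted ruleset decides for a DNS packet, here is a small model of pf's evaluation order: the state table is consulted first, then the rules, where the last matching rule wins unless a matching rule says `quick`. This is an added example, not the poster's code or pf itself; the packets and state entries are constructed, and only the outbound rules from the post are modelled.

```python
"""Model of pf rule evaluation applied to the DNS rules quoted in the post.
Added example, not from the original post; packets and states are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str            # "block" or "pass"
    direction: str         # "in" or "out"
    iface: Optional[str]   # interface name; None = any interface
    proto: Optional[str]   # "udp" / "tcp"; None = any protocol
    dst: Optional[str]     # destination address; None = any
    dport: Optional[int]   # destination port; None = any
    quick: bool = False    # stop evaluating further rules on a match

def matches(rule, pkt):
    return (rule.direction == pkt["dir"]
            and rule.iface in (None, pkt["iface"])
            and rule.proto in (None, pkt["proto"])
            and rule.dst in (None, pkt["dst"])
            and rule.dport in (None, pkt["dport"]))

def evaluate(rules, pkt, states=frozenset()):
    """Decision pf makes for pkt: an existing state is honoured before
    any rule is looked at, so a ruleset reload alone does not cut a flow
    that already has a state entry."""
    if (pkt["proto"], pkt["dst"], pkt["dport"]) in states:
        return "pass (state)"
    decision = "pass"      # pf's implicit default when no rule matches
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision

# The outbound rules from the page's "pfctl -s rules" output, in order.
POSTED = [
    Rule("block", "out", "re0", "udp", "8.8.8.8", 53, quick=True),
    Rule("block", "out", "re0", "tcp", "8.8.8.8", 53, quick=True),
    Rule("pass", "out", None, None, None, None),
]

def dns_query(dst, iface="re0", proto="udp"):
    """Constructed outbound DNS query from the host itself."""
    return {"dir": "out", "iface": iface, "proto": proto, "dst": dst, "dport": 53}
```

As written, the rules do block a fresh query to 8.8.8.8 leaving on re0, so if drill still succeeds, look at `pfctl -vsr` rule counters and `pfctl -ss` for a pre-existing state, and note that a query to any resolver other than 8.8.8.8 only ever hits `pass out all`.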