DNS Security and Adblock with OPNSense, Part 2

ADBLOCKING

Now that we’ve secured our DNS, we can move on to improving the quality of our experience on the internet by configuring DNS ad blocking. With the 20.7 version of OPNSense it’s quite easy. Simply go to Services -> Unbound DNS -> Blacklist. Click Enable and select one or more items from the DNSBL drop down. Or if you prefer, paste the URLs of your preferred list in the URLs field. I prefer the Stephen Black list as it is composed of multiple lists and is also the default list for the Pi Hole. Click Save and you’re done.

ADBLOCK LIST UPDATE

Now that we’ve configured the block list, we want to make sure that it updates when new domains are found. This doesn’t happen automatically when you configure it but is easy to add. Go to System -> Settings -> Cron. Once there you’ll click on the + button and create a new job. The default options are fine and will update the block list daily at midnight. Select “Download Unbound DNSBLs and restart” from the Command list and provide a descriptive comment in the Description field. There may be two items with the same name in the Command field. Either one should work but you should check back after each update to ensure it’s correctly configured once the bug is fixed. If you wish to investigate further, you will want to look at /var/cron/tabs/nobody and you should see /usr/local/sbin/configctl unbound dnsbl

DNS LOCKDOWN

Now that we’ve configured our DNS to block malware and ads, we’re all set, right? Because anyone on the network can configure their device to use a different DNS and they will completely bypass all of the work that we’ve done. Roku, for example, comes configured to use Google DNS in addition to that provided by DHCP. Firefox defaults to a DoH setup.

Now we have two choices. We can either redirect all DNS queries to our server or we can simply block all queries except for our server. Since the server hands out a DNS configuration with every DHCP lease, I choose to block the queries. It also makes for easier troubleshooting as you don’t query one server but resolve a different one.

In order to block the servers you’ll need to go to Firewall -> Rules -> Floating. This ensures that you’ll block DNS on all interfaces. Click on the Add button and we’ll configure the rule as follows. Select Block as the Action. Select all appropriate interfaces. Select IPv4+IPv6 for your TCP/IP Version.darkness Select TCP/UDP as the Protocol. Select Invert and This Firewall for your Destination. The Destination port is DNS. Provide an appropriate description and click Save. Once that’s done, click on the Clone button for the rule you just made. Change the Port to 853 and give it an appropriate description. Then click on Apply Changes.

You can easily test the standard DNS block by using nslookup like we tested the original Quad9 setup. However, in order to test the DoT block you will need to install kdig or a similar tool. It is part of the knot-dnsutils package so you will need to install that. Then you can make a DoT call to determine if you are able to connect.

DNS OVER HTTPS LOCKDOWN

Do to the way DoH works it’s not as simple to block. Since it runs over HTTPS you can’t just block 443 as that will block all of the internet. As far as I can tell there isn’t a list of DoH servers available so you will have to handle them manually and determine yourself if it’s worth the effort.

Most DoH connections use standard DNS to bootstrap the connection in order to know which DoH server to use. For example, they will query dns.google.com. Obviously, you can add dns.google.com and other DoH domains to your DNS domain block list and that will cover most cases. However, some DoH servers will accept connections via IP. Which means that in order to stop those you will need to completely block all traffic to the IP.

I’m still contemplating how I want to handle DoH, so please pass along any ideas or suggestions you may have.