"leaky" DNS troubles (non-port 53)

Hey everyone! I’m having some trouble with (apparently) my setup of Adam:one. I don’t think it matters, but it’s running on a Netgate 2100. I do not have DTTS as I’m not at that service level.

My problem could be due to either misconfiguration or misunderstanding, so please pardon me either way.

My trouble is this: everything seems to work perfectly when endpoints query the router directly, or try any DNS server on port 53. So I think I have NAT properly configured. But I have had to manually block, service by service, things like NextDNS, Cloudflare, etc. that offer DoT (by port) and/or DoH (using an alias for the domain names). All type 65 queries forward to the default resolver (according to the logs; haven’t checked).

Is this expected behavior, or am I missing something? I haven’t used the product in a while, since I didn’t have a network like this to support, but I swear this isn’t how it worked before.

Anyway, many thanks!

-Doug

(Technical Features of adam:ONE (v4) anmuscle)
(About DNS Resource Record type 65 (SVCB HTTPS))

Hi @Douglas_C welcome to the forum.
Try running the command adamone-setup configure from the console (SSH), and if you select the option for it to generate firewall rules for you, it will create rules to block DNS traffic from bypassing the router.

These rules are not generated automatically on install and require running that command, as sometimes network admins prefer to manage all the rules manually.

Already did this at installation time (followed Install adam:ONE® (v4+) on pfSense®).

Below are the relevant pass and block rules, modified from the instructions to get things working. I have allow LAN to any enabled because, without it, everything gets blocked by the default block IPv4 rule (this is against what the instructions above say to do). I added the two block rules for 853.

Your thoughts?

This one is probably the culprit:

Try disabling it.

Unfortunately, as I mentioned in my last post, disabling this rule results in anything not explicitly allowed with a Pass rule (basically everything on the Internet) being blocked by the default IPv4 Deny rule:

@8 block drop in log inet all label “Default deny rule IPv4” ridentifier 1000000103

Your clients/devices should be using your pfSense gateway where adam:one is installed as their gateway and DNS; otherwise they can connect to the internet however they want.

Naturally. I have things configured this way. I do have a forwarding list configured for Active Directory, but the DNS is configured to forward to the gateway (with Adam:one), as can be seen in the image set below.
I followed the instructions at (Active Directory Configuration).
It seems my problem has been experienced by others (After Adam:One setup, all outbound access is blocked), but the solutions there (restart; disable Resolver, which I had already done) didn’t work.

Suggestions? Is there a log that I should look at? I do not mind getting my hands dirty!

You should make adam:one as the first DNS for the clients.

The forwarding rule from the adam:one dashboard to your AD should handle the resolution for all AD-related domains. The rest of the traffic should be handled by adam:one, except for traffic you don’t want adam:one to handle via enablers or firewall rules (in pfSense).

The Adam:One tech guys are second to none, they may be of great help too when they reply. :slight_smile:

I do appreciate your help, edanpedragosa.

As I’ve tried to express, that is the setup I have (DNS set as gateway/adam:one). No matter which DNS provider I specify (including adam:one directly), it’s easily bypassed by any method, including the DNS over HTTPS built into most modern browsers.

Here is sockstat for anmuscle

Here is a shot of the logs, showing just some examples of type 65 queries passing; but as I say, DoH and DoT are also offenders.

and finally, a shot of my DHCP server config

For more information on the HTTPS queries take a look at About DNS Resource Record type 65 (SVCB HTTPS)

To protect against DoT and DoH bypass we currently rely on DTTS, which blocks all unknown IP connections.
You could create a rule to block destination UDP 853 from LAN to prevent DoT bypass. But for DoH you’d have to blacklist the popular services.
We have a shared blacklist for popular DoH providers here (My Dashboard) that you could subscribe to and enable on your policy.
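The rule layout the reply above describes, written out in pf syntax as an added example (this is not ADAMnetworks code and not the output of adamone-setup configure). Interface name, router address and the resolver list are assumptions for illustration; in practice the DoH blacklist comes from the dashboard subscription. Placing the blocks above the broad pass matters: pfSense's GUI evaluates LAN rules top-down, first match wins, so a block below "allow LAN to any" never fires.

```pf
# Hypothetical LAN interface and router (adam:ONE) address; substitute your own.
lan_if = "mvneta0.4090"
router = "192.168.1.1"

# Hypothetical DoH destination list. These are well-known public resolver
# addresses used only to illustrate the blacklist approach; a subscribed list
# (or a pfSense alias) would replace it.
table <doh_resolvers> { 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4, 9.9.9.9 }

# 1. Plain DNS (port 53): redirect anything not already aimed at the router
#    back to the router, so a hard-coded resolver on a client still ends up
#    at adam:ONE. "rdr pass" skips the filter rules for the redirected flow.
rdr pass on $lan_if proto { tcp, udp } from $lan_if:network to ! $router port 53 -> $router port 53

# 2. DoT: drop 853 outright. DoT itself is TCP 853; UDP 853 is DNS over QUIC,
#    so blocking both closes the same hole twice.
block drop in quick log on $lan_if proto { tcp, udp } from any to any port 853

# 3. DoH: drop TCP 443 to the listed resolvers. DoH is TLS to a web server, so
#    without a destination list it is indistinguishable from browsing; that is
#    why the reply above relies on a blacklist rather than a port.
block drop in quick log on $lan_if proto tcp from any to <doh_resolvers> port 443

# 4. Only now the broad allow. The weak layout is this rule alone, or this rule
#    above the blocks: either way every client can reach any resolver. Because
#    the blocks carry "quick", they win even though this rule also matches.
pass in on $lan_if from $lan_if:network to any
```

Verify from the console with pfctl -sn (NAT/rdr rules) and pfctl -sr (filter rules), and confirm bypass fails with a client-side query to an outside resolver on 853 and on 443 to one of the listed addresses; a query on 53 to the same address should still succeed because it is transparently answered by the router.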

Exactly what I needed. Thanks!

Just now trying to implement this list. Getting an error: “An error occurred while subscribing to the list. You may already be subscribed.”
I double-checked my subscriptions, and I am not subscribed.

Your thoughts, atw?

Hi there, D.
We have a solution for DoH that currently is offered through our MSS (Managed Services), but we are in the process of changing that to make it accessible to all adam:ONE® users. Watch this space.

Hi again, D
We now have a publicly available rule you can subscribe to. You will find it here: Block access to DoH Rule Subscription

Happy protecting. :slight_smile:


Thank you! This is the solution I was looking for. I couldn’t justify $500/month for my small (yet enterprise-style) network. Also, the promised rollout of the new subscription structure has been, well, slow as molasses. :grin: Looking forward to seeing what it will hold, though.