Using fqdn domain lists for blocking with OPNsense

Reto Haeberli
·Jun 28, 2022·



Recently I observed that many of my IoT devices and mobile applications try to use third-party DNS servers and bypass my local DNS. I counteracted this with a NAT rule that redirects port 53 to my local DNS server.

But what about DNS over HTTPS (DoH)? Using an IP blocklist is not ideal, since the underlying IPs may change. Using a fully qualified domain name (FQDN) list would be much more flexible.

While it is not officially documented, it is in fact possible to use FQDN lists such as this one with OPNsense by simply using the URL Table (IPs) type for an alias in OPNsense.


We can verify that it works under Firewall -> Diagnostics -> Aliases, where we see that the FQDNs have been resolved into IPs.

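To see what such an alias actually ends up containing, here is an added example (my own code, not part of OPNsense or the original post) that expands a list in the same one-entry-per-line format into the IP set a URL Table (IPs) alias would hold, resolving FQDNs through the host resolver by default. The list and the hostnames in it are constructed samples, and the resolver is injectable so the expansion can be checked without network access.

```python
import ipaddress
import socket
from typing import Callable, List, Set, Tuple

# Constructed sample in the one-entry-per-line format such lists use:
# comments and a mix of FQDNs, single IPs and CIDR ranges.
SAMPLE_LIST = """\
# DoH resolver hostnames (constructed sample, not a real list)
dns.example.test
doh.example.test   # entry that fails to resolve in the test
10.0.0.53
192.0.2.0/24
not a hostname!
"""


def system_resolve(name: str) -> List[str]:
    """Resolve name to all A/AAAA addresses via the host's resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def parse_entries(text: str) -> List[str]:
    """Drop comments and blank lines; return the remaining entries."""
    entries = [line.split("#", 1)[0].strip() for line in text.splitlines()]
    return [e for e in entries if e]


def is_fqdn(entry: str) -> bool:
    """Loose hostname check: dotted labels of letters, digits and hyphens."""
    labels = entry.rstrip(".").split(".")
    return len(labels) > 1 and all(
        0 < len(l) <= 63 and l.replace("-", "").isalnum() for l in labels)


def expand_list(text: str, resolve: Callable[[str], List[str]] = system_resolve
                ) -> Tuple[Set[str], List[str]]:
    """Return (networks the alias would hold, entries it would skip).
    The set is a snapshot: a provider can move to new IPs at any time."""
    table: Set[str] = set()
    skipped: List[str] = []
    for entry in parse_entries(text):
        try:  # plain IP or CIDR entries go straight into the table
            table.add(str(ipaddress.ip_network(entry, strict=False)))
            continue
        except ValueError:
            pass
        if not is_fqdn(entry):
            skipped.append(entry)
            continue
        try:
            addrs = resolve(entry)
        except OSError:  # NXDOMAIN, timeout, etc.
            addrs = []
        if not addrs:
            skipped.append(entry)
        table.update(str(ipaddress.ip_network(a)) for a in addrs)
    return table, skipped
```

Entries that fail to resolve or are not valid hostnames are reported separately, which is worth checking after each refresh, since a silently dropped entry means a hole in the block rule.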

What a nice undocumented feature, which can of course be used for many other use cases as well. 😎

While it is less bulletproof than Suricata or other L7 features, it does not come with the performance penalties of such tools and is more reliable than pure DNS-based blocking.
