OpenBSD PF and OpenDNS

At home, I needed a way to prevent anything but OpenDNS from being used for DNS, and needed a rule that would do it in OpenBSD PF.

Install and Configure

First off, to setup an OpenDNS client on OpenBSD, install the ddclient package via pkg_add ddclient

You should get an output like so:

bzrtr# pkg_add ddclient

quirks-3.183 signed on 2020-01-31T18:21:51Z
quirks-3.124->3.183: ok
ddclient-3.8.3p1:p5-Net-SSLeay-1.88: ok
ddclient-3.8.3p1:p5-IO-Socket-SSL-2.066: ok
ddclient-3.8.3p1:p5-Digest-SHA1-2.13p4: ok
ddclient-3.8.3p1: ok
Read shared items: ok
The following new rcscripts were installed: /etc/rc.d/ddclient
See rcctl(8) for details.

Append the recommended settings from the vendor:

##
## OpenDNS.com account-configuration
##
protocol=dyndns2
use=web, web=myip.dnsomatic.com
ssl=yes
server=updates.opendns.com
login=opendns_username
password=‘opendns_password’
opendns_network_label

Test

Test the new configuration by running:

ddclient -daemon=0 -debug -verbose -noquiet

Fix it if there are errors.

Add to startup

/var/log/messages was showing an error:

Jan 31 16:23:59 bzrtr ddclient[72430]: WARNING:  file /var/db/ddclient/ddclient.cache: Cannot open file '/var/db/ddclient/ddclient.cache'. (Permission denied)
Jan 31 16:23:59 bzrtr ddclient[72430]: FATAL:    Cannot create file '/var/db/ddclient/ddclient.cache'. (Permission denied)

To fix it, I had to chown -R _ddclient:wheel /var/db/ddclient/

Then rcctl restart ddclient

Configure OpenBSD PF

If you haven’t used OpenBSD pf, it is the default firewall on OpenBSD, and is amazing!

The ruleset boils down to the few lines:

table <opendns> { 208.67.222.222 208.67.220.220 }
block drop quick on egress proto { tcp udp } from any to !<opendns> port = 53

Of course this doesn’t help with DNS over HTTP—D’oh!