FW log flooded with DNS requests
-
Hi,
I have a strange issue with my pfSense. The FW log is flooded periodically with DNS requests, but I cannot find the source.
They are not initiated by my local network, as far as I see, and a packet capture does not show it either.
Anyone know where this is coming from? My DNS is set up to use 3 static DNS servers only.
Sep 5 09:45:07 WAN <wan-ip>:46694 122.225.217.193:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:30081 220.249.242.11:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:29453 182.140.167.167:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:16871 183.60.57.177:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:19369 182.140.167.167:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:9243 125.39.213.168:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:5563 122.225.217.193:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:31755 220.249.242.11:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:39992 125.39.213.168:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:39103 122.225.217.193:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:59141 122.225.217.193:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:38383 125.39.213.168:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:31187 115.236.151.178:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:60919 111.30.132.180:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:62901 182.140.167.167:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:45789 115.236.151.178:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:33931 180.153.162.151:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:11065 180.153.162.151:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:32045 180.153.162.151:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:31755 180.153.10.167:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:47522 180.153.10.167:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:45675 14.215.150.11:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:25721 182.140.167.167:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:18749 182.140.167.167:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:23751 180.153.10.167:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:62950 111.30.132.180:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:18229 220.249.242.11:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:64475 111.30.132.180:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:4299 180.153.10.167:53 UDP
Sep 5 09:45:07 WAN <wan-ip>:23057 115.236.151.178:53 UDP
-
So that sure looks like traffic you're sending vs getting.. Src IP:port would be the first entry.. You're logging your outbound pass traffic? Post up the actual log entry screenshot. And set your firewall rule to list the rule.
Also if the traffic is being logged then you could capture it via sniff. So if you're saying you're not seeing it in sniff then you're doing your packet capture on the wrong interface, wrong port, etc.. ie your filters are wrong..
As to what you set for DNS?? So you're using forwarder and not resolver? Resolver would talk to roots, and talk to all kinds of DNS servers.. You don't have your DNS open on your WAN do you.. If so you could be being used in a DNS amplification attack.. Post your WAN firewall rules.
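The reply above points out that the first address:port in each entry is the source, so if that field is always the firewall's own WAN address the queries are generated by pfSense itself (for example by the resolver) rather than by a LAN host. The following script is an added example, not from the original thread, that parses log lines in the layout pasted in the question and splits port-53 flows by source; the WAN address and the sample lines are constructed, and the private-source line is included only to show the other branch.

```python
import re
from collections import Counter

# Constructed sample in the 'Mon D HH:MM:SS IFACE src:port dst:port PROTO' layout
# from the question. 203.0.113.10 stands in for the poster's "<wan-ip>" placeholder;
# the 192.168.1.25 line is constructed to show a non-firewall source.
SAMPLE_LOG = """\
Sep 5 09:45:07 WAN 203.0.113.10:46694 122.225.217.193:53 UDP
Sep 5 09:45:07 WAN 203.0.113.10:30081 220.249.242.11:53 UDP
Sep 5 09:45:07 WAN 203.0.113.10:29453 182.140.167.167:53 UDP
Sep 5 09:45:07 WAN 203.0.113.10:19369 182.140.167.167:53 UDP
Sep 5 09:45:08 WAN 192.168.1.25:51000 8.8.8.8:53 UDP
"""

LINE_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<iface>\S+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>[A-Z]+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            entries.append(d)
    return entries


def summarize_dns(entries, wan_ip):
    """Split port-53 flows into those sourced by the firewall's WAN address and
    those from any other host, and count which nameservers the firewall contacted."""
    dns = [e for e in entries if e["dport"] == 53]
    from_fw = [e for e in dns if e["src"] == wan_ip]
    others = [e for e in dns if e["src"] != wan_ip]
    return {
        "dns_flows": len(dns),
        "from_firewall": len(from_fw),
        "from_other_hosts": sorted({e["src"] for e in others}),
        "nameservers": Counter(e["dst"] for e in from_fw).most_common(),
    }


if __name__ == "__main__":
    print(summarize_dns(parse_log(SAMPLE_LOG), "203.0.113.10"))
```

When every source is the WAN address, the next step is checking which service on the firewall is talking to those nameservers, as the thread goes on to do.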
-
I am actually using resolver. So this is normal, even if I have added DNS servers in the general tab?
I don't log the allowed traffic. The DNS requests were blocked by a floating rule created by pfblockerNG based on GeoIP.
I created floating rules to log all DNS traffic from my internal networks to the firewall and placed it before the one from pfBlocker, but I did not get any requests from LAN at those times.
The sniff I took was from the WAN interface and limited to port 53. I did not see the blocked traffic there, but DNS requests to other servers (not configured in the system). DNS is only enabled on my LAN interfaces + localhost.
-
Why would you have DNS servers in your general tab if using the resolver? Do you understand what the resolver does? The resolver walks down from roots to the authoritative server for the domain you're looking for. There is zero point of having other DNS servers listed if you're going to use the resolver. They will never be used, ever!!
Well yeah if you block going to China, and something wants to look up a domain where the DNS is in China you're going to have a hard time looking it up.
If you ask me blocking outbound traffic to some country is a bad idea in general. The internet has made the world a small place, you have no idea where something you want to access is hosted. Blocking traffic to whole countries for what reason?? You don't think you will access anything hosted in china for example? Going to cause you grief at some point.
Now if you want to block inbound to your open ports from the top bad countries and you don't really host stuff to the "public" just for your own use, etc. then sure that makes sense. Are you using the block lists for known malware or CC sites, ok - what went there? What was the source IP? pfSense? What would you be running on your firewall that would be bad code? Need to look up what those IPs you were going to were? If DNS queries towards them then they should be nameservers..
-
Thanks, that makes things clearer now. I used the DNS forwarder before and switched to the resolver.
So I can remove that part of the configuration.
For the GeoIP blocking: I do host some services that should not be reachable from everywhere, but I have switched to using GeoIP for the allowed traffic and did not remove the general inbound rule, because it did not cause me any trouble at that time. I guess I will do some rework of the rules now. Many thanks for your help!
-
Yes this is valid if you're hosting services that should only be available to people in say the US. Prob simpler to use an inbound firewall rule that only allows the traffic coming from US netblocks in your rules via an alias; pfBlocker is good at this if you just use it as aliases and not letting it mess with your rules. Until its recent issues I was using it to limit access to my NTP server behind pfSense that is a member of the pool. But I don't really want or need queries from say China for my NTP that is only meant for North America, etc. So I had an alias from pfBlocker to only allow NA IP blocks. And that was working great, but then pfBlocker blew up with memory errors and such. I think bcan has fixed it now, I hope, but have not had a chance to put it back in to test.
If you want to block clients behind pfSense from going somewhere, sure that is fine too. Those rules on your LAN should not stop pfSense from doing DNS resolving, etc. So pfSense would be able to look up www.somedomaininchina.com. But then the client wouldn't actually be able to go there, and you could log such firewall hits and see exactly which box behind pfSense was trying to go there and on what port, etc.
If you want to post up your rules and what you're wanting to accomplish we can for sure discuss the best method of putting that into rules.