Logs full of: PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
-
Hi, I'm a regular IT type who is interested in securing my home network. I've used pfsense for a while (used to be SmoothWall Express v3) but once set up I've largely just let it be and kept it up to date etc.
I've since installed a new hard drive and restored from an old backup and I've noticed loads of these messages filling up logs (Status>System Logs>System>General)
Messages:
[3:19187:7] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} x.x.x.x:53 -> x.x.x.x:53705
Are these logs an indication that I've been a victim to some sort of attack or poisoning?
I'm not sure what information to provide so I'll try and be as comprehensive as possible in the hopes that someone can offer some help or advice.
-
I've tried my ISP's DNS, OpenDNS and Comodo DNS, and get the same logs with each.
-
System>General Setup = DNS Server Override is ticked
-
System>General Setup = Disable DNS Forwarder is unticked
-
I'm using pfblocker and I understand that this needs DNS Resolver to work, hence DNS Resolver is ticked, and DNS Forwarder is unticked
-
Services>DNS Resolver>General Settings>Network Interfaces = All
-
Services>DNS Resolver>General Settings>Outgoing Network Interfaces = All
-
Services>DNS Resolver>General Settings>System Domain Local Zone Type = Transparent
-
Services>DNS Resolver>General Settings>DNSSEC = ticked
-
Services>DNS Resolver>General Settings>DNS Query Forwarding = unticked
-
Services>DNS Resolver>General Settings>DHCP Registration = ticked
-
Services>DNS Resolver>General Settings>Static DHCP = unticked
-
Services>DNS Resolver>General Settings>No custom options
-
Services>DNS Resolver>Advanced Settings>Hide identity and Hide version are both ticked, prefetch support and DNS Key are both unticked
-
Services>DNS Resolver>Advanced Settings>Harden DNSSEC is ticked
Firewall rules for LAN are:
protocol / source / port / destination / port / gateway / queue / description
ENABLED: IPv4 TCP/UDP - LAN net * LAN address 53 * none (Allows DNS from LAN clients to pfsense DNS)
DISABLED: IPv4 TCP/UDP - * * * 53 * none (Blocks all other DNS)
Firewall rules for OPT are:
ENABLED: IPv4 TCP/UDP - * * 208.67.222.222 53 * none (Allow OPT interface OpenDNS 1)
ENABLED: IPv4 TCP/UDP - * * 208.67.220.220 53 * none (Allow OPT interface OpenDNS 2)
DISABLED: IPv4 TCP/UDP - * * * 53 * none (Block all other DNS)
On a side note, am I also right in thinking that the host overrides in Services>DNS Resolver>General Settings are the internal host names for devices on my internal network? I've got an entry in there and it just doesn't resolve, yet another one does! I'm confused…
Please be gentle... If you need any further information, please ask.
-
-
So you're running SNORT I take it.. But zero mention of that in your OP.. Those log entries are just your typical IPS noise, which there will be a shitton of if you don't trim down your rule sets ;)
So you want your clients to use opendns? You allow outbound to them on your OPT interface?
So you tell pfsense not to use itself for dns, how would it resolve anything local?
What exactly do you want to do with dns? If you're running pfblocker and you want to use some of its proxy features then sure you need to use unbound.. If all you want to use it for is aliases then no you don't have to use unbound.
Do you know the difference between a resolver and forwarder??
-
Yes, I'm running snort - sorry johnpoz!
I agree there's a lot of noise and loads of stuff I don't fully understand on the snort side… Why do I have it I suppose is a valid question?! My answer would be I suppose I can decipher some of it I guess...I'd prefer one interface to use the OpenDNS Family Shields IPs. All other interfaces can just use the regular OpenDNS IPs. However when I used the family shield IPs last night, I couldn't browse out at all to the internet from a client on the OPT interface. Changing them back to the regular OpenDNS IPs worked - either way I still got those messages in snort. Anyway, the OPT interface is to be used by an 11 year old who has previously had no internet access.
I do want to be able to resolve local devices via DNS but I'm confused. Am I right in thinking that my local device names will be passed up to the DNS servers up stream so to speak i.e. the OpenDNS servers. Obviously I don't want that as I don't run any servers that need internet access. At the moment I can browse to my pfsense box via DNS name and I can ping DNS names but not others...
Additionally am I right in thinking that in order to block comms between LAN/OPT/DMZ interfaces, I need to specifically add in a block rule to block lan net to dmz net etc?
I don't know the difference between a resolver and forwarder but I'm looking it up right now. I only used the resolver since pfblocker said I had to... I only use pfblocker to block ad servers and other such crap.
-
Are you running TMG Firewall somewhere? If not, disable or modify the rule(s) to not alert you of useless crap.
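Before disabling the rule outright, it helps to see which signatures are firing and from where. The following is an added example (not from the thread or from pfSense/Snort) that parses Snort fast-alert lines in the format quoted in the OP, counts them per signature, and proposes Snort threshold.conf-style suppress entries only for signatures that fired exclusively on port-53 replies from the configured upstream resolvers; the IP addresses and the second signature in the sample log are constructed.

```python
import re
from collections import Counter, defaultdict

# Snort fast-alert line format, as in the log line quoted in the thread.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log: 192.168.1.1 stands in for the pfSense box; the last line is a
# made-up signature with a placeholder SID, included to show it is left untouched.
SAMPLE_LOG = """\
[3:19187:7] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 208.67.222.222:53 -> 192.168.1.1:53705
[3:19187:7] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 208.67.220.220:53 -> 192.168.1.1:41022
[3:19187:7] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 208.67.222.222:53 -> 192.168.1.1:60211
[1:9999999:1] PLACEHOLDER sample alert [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.20:49822
"""

# The OpenDNS resolvers allowed by the OPT rules in the thread.
UPSTREAM_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

def parse_alerts(text):
    """Return one dict per alert line; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]

def count_by_signature(alerts):
    """Count alerts per (gid, sid, msg) so the noisiest signatures surface first."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts)

def suppress_candidates(alerts, trusted_sources):
    """Signatures that fired only on port-53 replies from the trusted resolvers get one
    threshold.conf-style suppress line per (signature, source IP), so the rule keeps
    alerting for any other source instead of being disabled globally."""
    sources = defaultdict(set)
    for a in alerts:
        sources[(a["gid"], a["sid"])].add(a["src"])
    lines = []
    for (gid, sid), srcs in sorted(sources.items()):
        from_dns = all(a["sport"] == "53" for a in alerts if a["sid"] == sid)
        if srcs <= trusted_sources and from_dns:
            for ip in sorted(srcs):
                lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}")
    return lines

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for sig, n in count_by_signature(alerts).most_common():
        print(n, sig)
    print("\n".join(suppress_candidates(alerts, UPSTREAM_RESOLVERS)))
```

The suppress lines use the `suppress gen_id ..., sig_id ..., track by_src, ip ...` syntax that the pfSense Snort package's suppress list accepts; review each candidate before adding it rather than applying the output blindly.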
-
"Additionally am I right in thinking that in order to block comms between LAN/OPT/DMZ interfaces, I need to specifically add in a block rule to block lan net to dmz net etc?"
Well would depend.. Out of the box when you create an OPT interface pfsense puts NO rules on it, so everything would be blocked hitting that interface.. As to specific block rules and such.. Depends on what if any traffic you want to allow between your different segments and what direction this traffic will be initiated from
Rules are evaluated top down on the interface they enter pfsense on. First rule to trigger wins, no other rules are looked at. There is an explicit deny at the end: if no rules trigger on an interface then that traffic would not be allowed. This is on every and all interfaces.
" Am I right in thinking that my local device names will be passed up to the DNS servers up stream so to speak i.e. the OpenDNS servers. "
No, you're not right in thinking that… Always just blows my mind how the internet is useless without dns, and everyone uses it every single day on every single connected device they own. Yet it seems nobody understands even the basic concepts of how it works ;) Just freaking blows my mind!!!
If you want your clients to resolve your local devices by name and not broadcast for them.. Then you need to use a nameserver (dns) that can resolve them for you - ie pfsense. Having a client ask opendns or googledns is not going to be able to resolve your local devices by name other than via broadcast. So if those other devices are on other network segments that is not going to work!!
Setting your clients to have 2 dns, ie pfsense and something public, is not going to work because you can never be sure which dns your client is going to ask. And it sure doesn't ask them in order or both at the same time, etc. There are differences depending on what OS your client is using.. But in the big picture your clients should only ever use nameservers that can resolve the same stuff. If what you're wanting is to resolve public stuff - then sure you could use opendns, googledns, 4.2.2.2 since any public dns can and should be able to resolve all public domains.. But they are not going to be able to resolve your local stuff.
So if you want to resolve local stuff - then your clients have to ask your local dns.. You could get fancy and setup more than 1 that have the same local data. But in your typical soho type setup there will be 1.. Pfsense if you're wanting to run pfsense..
So your clients ONLY ask pfsense!!! This is how pfblocker ad blocking works: you have to be asking pfsense using unbound.. Now you can setup unbound to resolve, or forward. If you want to forward to opendns you can do that. But your clients need to only be asking your local dns first if they want to resolve local. Then you setup your local dns to either forward or resolve..
If you have no rules on OPT, but any any on lan for example.. And LAN creates the connection to something in OPT, the state that pfsense creates would allow the return traffic.
While I commend wanting to learn about IPS/IDS - unless you know what you're doing it's going to be very painful!!! I would suggest you turn it on in MONITOR mode only!!! This can report on stuff that it sees, but will not block anything. This allows you to trim down the noise before you actually go into IPS mode.. IPS is not something for hey that is what a mask is, oh that is tcp traffic, and that is udp.. but really don't know what the difference is ;)
pfblocker is a great package when used correctly and understanding what it does.. But to be honest it can be quite confusing to someone that is just learning about networking/firewalling/etc.. Letting it autorule shit is prob going to break stuff if you want my honest opinion, no offense bcan!! Wanting to run an adblocker that is dns based without understanding how dns works is just asking for trouble if you ask me!! Most likely going to break shit again!!!
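The rule-processing behaviour johnpoz describes (top-down evaluation per entry interface, first match wins, implicit deny when nothing matches, and a state created by a pass rule admitting the reply on an interface with no rules) can be modelled in a few lines. This is an added illustration, not pfSense or pf code; the 192.168.x.x addressing and the 203.0.113.53 "public DNS" address are constructed, and the LAN rule set mirrors the OP's rules with the "block all other DNS" rule enabled and a typical "LAN any any" pass beneath it.

```python
import ipaddress

# Constructed addressing for the thread's segments.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT_NET = ipaddress.ip_network("192.168.2.0/24")
LAN_ADDR = ipaddress.ip_network("192.168.1.1/32")   # pfSense's own LAN address
ANY = "any"

def _in(net, ip):
    return net == ANY or ipaddress.ip_address(ip) in net

class Firewall:
    """Toy model of pfSense/pf filtering: rules are a per-interface list in UI order,
    each rule is (action, proto, src_net, dst_net, dport) with ANY/None as wildcards."""
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # flows already admitted by a pass rule

    def filter(self, iface, proto, src, sport, dst, dport):
        """Decide one packet entering `iface`; returns (action, reason)."""
        # pf consults the state table before the rules: the reply to an admitted flow
        # passes on whatever interface it arrives, even one with no rules at all.
        if (proto, dst, dport, src, sport) in self.states:
            return ("pass", "existing state")
        for n, (action, r_proto, r_src, r_dst, r_dport) in enumerate(self.rules.get(iface, []), 1):
            if (r_proto in (ANY, proto) and _in(r_src, src) and _in(r_dst, dst)
                    and r_dport in (None, dport)):
                if action == "pass":
                    self.states.add((proto, src, sport, dst, dport))
                return (action, f"rule {n} on {iface}")     # first match wins, stop here
        return ("block", f"implicit deny on {iface}")        # no rule matched

def demo():
    fw = Firewall({
        "LAN": [("pass", ANY, LAN_NET, LAN_ADDR, 53),   # OP's rule: LAN net -> LAN address port 53
                ("block", ANY, LAN_NET, ANY, 53),       # OP's "block all other DNS", enabled here
                ("pass", ANY, LAN_NET, ANY, None)],     # typical "LAN any any"
        "OPT": [],                                      # freshly created OPT: no rules
    })
    return [
        fw.filter("LAN", "udp", "192.168.1.50", 40000, "192.168.1.1", 53),    # rule 1 passes
        fw.filter("LAN", "udp", "192.168.1.50", 40001, "203.0.113.53", 53),   # rule 2 blocks; rule 3 never consulted
        fw.filter("LAN", "tcp", "192.168.1.50", 40002, "192.168.2.10", 80),   # rule 3 passes, state created
        fw.filter("OPT", "tcp", "192.168.2.10", 80, "192.168.1.50", 40002),   # reply: admitted by state, not rules
        fw.filter("OPT", "tcp", "192.168.2.10", 50000, "192.168.1.50", 445),  # OPT-initiated: implicit deny
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```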