Port 53 (DNS)
-
So I'm not yet a "propeller head" when it comes to Firewalls and rules... but I'm getting it sorted out.
A puzzle I've observed: I have a port alias called Browsing that has ports 53, 80, 443, 8080 defined. 53 is DNS ... 8.8.8.8 & 1.1.1.1 are DNS servers ...
So I have a firewall rule set up that passes protocol TCP/UDP from LAN Subnets (any source port)
to Dest any, port: the aliased ports 53, 80, 443, 8080, and I have disabled the two IPv4&6 default rules ... and browsing works ... however ping to 8.8.8.8 or 1.1.1.1 doesn't (I know what you're thinking), but DNS is not working, as I can't ping google.com - it doesn't know it.
When I disable my "locked down browsing" rule and re-enable the IPv4 default rule that is a messy any any any any rule ... it all works again.
What am I missing?
-
@Tacyon did you allow just TCP/UDP? Ping is ICMP, so no, you wouldn't be able to ping 8.8.8.8 or anything because you're not allowing ICMP.
-
DNS should still work in that situation though. So a client should resolve google.com and try to ping that IP and fail.
If DNS isn't working your firewall rule is incorrect. Post a screenshot of it.
-
So I surmised that the browsing rule is TCP/UDP and, among other ports, 53 (DNS) is present. And while I wasn't able to "ping" the IP address of Cloudflare's or Google's DNS server, the base function should still work (as @stephenw10 stated) and it wasn't.
What is the relationship of the DNS settings in General/DNS Server Settings? Shouldn't this allow DNS to function from the LAN when a rule doesn't pass it either by IP or port (53)?
Or does there need to be something else added to be referenced by this "local" DNS for the DHCP etc.? I cite this: "Enter IP addresses to be used by the system for DNS resolution. These are also used for the DHCP service, DNS Forwarder and DNS Resolver when it has DNS Query Forwarding enabled."
-
@Tacyon said in Port 53 (DNS):
shouldn't this allow for DNS to function from the LAN when a rule doesn't pass it either by IP or port (53) ?
Do you have a rule that allows your clients to talk to the pfSense IP address on the LAN on 53?
Without actually showing us your rules it's really hard to tell if they are correct or not, or what issues they might cause.
-
Yes, by default the servers set in General settings don't do anything. pfSense resolves directly (Unbound in resolving mode) and clients are passed the local interface's address to query against.
Do you see blocked traffic in the firewall logs? Your rule probably isn't matching as you intended it to.
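The policy discussed in this thread, written out as hand-written pf rules as an added example (not posted by anyone in the thread, and not what the pfSense GUI generates). It assumes an interface macro named `lan` with a placeholder interface name, adds the ICMP echo rule the second reply points out is missing, and logs the catch-all block so dropped flows show up in the firewall log, as the last reply suggests checking.

```pf
# Added example: pf syntax for the "Browsing" alias policy from this thread.
# Assumptions: "lan" is the LAN interface macro (placeholder name below);
# pfSense normally generates rules from the GUI, this is illustration only.
lan = "igb1"                            # placeholder interface name
browsing = "{ 53 80 443 8080 }"         # the Browsing port alias

# Default deny on LAN, logged so blocked flows appear in the firewall log.
block in log on $lan

# The "locked down browsing" rule: TCP/UDP from the LAN subnet to any
# destination on the aliased ports. Destination "any" includes the
# firewall's own LAN address, so clients can still reach Unbound on 53.
pass in quick on $lan inet proto { tcp udp } from $lan:network to any port $browsing

# A TCP/UDP rule never matches ping: ICMP echo needs its own pass rule,
# and IPv6 uses ICMPv6, so it needs a separate one.
pass in quick on $lan inet proto icmp from $lan:network to any icmp-type echoreq
pass in quick on $lan inet6 proto icmp6 from $lan:network to any icmp6-type echoreq
```

If DNS still fails with a rule equivalent to the TCP/UDP line above, the firewall log from the logged block rule shows which protocol, source and destination port the client actually used, which is what the replies ask to see.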