Preventing insecure DNS on port 53 and DNS over TLS - questions
-
I'm following the pfSense documentation about preventing insecure DNS traffic, but I'm unsure about a few things.
From Blocking External Client DNS Queries page:
"DNS over TLS: (...) This traffic can be blocked with a firewall rule for port 853 using the same procedure used for 53. Though if the firewall will not be providing DNS over TLS service to clients, do not add the pass rule."
What are DNS over TLS services to clients? If I am using a custom DNS server and/or a VPN, does this mean that my firewall is providing DNS over TLS service to clients?
From the Redirecting Client DNS Requests page:
"Note: If DNS requests to other DNS servers are blocked, such as by following Blocking External Client DNS Queries, ensure the rule to pass DNS to 127.0.0.1 is above any rule that blocks DNS."
How can I ensure that this rule is above others? What does this mean exactly?
"Tip: This can be adapted to allow access to only a specific set of DNS servers by changing the Destination network from “LAN Address” to an alias containing the allowed DNS servers. The Invert match box should remain checked."
In this case instead of the "LAN Address" I should type the IP address of the DNS server in the same field, is that correct?
-
@sensibleuser Rules are processed in order on an interface.
So if you are trying to block DNS servers on the Internet, something like this on LAN:
Allow to This Firewall port 53 tcp+udp
Block to any port 53

Re: DNS over TLS, see https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-config.html “Enable SSL/TLS Service” and the next section about the certificate.
-
@SteveITS Why not simplify it and use the "Invert Match" option and just create a single LAN rule blocking TCP and UDP port 53 not to "This Firewall"?
-
@NickJH Then it would work because the default allow-to-any on LAN would allow :53. I guess I just prefer to be more specific. :) (it wouldn't work on other interfaces unless an allow rule was added because they don't have a default rule)
-
@SteveITS More powerful and less intrusive would be a redirect - https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html. Then the clients would not even notice their DNS is being hijacked, rather than having them trying to fathom out why they have no DNS.
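Added illustration, not pfSense code and not from any poster in this thread: a small Python model of the rule evaluation discussed above (SteveITS's pass-then-block ordering, NickJH's single "Invert match" rule, and the DNS redirect recipe), so the effect of rule order can be checked by hand. Everything in it is assumed for the sake of the example: the LAN is 192.168.1.0/24, the firewall's LAN address is 192.168.1.1, 192.0.2.0/24 stands in for "allowed DNS servers", every rule is quick (first match wins, as pfSense rules are), and port forwards are applied before filter rules.

```python
"""Model of first-match firewall rule evaluation for the LAN DNS rules in this thread.

Added example, not pfSense code. Assumptions (all illustrative): LAN is
192.168.1.0/24, the firewall's LAN address is 192.168.1.1, every rule is
'quick' (first match wins), port forwards (rdr) are applied before the filter
rules, and "This Firewall" means any address owned by the firewall."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # assumed LAN
THIS_FIREWALL = {ipaddress.ip_address("192.168.1.1"),   # assumed LAN address of the firewall
                 ipaddress.ip_address("127.0.0.1")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    protos: frozenset                # protocols matched, e.g. {"tcp", "udp"}
    dst: object                      # "any", "this_firewall", or a tuple of CIDRs (an alias)
    dport: Optional[int] = None      # None matches any destination port
    invert_dst: bool = False         # pfSense "Invert match" on the Destination field


def _dst_hit(rule: Rule, addr) -> bool:
    if rule.dst == "any":
        hit = True
    elif rule.dst == "this_firewall":
        hit = addr in THIS_FIREWALL
    else:                            # alias: list of networks
        hit = any(addr in ipaddress.ip_network(n) for n in rule.dst)
    return hit != rule.invert_dst


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.proto in rule.protos
            and (rule.dport is None or rule.dport == pkt.dport)
            and _dst_hit(rule, ipaddress.ip_address(pkt.dst)))


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides. An interface with no matching rule blocks,
    which is what the fall-through models."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


def redirect(forwards, pkt: Packet) -> Packet:
    """Apply the first matching port forward before filtering. Each entry is
    (match_rule, new_destination); the match_rule's action field is ignored."""
    for match_rule, new_dst in forwards:
        if rule_matches(match_rule, pkt):
            return Packet(pkt.src, new_dst, pkt.proto, pkt.dport)
    return pkt


def decide(rules, pkt: Packet, forwards=()) -> tuple:
    """Return (final destination, verdict) for a LAN-originated packet."""
    pkt = redirect(forwards, pkt)
    return pkt.dst, evaluate(rules, pkt)


TCP_UDP = frozenset({"tcp", "udp"})
DEFAULT_LAN_ALLOW = Rule("pass", TCP_UDP, "any")   # the stock "Default allow LAN to any" rule

# Pass to the firewall first, then block everything else on 53 (and 853 for DoT,
# with no pass rule because the firewall is not serving DoT in this example).
RULES_CORRECT = [
    Rule("pass", TCP_UDP, "this_firewall", 53),
    Rule("block", TCP_UDP, "any", 53),
    Rule("block", frozenset({"tcp"}), "any", 853),
    DEFAULT_LAN_ALLOW,
]
# Same rules with the block above the pass: the case the documentation warns about.
RULES_WRONG = [RULES_CORRECT[1], RULES_CORRECT[0], RULES_CORRECT[2], DEFAULT_LAN_ALLOW]
# Single rule: block port 53 to anything that is NOT this firewall.
RULES_INVERT = [Rule("block", TCP_UDP, "this_firewall", 53, invert_dst=True), DEFAULT_LAN_ALLOW]
# Alias variant: block port 53 to anything NOT in an alias of allowed servers (placeholder addresses).
ALLOWED_DNS = ("192.0.2.53/32", "192.0.2.54/32")
RULES_ALIAS = [Rule("block", TCP_UDP, ALLOWED_DNS, 53, invert_dst=True), DEFAULT_LAN_ALLOW]
# DNS redirect recipe: port 53 not destined to the firewall is forwarded to 127.0.0.1.
FORWARDS = [(Rule("pass", TCP_UDP, "this_firewall", 53, invert_dst=True), "127.0.0.1")]

if __name__ == "__main__":
    to_fw = Packet("192.168.1.50", "192.168.1.1", "udp", 53)
    to_ext = Packet("192.168.1.50", "198.51.100.1", "udp", 53)
    to_dot = Packet("192.168.1.50", "198.51.100.1", "tcp", 853)
    for name, rules in [("correct", RULES_CORRECT), ("wrong", RULES_WRONG),
                        ("invert", RULES_INVERT), ("alias", RULES_ALIAS)]:
        print(name, evaluate(rules, to_fw), evaluate(rules, to_ext), evaluate(rules, to_dot))
    print("redirect, pass above block:", decide(RULES_CORRECT, to_ext, FORWARDS))
    print("redirect, block above pass:", decide(RULES_WRONG, to_ext, FORWARDS))
```

Running the model shows the three behaviours the thread describes: with the pass rule above the block, queries to the firewall pass and queries elsewhere on 53 or 853 are blocked; with the block above the pass, even queries to the firewall are blocked; and with the redirect in place the external query is rewritten to 127.0.0.1 and then passes, but only if the pass rule to the firewall still sits above the block rule, which is the point of the documentation note about rule placement.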
-
@SteveITS said in Preventing insecure DNS on port 53 and DNS over TLS - questions:
I guess I just prefer to be more specific
I agree, specific is always better. While bang rules can work, if possible it's better to be very specific in what you allow and deny.
-
Out of curiosity, if you are using a dual stack, could you put 127.0.0.1 and ::1 in an alias and use that in a DNS redirect rule?
-
@Uglybrian You'd need two NAT rules for IPv4 and IPv6 anyway, they can't be combined.