Netgate Discussion Forum
    Firewall rule to block DNS queries to external DNS servers.

    Firewalling
    • hiotw

      Hello all, I am trying to create a firewall rule on the LAN to block DNS queries to external DNS servers except those DNS queries originating from DNS server (192.168.168.1).

      So far I have attempted creating a rule of

      Block TCP/UDP if source IP is not 192.168.168.1 to ANY destination IP using destination port DNS-DNS

      The rule doesn't work as I expect, and queries from the DNS server (192.168.168.1) are blocked.  What am I doing wrong? Any direction on creating this rule?

      On a side note this is the only rule I've implemented.

      • Perry

        Made a small mistake

        block  UDP  lan net    *    !192.168.168.1    53      *

        ipconfig /flushdns (From windows command prompt)

        /Perry
        doc.pfsense.org

        • hiotw

          I'm a new user to pfSense so maybe I'm just missing something…  Thanks for the suggestion. I modified the rule with no luck: all DNS packets are blocked from all hosts except those hosts using pfSense as their DNS server.  ???

          Below are the only rules visible via the WebGUI.

          Firewall Rules - LAN
                  Proto     Source              Port  Destination  Port      Gateway  Sch.  Desc.
          Block   TCP/UDP   ! 192.168.254.245   *     *            53 (DNS)  *        ----  DNS

          Firewall Rules - WAN
          Default RFC1918

          Correct the logic, but if a packet reaches pfSense and is processed against the above LAN rule, the firewall should say: IF the DNS query packet is NOT from 192.168.254.245, BLOCK!  If it matters any, which it shouldn't because DNS is DNS, 192.168.254.245 is a Windows Server 2003 host.

          • Perry

            If I apply your rule on LAN2 or LAN3 it works right away.
            On LAN, the behind-the-scenes rules take over.

            First make sure that you have the default LAN rule below your block rule so you can access the web GUI.
            Go to System -> Advanced and tick "webGUI anti-lockout" and save.
            Then I had to reboot my LAN client.

            Now your rule should work. Though I can't toggle the rule on and off as I would wish; prolly there is more to the behind-the-scenes rule than I know of.

            /Perry
            doc.pfsense.org

            • hiotw

              Thank you for your help.  I did a factory restore and it works as it should now.  I'm not sure what happened to the config; the only thing I can think of is that deleting the Default LAN rule changed the logic of the firewall.  ???

              All is well now thanks again, I'm really liking pfsense even better than IPCop!

              • hiotw

                Ok, the final resolution was to take the simple route out…  After disabling the default LAN rule, which is ANY to ANY, DNS once again failed.  Taking the simple route, I created a block-all-DNS rule and a single allow-DNS rule for the aforementioned IP address, and communications proceeded as expected.

                Network layout

                ------------     --------------     -----------     -------
                | Internet | === | ADSL modem | === | pfSense | === | LAN |
                ------------     --------------     -----------     -------

                • rocky

                  I used the following rule to block foreign DNS servers (192.168.1.1 is my DNS server's IP):

                  Protocol: TCP/UDP
                  Source: *
                    Port: *
                  Dest: ! 192.168.1.1
                    Port: 53 (DNS)
                  Gateway: *
                  Description: block foreign DNS

                  Protocol: *
                  Source: LAN net
                    Port: *
                  Dest: *
                    Port: *
                  Description: Default LAN -> any

                  If any client queries a foreign host (for DNS at port 53) that differs from 192.168.1.1, we block it!

                  That's ok for me:)

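Every outcome in this thread comes down to first-match ordering of the LAN interface rules: a block placed above the default "LAN -> any" pass fires, the same block placed below it never does, and the internal DNS server needs its own pass above the block so its forwarded queries are not caught. The evaluator below is an added example, not code from the thread or from pfSense. It assumes the ordering of hiotw's final rules (allow the server, block all other DNS, then the default rule), uses a constructed LAN of 192.168.254.0/24 and documentation-range addresses (203.0.113.0/24) for external hosts, and models only first-match semantics with an implicit default deny, not the anti-lockout rule Perry mentions, floating rules, or connection state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical first-match evaluator for pfSense-style LAN interface rules.
# It models only what the thread relies on: interface rules are checked top
# to bottom, the first match wins, and a packet matching nothing is dropped.
# It does not model the anti-lockout rule, floating rules or connection state.


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # "tcp", "udp" or "tcp/udp"; None = any
    src: Optional[str] = None    # host, CIDR or "LAN net"; leading "!" negates
    dst: Optional[str] = None
    dport: Optional[int] = None  # None = any port
    desc: str = ""


def _addr_matches(spec: Optional[str], addr: str, lan_net: str) -> bool:
    """Match one address field; a "!" prefix inverts the result, as in the GUI."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("! ")
    net = ip_network(lan_net if spec == "LAN net" else spec, strict=False)
    hit = ip_address(addr) in net
    return (not hit) if negate else hit


def _rule_matches(rule: Rule, pkt: Packet, lan_net: str) -> bool:
    return (
        (rule.proto is None or pkt.proto in rule.proto.split("/"))
        and _addr_matches(rule.src, pkt.src, lan_net)
        and _addr_matches(rule.dst, pkt.dst, lan_net)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules: List[Rule], pkt: Packet, lan_net: str) -> Tuple[str, str]:
    """Return (action, description) of the first matching rule; no match = default deny."""
    for rule in rules:
        if _rule_matches(rule, pkt, lan_net):
            return rule.action, rule.desc
    return "block", "implicit default deny"


# rocky's ruleset from the thread (192.168.1.1 is the internal DNS server).
ROCKY_RULES = [
    Rule("block", "tcp/udp", None, "!192.168.1.1", 53, "block foreign DNS"),
    Rule("pass", None, "LAN net", None, None, "Default LAN -> any"),
]

# hiotw's final approach, in the order assumed here: allow the DNS server,
# then block every other DNS packet, then the default LAN-to-any rule.
HIOTW_FINAL_RULES = [
    Rule("pass", "tcp/udp", "192.168.254.245", None, 53, "allow DNS from internal server"),
    Rule("block", "tcp/udp", None, None, 53, "block all other DNS"),
    Rule("pass", None, "LAN net", None, None, "Default LAN -> any"),
]

# The same three rules with the default pass rule on top: the block never fires.
MISORDERED_RULES = [HIOTW_FINAL_RULES[2], HIOTW_FINAL_RULES[0], HIOTW_FINAL_RULES[1]]


def demo() -> dict:
    """Constructed sample packets (203.0.113.0/24 is a documentation range)."""
    lan = "192.168.254.0/24"
    client_dns = Packet("udp", "192.168.254.10", "203.0.113.53", 53)
    server_dns = Packet("tcp", "192.168.254.245", "203.0.113.53", 53)
    client_web = Packet("tcp", "192.168.254.10", "203.0.113.80", 443)
    return {
        "client_dns_final": evaluate(HIOTW_FINAL_RULES, client_dns, lan),
        "server_dns_final": evaluate(HIOTW_FINAL_RULES, server_dns, lan),
        "client_web_final": evaluate(HIOTW_FINAL_RULES, client_web, lan),
        "client_dns_misordered": evaluate(MISORDERED_RULES, client_dns, lan),
    }


if __name__ == "__main__":
    for name, (action, desc) in demo().items():
        print(f"{name:24} {action:5} ({desc})")
```

Running it shows the client's external DNS query blocked and the server's TCP query passed under the final ordering, and the same client query passed under the misordered set, which is the "block rule below the default rule is dead" situation Perry warns about. Two practical checks fall out of the model: use TCP/UDP rather than UDP alone so truncated responses retried over TCP are covered, and remember that a rule keyed on port 53 only sees classic DNS, so it is a policy enforcement point for plain DNS, not a guarantee that no other resolver is reachable.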