Best way to intercept DNS traffic?
-
Nice idea.
Either use the approved DNS server (pfSense forwarder) or get blocked.
Like it.

Firewall: Rules, LAN (after the anti-lockout rule and before other pass rules)
Action: block & log
Proto: IPv4+6 TCP/UDP
Src Addr: *
Src Port: *
Dst Addr: ! LAN address
Dst Port: 53 (DNS)
Gateway: *
Queue: none
Description: Block unapproved DNS servers rule
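Since that rule logs its hits, an added example (not from this thread or from pfSense itself) of reading those hits: a Python script that parses constructed pfSense filterlog lines and reports which LAN hosts tried to reach DNS servers other than the firewall. The CSV field order is assumed from pfSense's filterlog format, the log lines are constructed sample data, and 192.168.1.1 is assumed to be the LAN address.

```python
import re
from collections import defaultdict

# Constructed sample in the pfSense filterlog CSV layout (assumed field order for
# IPv4 entries: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,
# ttl,id,offset,flags,proto-id,proto,length,src,dst,sport,dport,...).
SAMPLE_LOG = """\
Mar  3 10:01:12 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,12345,0,DF,17,udp,60,192.168.1.50,8.8.8.8,51234,53,40
Mar  3 10:01:13 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,192.168.1.50,8.8.8.8,51235,53,0,S,1,,65535,,mss
Mar  3 10:01:20 pfSense filterlog: 7,,,1000000110,em1,match,pass,in,4,0x0,,64,12347,0,DF,17,udp,60,192.168.1.51,192.168.1.1,40000,53,40
Mar  3 10:01:25 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,12348,0,DF,17,udp,60,192.168.1.77,8.8.4.4,41000,53,40
Mar  3 10:01:30 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,12349,0,DF,6,tcp,60,192.168.1.50,1.1.1.1,51300,443,0,S,2,,65535,,mss
"""

FILTERLOG = re.compile(r"filterlog(?:\[\d+\])?: (?P<csv>.*)$")

def parse_line(line):
    """Pull action/proto/src/dst/dport out of one IPv4 tcp/udp filterlog line, else None."""
    m = FILTERLOG.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # Only IPv4 TCP/UDP entries are decoded; IPv6 entries have a different header layout.
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"action": f[6], "proto": f[16], "src": f[18], "dst": f[19], "dport": int(f[21])}

def unapproved_dns_clients(log_text, lan_address):
    """Map each LAN host that hit the block rule to the external resolvers it tried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "block" and rec["dport"] == 53 and rec["dst"] != lan_address:
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    for host, resolvers in sorted(unapproved_dns_clients(SAMPLE_LOG, "192.168.1.1").items()):
        print(f"{host} tried unapproved DNS servers: {', '.join(resolvers)}")
```

Feed it `clog /var/log/filter.log` output (or the raw syslog export) to see which devices on the LAN are hard-wired to an outside resolver before deciding between blocking and redirecting.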
-
That is simple enough it should be a checkbox somewhere in the GUI!
-
The 'block all other DNS traffic' solution or the 'port forward DNS to localhost' solution?
Port forwarding looks like exactly what dhatz was after. I guess it comes down to what you want your users to see. By port forwarding users would not know they're connected to local DNS instead of their chosen external DNS server (if they chose it intentionally). Blocking other DNS servers lets them know that only local DNS service is allowed. Perhaps it depends what sort of users you have. ;)
Steve
-
This is the solution I needed, I think! Not blocking the DNS queries when someone manually changes the DNS, but whatever DNS is manually inserted, it should always use the pfSense DNS without being cut off.
What would be the best configuration for this solution? Simply forward port 53 on the pfSense IP? Thank you.
-
The port forward setup is explained in the linked post, http://forum.pfsense.org/index.php/topic,60925.0.html, and the blog post linked there: http://www.interspective.net/2012/07/pfsense-ntp-and-network-sneakery.html
Looks simple enough, though I've never tried it. :)
Steve
-
"when someone manually changes the dns"
In a corp setup, users should not even be able to change DNS in the first place. And if they did, since in most corp setups only the proxy can go out anyway, what point would it be? They still are not going anywhere.
And again, in a corp setup it would be common practice to block all outbound traffic. Even if you were allowing direct outbound access by user machines (not a common enterprise/corp setup), only specific ports would be allowed. Even if you allowed users direct access, and they changed their TCP settings and pointed to outside DNS, what good would it do them? If they are not pointing to their AD DNS, they are going to have issues, etc.
In a normal corp setup intercepting DNS seems pointless, and in a home setup I don't see the point either. So this comes down to ma and pop type setups that are at a crossroads of moving into that next phase of their IT controls?
Just trying to get a handle on what sort of setup would want to intercept dns traffic?
Can someone describe their IT control policies and the sort of company/location where you would want to intercept DNS vs just block it? I would assume a place that is looking to prevent outside DNS would also be at a place where they are using a proxy for users to filter content? If that is the case then all traffic other than proxy outbound should be blocked, etc.
-
With the current trend for allowing users to bring their own devices and use them on your network I can see this may be useful. If only a few of those are using some manually configured DNS server it would make things easier for everybody if that device continued to function without having to make any changes.
I agree it's perhaps a fairly rare occurrence. Having the option to run this setup or not can only be good thing, no?
Steve
-
Sure, options are always a good thing, just trying to understand where redirection of 53 would be of use. Redirection has many uses.. Just trying to get my head around where you want to do it on DNS?
Let's say it is BYOD - wouldn't they be using DHCP to get on your network, so you would be giving them a DNS server to use ;)
Letting users manually configure IPs seems like a really bad idea ;) If you're letting them BYOD, but you don't want them using outside DNS? Seems an odd sort of setup to me..
-
Like I said, fairly rare!
I used to use external DNS servers that could be reached from anywhere after having trouble with VPN connections on a laptop I had at the time. I'm not doing that now.
Users may be using an external DNS server for content filtering perhaps.
If you're going to allow BYOD (and that seems to be the done thing these days) you've got to expect and allow for all manner of weird configurations. If you can do this and people's devices 'just work' that's one less support call you have to field. Is there a disadvantage to this setup?
Steve
-
I don't see a problem with redirecting or blocking external DNS servers since the one in pfSense seems to be working well and I have it pointed to upstream DNS servers that I trust. Having a radio-button for Open, Blocked or Redirected DNS still seems like a handy thing for new users and folks that don't want to be creating their own firewall rules.
The reason I'd consider blocking access to external DNS servers is the number of reports of problem DNS servers out there that could cause a user to connect to a machine other than the one they think they are connected to. I'm not sure I need this here since almost every machine is a Linux or BSD system, but we do have one XP box and one Android device running. I'm not sure what our Dish Network satellite TV boxes are doing or what our Sonos music system is using; they do use my DHCP server but I haven't looked at what they are actually connecting to. Guests get offered use of a spare Linux box or a dedicated guest WiFi access point on its own LAN so they aren't a threat to my systems.
-
Of course there are apps/devices that can benefit by submitting a DNS query to a specific server.
Take a Roku device for example. It uses the DHCP supplied DNS server (pfSense Forwarder), but also submits a www.google.com query to Google's TCP DNS at 8.8.8.8. Which in my case at least provides a different set of servers that ping in at 18 ms rather than 148 ms for the ones provided by Level 3 (pfSense DNS forwarder).
That's pretty wordy. May have to read through it a couple times.
There are lots of possibilities. To each their own.