PFSense DNS Open Relay?

jcalvert · Sep 20, 2013, 5:44 PM

We just had a scan done by our provider and is reporting that what appears the PFSenses on our network are acting as a DNS Open Relay?

I do not have any DNS Services running, I am only using assigned DNS Servers from our provider in the General Setup and on the OPT1 Subnet DHCP settings

Any ideas?

Thanks,

cmb · Sep 20, 2013, 7:50 PM

Open resolver, yes if you have the DNS forwarder on. Disable it if you don't use it, or if you do, make sure your firewall rules only allow your trusted networks to resolve via it.

stan-qaz · Sep 21, 2013, 12:16 AM

I'm looking at this page: pfsense/services_dnsmasq.php in my v2.1 pfSense.

It looks like I need the DNS forwarder for my LAN since I want to resolve local names from both DHCP assignments and host overrides on my local systems.

In the section below I have "LAN" and "Localhost" selected.

Interface IPs used by the DNS Forwarder for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

Then in the section below I have "Strict Interface Binding" checked.

If this option is set, the DNS forwarder will only bind to the interfaces containing the IP addresses selected above, rather than binding to all interfaces and discarding queries to other addresses.

I thought this would make the internal DNS server invisible to the outside world. If it isn't doing that I need to figure out how to set up firewall rules that will hide the internal DNS server from the WAN interface without messing up pfSense's access to the configured external DNS servers or keeping me from setting and using a different DNS on a couple of my test machines on my LAN.

cmb · Sep 21, 2013, 6:50 AM

As long as you don't have firewall rules on WAN permitting DNS traffic to any of the IPs where you have the DNS forwarder listening, you're fine. You can test here: http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl

kejianshi · Sep 21, 2013, 6:54 AM

8.8.8.8 is open

I am closed. Well - Thats a plus.

stan-qaz · Sep 21, 2013, 4:54 PM

I didn't have any luck getting results back from that test so I tried Google and found one that worked for me.

http://www.thinkbroadband.com/tools/dnscheck.html

Thanks!

kejianshi · Sep 21, 2013, 4:58 PM

Success! We detected your IP address as 198.81.129.107 and did not find an open DNS resolver running.

That one is good too (-: