Netgate Discussion Forum

PFSense DNS Open Relay?

DHCP and DNS
7 Posts 4 Posters 2.6k Views
jcalvert, Sep 20, 2013, 5:44 PM

We just had a scan done by our provider and it is reporting that what appear to be the pfSenses on our network are acting as a DNS Open Relay?

I do not have any DNS services running; I am only using the assigned DNS servers from our provider in the General Setup and in the OPT1 subnet DHCP settings.

Any ideas?

Thanks,
cmb, Sep 20, 2013, 7:50 PM

Open resolver, yes, if you have the DNS forwarder on. Disable it if you don't use it, or if you do, make sure your firewall rules only allow your trusted networks to resolve via it.
stan-qaz, Sep 21, 2013, 12:16 AM

I'm looking at this page: pfsense/services_dnsmasq.php in my v2.1 pfSense.

It looks like I need the DNS forwarder for my LAN since I want to resolve local names from both DHCP assignments and host overrides on my local systems.

In the section below I have "LAN" and "Localhost" selected.

Interface IPs used by the DNS Forwarder for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

Then in the section below I have "Strict Interface Binding" checked.

If this option is set, the DNS forwarder will only bind to the interfaces containing the IP addresses selected above, rather than binding to all interfaces and discarding queries to other addresses.

I thought this would make the internal DNS server invisible to the outside world. If it isn't doing that, I need to figure out how to set up firewall rules that will hide the internal DNS server from the WAN interface without messing up pfSense's access to the configured external DNS servers or keeping me from setting and using a different DNS on a couple of my test machines on my LAN.
cmb, Sep 21, 2013, 6:50 AM

As long as you don't have firewall rules on WAN permitting DNS traffic to any of the IPs where you have the DNS forwarder listening, you're fine. You can test here: http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
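The check cmb links does essentially one thing: it sends a recursive DNS query to your WAN address from the outside and looks at whether the reply carries an answer with the RA (recursion available) bit set. The script below is an added example, not from this thread or from pfSense, that does the same self-check in plain Python so you can run it from a host outside your network against your own WAN IP after adjusting the firewall rules. The query name, the hypothetical server address and the constructed sample responses used for the offline checks are assumptions for illustration; a "refused", "no-recursion" or "no-response" result is what you want to see from the WAN side.

```python
import socket
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035, section 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")


def build_query(qname: str, txn_id: int = 0x1234) -> bytes:
    """Build a standard recursive (RD=1) A/IN query for qname."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1 (recursion desired)
    header = DNS_HEADER.pack(txn_id, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def classify_response(query_id: int, data: bytes) -> str:
    """Classify a raw DNS reply from the header alone.

    Returns one of: 'open', 'refused', 'no-recursion', 'no-answer',
    'error(rcode=N)' or 'malformed'.
    """
    if len(data) < DNS_HEADER.size:
        return "malformed"
    txn_id, flags, _qd, ancount, _ns, _ar = DNS_HEADER.unpack_from(data)
    if txn_id != query_id or not (flags & 0x8000):  # id mismatch or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    recursion_available = bool(flags & 0x0080)
    if rcode == 5:
        return "refused"          # server answered REFUSED: not open to us
    if rcode != 0:
        return f"error(rcode={rcode})"
    if recursion_available and ancount > 0:
        return "open"             # it resolved an arbitrary name for an outsider
    if not recursion_available:
        return "no-recursion"     # replied, but will not recurse for us
    return "no-answer"


def probe(server_ip: str, qname: str = "example.com.", timeout: float = 3.0) -> str:
    """Send one recursive query to server_ip:53 over UDP and classify the reply."""
    txn_id = 0x4242
    query = build_query(qname, txn_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"  # filtered or not listening: the desired WAN result
    return classify_response(txn_id, data)


def make_sample_response(txn_id: int, flags: int, ancount: int) -> bytes:
    """Constructed sample reply (header only), used to exercise classify_response offline."""
    return DNS_HEADER.pack(txn_id, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    import sys
    # Usage: python open_resolver_check.py <your-WAN-IP>   (run from outside your network)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    print(f"{target}: {probe(target)}")
```

The classification relies on the RA bit plus RCODE rather than on the answer contents, which is enough to distinguish "this server recurses for anyone" from "it answered but refused" and "nothing came back". A UDP timeout is reported as `no-response` rather than an error because, from the WAN side, that is exactly the outcome the firewall rules cmb describes should produce.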
kejianshi, Sep 21, 2013, 6:54 AM

8.8.8.8 is open

I am closed. Well, that's a plus.
stan-qaz, Sep 21, 2013, 4:54 PM

I didn't have any luck getting results back from that test so I tried Google and found one that worked for me.

http://www.thinkbroadband.com/tools/dnscheck.html

Thanks!
kejianshi, Sep 21, 2013, 4:58 PM

Success! We detected your IP address as 198.81.129.107 and did not find an open DNS resolver running.

That one is good too (-:
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.