Is this normal behavior?? [SOLVED]
-
Hi all
I am somewhat new to pfsense. I am running the latest 2.3RC version.
I recently changed settings on the firewall so I can see both pass and block traffic and noticed that the WAN port is sending out a huge amount of DNS queries to seemingly random DNS servers.
Is this normal, or is it something I should be digging into more? None of these addresses are listed as my primary DNS servers, and this is happening about every 15 seconds or so.
Any input would be appreciated.
Thanks
-
Could be DNS Resolver talking to root servers.
-
Thanks for your quick response Kom.
If this is just the dns talking to root servers, shouldn't the requests be going out of my box on port 53, as opposed to a bunch of different random ports?
Sorry if this is a stupid question. I'm just trying to figure this out and make sure I set up the DNS resolver correctly.
EDIT: looking at a firewall summary of the last 3244 lines shows that 2296 of them are to port 53.
-
No. The source ports of DNS requests must be not only random, but sufficiently random to prevent certain spoofing attacks.
This was big news a couple years ago.
https://www.dns-oarc.net/oarc/services/dnsentropy
-
Thanks derelict, I didn't know you could poison DNS that way.
So, I've been testing various things, and found this.
If I turn off the DNS resolver on pfSense and turn on dnsmasq on my router, then I stop getting 20-30 outgoing DNS requests to random servers; instead I get 5-6 DNS requests ONLY to the Google nameservers that I set up. Which actually is the same way I had it set up on pfSense. So that still begs the question, why is pfSense sending all these random DNS requests? Could the "Allow DNS server list to be overridden by DHCP/PPP on WAN" have something to do with this behavior?
-
The requests aren't random. It just takes more requests to get the answer into your cache.
The resolver starts at the root and works its way to an answer. Like "Where do I get more information about com? OK, now where do I get more information about google.com? OK, what are the A and AAAA records for www.google.com?"
When you use the forwarder, you are asking a recursive/caching name server for an answer. If it doesn't have it the burden is on that server to do all the recursive work.
Is this normal behavior??
Yes.
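As an added, constructed illustration of the two points made in this thread (the source port should change from query to query, and the resolver fans out to many servers while a forwarder talks to a few configured ones), this Python script, which is not from the thread or from pfSense, parses firewall-log lines in the layout quoted above and summarizes a burst; the sample lines and their addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the pfSense firewall log quoted in the
# thread (timestamp, interface, src:port, dst:port, proto); the "►" marker is
# optional. Addresses are from documentation ranges, not real servers.
RESOLVER_LOG = """\
Apr 8 15:36:40 ► WAN 198.51.100.151:53952 192.0.2.1:53 UDP
Apr 8 15:36:40 ► WAN 198.51.100.151:34553 192.0.2.2:53 UDP
Apr 8 15:36:40 ► WAN 198.51.100.151:33449 192.0.2.3:53 UDP
Apr 8 15:36:40 ► WAN 198.51.100.151:14588 192.0.2.4:53 UDP
Apr 8 15:36:40 ► WAN 198.51.100.151:44427 192.0.2.5:53 UDP
Apr 8 15:36:41 ► WAN 198.51.100.151:25581 192.0.2.2:53 UDP
Apr 8 15:36:41 ► WAN 198.51.100.151:44300 203.0.113.9:443 TCP
"""
FORWARDER_LOG = """\
Apr 8 15:40:02 ► WAN 198.51.100.151:61023 203.0.113.53:53 UDP
Apr 8 15:40:02 ► WAN 198.51.100.151:18844 203.0.113.54:53 UDP
Apr 8 15:40:03 ► WAN 198.51.100.151:50211 203.0.113.53:53 UDP
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(?:►\s+)?(?P<iface>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

def parse_dns_queries(log_text):
    """Return outbound port-53 entries as (source_port, destination_ip) pairs."""
    queries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("dport") == "53" and m.group("proto") in ("UDP", "TCP"):
            queries.append((int(m.group("sport")), m.group("dst")))
    return queries

def summarize(queries):
    """Describe a burst: how varied the source ports are and how many servers were hit."""
    sports = Counter(p for p, _ in queries)
    dsts = Counter(d for _, d in queries)
    return {
        "queries": len(queries),
        "distinct_source_ports": len(sports),
        # Always sending from port 53 is the weak pattern the thread asks about.
        "uses_port_53_as_source": 53 in sports,
        "distinct_servers": len(dsts),
        # A forwarder talks to a few configured servers; a resolver fans out to
        # root, TLD and authoritative servers while walking each name.
        "mode_guess": "forwarder" if len(dsts) <= 2 else "resolver",
    }
```

Run it against a real export of the pfSense filter log to see whether a burst looks like resolver fan-out (many servers, a fresh port per query) or forwarding.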
-
I understand that DNS has to work through different servers to find the necessary address for what you put into the web browser. But these requests were going out when nothing was requesting name resolution; nothing was open on the network which should be requesting name/IP address resolution. This was part of the reason I was concerned about it. By the way, I am not using the DNS forwarder, I was only using the DNS resolver. But if you say that what I'm seeing in the firewall is normal DNS activity, then I believe you, and thank you for taking the time to answer my questions.
-
If you have any devices live on your network, something's pretty much always going to be doing a DNS lookup of some sort. Applications and OSes checking for updates, numerous other possibilities for background activity, in addition to the usual client-generated lookups.
-
OK, thanks cmb.
As long as everything is working as it should, that's all that matters.
Can you please mark this thread as solved?