Netgate Discussion Forum

    Looking for help setting up DNS

    johnpoz LAYER 8 Global Moderator

      Post up this rule you created.  You can have a rule all day long that says lan block tcp/udp.  But if you forward into dns running on the lan, its answers would get back out because there is a state created when you forwarded.  With udp it's not so much a state, but pfsense knows that it sent in a udp packet and responses should be allowed.

      So what you want to do is stop users on your lan from doing a query to 8.8.8.8..  Can you post your lan rules please.. Picture is much easier to read.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      Rich W.

        Are you asking for "screen grab" images of pages from the pfSense web GUI?  If so, exactly which pages should I be sure to include?

        Or is there some text file representation of a pfSense configuration which people prefer to use?  I'm new to pfSense, remember, so I may not be extremely familiar with what expert users of the software are accustomed to looking at.

        johnpoz LAYER 8 Global Moderator

          Yeah just screen shot of your lan rules

          Rich W.

            OK, here's a screen shot of my LAN rules.  Let me know if you want to see anything additional.

            shield-lan-rules-161027a.jpg

            johnpoz LAYER 8 Global Moderator

              Well for starters your rules that would allow outbound access to dns are not even enabled.  That is why it's grayed out.

              Your rules are a mess to be honest.  What is that rule that says allow outside access smtp from memory / freedom supposed to do?  What it would do is allow outbound access from those IPs in your source alias.  Then your two rules below that would allow anything to talk to those dest IPs on 25.

              Your ntp rule to 10.0.229.197, not sure what that is supposed to do.. Where is this rfc1918 address?  Is that your local lan?  Or another lan or wan of pfsense?  A tunnel?

              Your first rule blocking to spamhaus?  You have that backwards.. That rule says anything in that alias can not go out your lan.. Why would those IPs be source IPs INTO your lan interface?

              Rules are evaluated top down, first rule to trigger wins and no other rules are evaluated.  This is traffic INBOUND to your lan interface from your lan network.

              Your rule allowing smtp to office 365 servers.. Where did you get that netblock 132.245.0.0/16?  While it is an MS network, there are way more addresses than that for office365, etc.  While I see that would cover some of the 132.245 addresses here https://support.content.office.net/en-us/static/O365IPAddresses.xml  There is sure a lot more!!!

                Rich W.

                Just for the moment, all I am really asking about is how DNS is being handled in my current firewall setup.

                In an attempt to simplify matters for the sake of debugging, I'm temporarily trying to reject all outbound DNS through this firewall — but even that doesn't seem to be working at all (all outbound DNS from my LAN is currently going through).  Can you help me figure that out?  Once I have this one thing working correctly, I do plan to go back and enable the other DNS rules, but not just yet.

                You made a very valid point about my "Spamhaus DROP list" rule, btw — my intent there was to keep anyone on my LAN from sending anything out to any address on the Spamhaus DROP list, and I'm going to fix that rule to put my "Spamhaus DROP list" alias as the destination instead of the source.  But again, what I'm really trying to get feedback on right now is DNS.  Why is all outbound DNS getting through this firewall right now, even though I thought I had temporarily disabled all outbound DNS rules except for one that I still have enabled that should reject everything?

                I would be grateful if you (or anyone else) could help me with this one issue for now.

                  johnpoz LAYER 8 Global Moderator

                  Do you have any rule in floating?  While yes your block to dns should be firing, I don't see any hits on it.  So is there a floating rule that would allow it?  Those would be processed before the lan rules.

                  If you have a nat setup that nats all inbound to pfsense, and there is a firewall rule that would allow it, that could be allowing it as well.  So while you have the firewall rule that is supposed to match up with your nat disabled, you do have a lan rule any any that would allow it.  So nats are processed first, and then pfsense looks to see if any firewall rules allow the nat to actually happen.  Your any any rule could allow it.

                  But my first guess and place to look would be your floating tab.

                    Rich W.

                    I have no floating rules.

                    I have a NAT rule which takes any DNS request incoming via my WAN interface and redirects it to a DNS server on my LAN.

                    I had a NAT rule which would take any DNS request incoming via my LAN interface and redirect it to the pfSense firewall.  However, I have disabled this rule.

                    In the status dashboard screen of the pfSense GUI, the "DNS server(s)" item lists two internal DNS servers (on my LAN).  Again, as I believe I mentioned earlier, both the "DNS Forwarder" and the "DNS Resolver" are disabled right now.

                    I did an SSH into the pfSense firewall, and "netstat -rn | grep -w 53" shows nothing listening on the TCP/UDP domain service port.  Also, "ps ax" does not show any "dnsmasq" or "unbound" process running.

                    I did "pfctl -s all", and here are all the entries mentioning the "domain" service (TCP/UDP port 53).  My WAN interface is 96.82.71.10 (gateway address is 96.82.71.14).  My LAN address range is 10.0.229.0/24; the host 10.0.229.173 in the stuff below is my internal DNS server.

                    rdr on xn1 inet proto tcp from any to 96.82.71.10 port = domain -> 10.0.229.173
                    rdr on xn1 inet proto udp from any to 96.82.71.10 port = domain -> 10.0.229.173
                    pass in quick on xn1 reply-to (xn1 96.82.71.14) inet proto tcp from any to 10.0.229.173 port = domain flags S/SA keep state label "USER_RULE: NAT Redirect inbound DNS to Freedom"
                    pass in quick on xn1 reply-to (xn1 96.82.71.14) inet proto udp from any to 10.0.229.173 port = domain keep state label "USER_RULE: NAT Redirect inbound DNS to Freedom"
                    block return in log quick on xn0 inet proto tcp from any to any port = domain label "USER_RULE: Reject other outbound DNS"
                    block return in log quick on xn0 inet proto udp from any to any port = domain label "USER_RULE: Reject other outbound DNS"

                    It's been a very long time since I've worked with raw "pf" on a BSD box, but I would think the last two entries shown above (the "block return in" lines) would be stopping any DNS queries arriving on my LAN interface.  Hence my confusion on seeing that DNS appears to be passing through unchecked from my LAN to the Internet.

                    I assume I'm probably doing something subtly wrong in the way I'm trying to specify DNS-related actions in several places (LAN rules, WAN rules, NAT, etc.).  What I'd really like to find is a "how-to" document describing best practices for DNS management in pfSense.  Does anyone know of such a document?

                      johnpoz LAYER 8 Global Moderator
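                    To make the "nat first, then filter rules, first quick match wins" logic concrete, here is an added example (not from the thread or from pfSense itself) that parses the pfctl lines quoted above and walks a hypothetical packet through them the way pf would: rdr rules rewrite the destination first, then filter rules are tried in order, and a matching rule marked quick ends evaluation. The rule text is the thread's own; the packets (a constructed LAN client 10.0.229.50 querying 8.8.8.8, and an outside host 203.0.113.7 hitting the WAN address) are made up, and the "default deny" fallback models pfSense's appended default-block rule rather than plain pf's default pass.

```python
"""Walk a packet through pf rules as printed by `pfctl -s all` on pfSense.

Constructed example for illustration: the rule lines are the ones quoted in the
thread; the packets and the 10.0.229.50 / 203.0.113.7 hosts are hypothetical.
"""
import ipaddress
import re

PF_OUTPUT = """\
rdr on xn1 inet proto tcp from any to 96.82.71.10 port = domain -> 10.0.229.173
rdr on xn1 inet proto udp from any to 96.82.71.10 port = domain -> 10.0.229.173
pass in quick on xn1 reply-to (xn1 96.82.71.14) inet proto tcp from any to 10.0.229.173 port = domain flags S/SA keep state label "USER_RULE: NAT Redirect inbound DNS to Freedom"
pass in quick on xn1 reply-to (xn1 96.82.71.14) inet proto udp from any to 10.0.229.173 port = domain keep state label "USER_RULE: NAT Redirect inbound DNS to Freedom"
block return in log quick on xn0 inet proto tcp from any to any port = domain label "USER_RULE: Reject other outbound DNS"
block return in log quick on xn0 inet proto udp from any to any port = domain label "USER_RULE: Reject other outbound DNS"
"""

# pfctl prints well-known ports by service name; map the ones we care about.
SERVICES = {"domain": 53, "smtp": 25, "ntp": 123, "http": 80, "https": 443}

RULE_RE = re.compile(
    r"^(?P<action>pass|block|rdr)(?:\s+return)?(?:\s+(?P<dir>in|out))?(?:\s+log)?"
    r"(?:\s+(?P<quick>quick))?\s+on\s+(?P<iface>\S+)(?:\s+reply-to\s+\([^)]*\))?"
    r"\s+inet\s+proto\s+(?P<proto>tcp|udp)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+=\s+(?P<port>\S+))?(?:.*?->\s+(?P<target>\S+))?"
    r'(?:.*?label\s+"(?P<label>[^"]*)")?'
)


def parse_rules(text):
    """Parse tcp/udp rdr, pass and block lines; other pfctl output is ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        port = SERVICES.get(r["port"], r["port"])
        r["port"] = int(port) if port is not None else None
        for key in ("src", "dst"):
            r[key] = None if r[key] == "any" else ipaddress.ip_network(r[key], strict=False)
        rules.append(r)
    return rules


def _matches(rule, pkt):
    return (rule["iface"] == pkt["iface"]
            and rule["proto"] == pkt["proto"]
            and (rule["dir"] is None or rule["dir"] == pkt["dir"])
            and (rule["src"] is None or pkt["src"] in rule["src"])
            and (rule["dst"] is None or pkt["dst"] in rule["dst"])
            and (rule["port"] is None or rule["port"] == pkt["dport"]))


def evaluate(rules, pkt):
    """Return (verdict, rule label, destination the filter rules saw)."""
    pkt = dict(pkt, src=ipaddress.ip_address(pkt["src"]), dst=ipaddress.ip_address(pkt["dst"]))
    # 1. Translation first: the first matching rdr rewrites the destination,
    #    and it is the rewritten packet that the filter rules are matched on.
    for r in rules:
        if r["action"] == "rdr" and _matches(r, pkt):
            pkt["dst"] = ipaddress.ip_address(r["target"])
            break
    # 2. Filter rules in order. Plain pf is last-match, but a matching 'quick'
    #    rule ends evaluation at once, and pfSense marks its user rules quick.
    #    Nothing matching falls through to pfSense's appended default-deny rule.
    verdict = ("block", "default deny (pfSense)", str(pkt["dst"]))
    for r in rules:
        if r["action"] == "rdr" or not _matches(r, pkt):
            continue
        verdict = (r["action"], r["label"] or "(unlabelled)", str(pkt["dst"]))
        if r["quick"]:
            break
    return verdict


RULES = parse_rules(PF_OUTPUT)

# Constructed packets: LAN client asking 8.8.8.8, and an Internet host asking the WAN IP.
LAN_QUERY = dict(iface="xn0", dir="in", proto="udp", src="10.0.229.50", dst="8.8.8.8", dport=53)
WAN_QUERY = dict(iface="xn1", dir="in", proto="tcp", src="203.0.113.7", dst="96.82.71.10", dport=53)
LAN_HTTPS = dict(iface="xn0", dir="in", proto="tcp", src="10.0.229.50", dst="8.8.8.8", dport=443)

if __name__ == "__main__":
    for name, pkt in (("LAN DNS", LAN_QUERY), ("WAN DNS", WAN_QUERY), ("LAN HTTPS", LAN_HTTPS)):
        print(name, "->", evaluate(RULES, pkt))
```

                    Run as-is it shows the LAN query to 8.8.8.8 landing on the "Reject other outbound DNS" rule, while the query arriving on the WAN is first redirected to 10.0.229.173 and then passed by the matching NAT rule; if a real box behaves differently from this walk-through, the rule counters and a capture on the LAN interface are the next things to compare, which is where the thread goes next.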

                      Dude you sure your boxes are going to pfsense for outbound access?  And not going somewhere else or asking something else?

                      So I put in a block dns rule.. You can then see when I query an outside dns, it gets rejected, you can see the reject come back from pfsense.  You can see pfsense shows in the firewall tab that this rule has triggered (yours shows 0/0).  You can see that it's logged.

                      I would validate where your client is sending the traffic.  Sniff on the client, validate the mac it is sending to; is it sending to pfsense as its gateway?  This really is clickity clickity.  If you're not seeing hits to the rule, and getting answers, then either you're going out somewhere else, asking something else than what you think you're asking.  Or yeah something is messed up with pfsense?  Let's for 100% sure validate this traffic is going through pfsense.  So sniff on pfsense outbound.. Do you see your query go out??

                      So you see here my query gets denied, you see pfsense sends the reject.  This is sniffing right on the box sending the query to 8.8.8.8..

                      You can see pfsense logs this, because the rule was triggered and I said to log it.

                      I then undo the rule and send a specific query to outside dns again, 8.8.8.8, and sniff on pfsense wan.. You can see it go out, because it's supposed to.  So while you're saying your clients can query outside, let's validate that.. Let's send a query, sniffing, and see exactly how it's getting an answer.  Unless you have some other rule allowing the traffic or redirecting the traffic this really is clickity clickity its blocked.

                      blocked.png
                      logblock.png
                      yourtraffic.png

                        Rich W.

                        Thanks.  I'm going to rebuild my pfSense box and set up my rules all over again from scratch.  Hopefully whatever strange problem I created the first time will mysteriously vanish when I redo everything.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.