Block DNS requests
-
I've got a bunch of gizmos (with DHCP leases) apparently trying to skirt using a DHCP-assigned internal DNS and use external servers. Chromecasts, camera gateways and other IoT-sort of gizmos.
What are the downsides to blocking/redirecting them? As in, would it be workable to set up an alias of the device IPs and set up a firewall rule to handle them? Would setting up a passive port forward redirect back to an internal DNS server work?
I've set up one rule with an alias for a group of hosts allowed DNS access. Seems to work nicely. They're successfully making direct external DNS queries.
Also set up a rule with another alias of blocked hosts, without logging. This is to at least temporarily cut down on their spamming the log.
Leaving a generic "all other hosts blocked" rule in place, to at least see what, if anything, else tries to make DNS queries directly.
Any downsides to setting up a NAT port forward rule to redirect LAN requests on port 53 to an internal DNS server? Do the port forward rules come after the regular firewall rules?
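The triage described above (an allowed alias, a quietly blocked alias, and a catch-all block rule to surface anything else) can be run over firewall log lines to list which hosts are still talking to outside resolvers. This is an added example, not code from the original post or from pfSense; the log line format, addresses and aliases are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log lines (a simplified CSV, not pfSense's real filterlog format):
# action,interface,proto,src,dst,dstport
SAMPLE_LOG = """\
pass,lan,udp,192.168.1.10,8.8.8.8,53
pass,lan,udp,192.168.1.10,192.168.1.1,53
block,lan,udp,192.168.1.42,8.8.4.4,53
block,lan,udp,192.168.1.42,1.1.1.1,53
block,lan,tcp,192.168.1.77,9.9.9.9,53
block,lan,udp,192.168.1.42,8.8.4.4,53
block,lan,udp,192.168.1.99,8.8.8.8,443
pass,lan,udp,192.168.1.10,8.8.8.8,53
"""

LAN = ip_network("192.168.1.0/24")                   # assumed LAN range
INTERNAL_DNS = {ip_address("192.168.1.1")}           # the DHCP-assigned resolver
ALLOWED_DIRECT_DNS = {ip_address("192.168.1.10")}    # alias: hosts allowed to query outside
KNOWN_BLOCKED = {ip_address("192.168.1.42")}         # alias: known chatty gizmos, not logged

def parse_line(line):
    action, iface, proto, src, dst, dport = line.strip().split(",")
    return {"action": action, "iface": iface, "proto": proto,
            "src": ip_address(src), "dst": ip_address(dst), "dport": int(dport)}

def bypassing_dns(records):
    """Yield port-53 traffic from LAN hosts to any resolver other than our own."""
    for r in records:
        if r["dport"] == 53 and r["src"] in LAN and r["dst"] not in INTERNAL_DNS:
            yield r

def classify(log_text):
    """Group bypassing hosts into the three buckets the rule set uses."""
    buckets = {"allowed": defaultdict(set),
               "known_blocked": defaultdict(set),
               "unexpected": defaultdict(set)}
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    for r in bypassing_dns(records):
        if r["src"] in ALLOWED_DIRECT_DNS:
            name = "allowed"
        elif r["src"] in KNOWN_BLOCKED:
            name = "known_blocked"
        else:
            name = "unexpected"        # candidates for the alias or the NAT redirect
        buckets[name][str(r["src"])].add(str(r["dst"]))
    return {k: {h: sorted(d) for h, d in v.items()} for k, v in buckets.items()}

if __name__ == "__main__":
    for name, hosts in classify(SAMPLE_LOG).items():
        print(name, hosts)
```

The "unexpected" bucket is the list of hosts that are neither permitted nor already in the quiet-block alias, which is exactly what the catch-all rule exists to reveal.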
-
Unless the DNS requests made by said gizmos can only come from their custom DNS server, there isn't really a downside to redirecting them.
This is what I prefer to do:
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
Any client that requests DNS from a remote address other than the firewall gets redirected to the DNS service on the firewall (resolver or forwarder, pick your poison).