Netgate Discussion Forum

DNS Firewall Rules

Firewalling, 18 Posts, 6 Posters, 3.3k Views
Grimson @mrwaltman

@mrwaltman said in DNS Firewall Rules:

[two screenshots of the firewall rules: Clipboard-2.jpg, Clipboard-a1.jpg]

If those are current screenshots you're in dire need to upgrade pfSense.

Middge @KOM

@kom said in DNS Firewall Rules:

Use that doc to force all local DNS to be captured by pfSense. Then either:

1. Configure DNS Resolver in forwarding mode and set it to use your pihole by putting pihole IP address in System - General Setup - DNS Servers, or

2. Disable DNS Resolver, enable DNS Forwarder and set it to use your pihole by putting pihole IP address in System - General Setup - DNS Servers

I tried this and it still let me manually define an external DNS address and ads were not being blocked. :-(

bmeeks @Middge

@middge said in DNS Firewall Rules:

@kom said in DNS Firewall Rules:

Use that doc to force all local DNS to be captured by pfSense. Then either:

1. Configure DNS Resolver in forwarding mode and set it to use your pihole by putting pihole IP address in System - General Setup - DNS Servers, or

2. Disable DNS Resolver, enable DNS Forwarder and set it to use your pihole by putting pihole IP address in System - General Setup - DNS Servers

I tried this and it still let me manually define an external DNS address and ads were not being blocked. :-(

If you simply are trying to block ads, then why does manually being able to change the DNS setting matter? Simply don't change it. If you are trying to get users you have minimal control over to use a specific DNS provider, then you will want to create some rules on your LAN interface that block everything inbound on TCP and UDP port 53 unless it is directed at whatever internal DNS you want to use (as others have suggested above, this could be your pfSense box running Unbound in forwarder mode or your pihole server itself). So with this kind of setup, any user who manually changes their DNS server IP will get nothing but DNS lookup timeouts.

mrwaltman @Grimson

@grimson
Why? Seriously, why?

I am on the newest version, that is at the ex's place. Lol, she would not let me have my box because she thought it had private/sensitive info of hers on it! Like, umm, facebook posts or something hahaha.

But really, are you meaning because of the router vulnerabilities or the rulesets?

Grimson @mrwaltman

@mrwaltman said in DNS Firewall Rules:

Why? Seriously, why?

Either you are trolling, or all hope for you is lost if you have to ask this. 🤦

Middge @bmeeks

@bmeeks said in DNS Firewall Rules:

If you are trying to get users you have minimal control over to use a specific DNS provider, then you will want to create some rules on your LAN interface that block everything inbound on TCP and UDP port 53 unless it is directed at whatever internal DNS you want to use (as others have suggested above, this could be your pfSense box running Unbound in forwarder mode or your pihole server itself). So with this kind of setup, any user who manually changes their DNS server IP will get nothing but DNS lookup timeouts.

This is exactly what I was looking for. Thank you.

bmeeks @Middge

@middge said in DNS Firewall Rules:

@bmeeks said in DNS Firewall Rules:

If you are trying to get users you have minimal control over to use a specific DNS provider, then you will want to create some rules on your LAN interface that block everything inbound on TCP and UDP port 53 unless it is directed at whatever internal DNS you want to use (as others have suggested above, this could be your pfSense box running Unbound in forwarder mode or your pihole server itself). So with this kind of setup, any user who manually changes their DNS server IP will get nothing but DNS lookup timeouts.

This is exactly what I was looking for. Thank you.

You're welcome. Just note that this method is not foolproof. If someone has access to a DNS server that uses TLS, then you also would need to block port 853. There are other possibilities as well. For plain vanilla non-skilled users, the method I provided is effective. For someone with a bit of skill and the brains to search on Google, they can eventually find a way around. Then it becomes a whack-a-mole game.

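The LAN rule set bmeeks describes above, and the port 853 gap he notes, modelled as an added example that is not code from this thread or from pfSense: a first-match evaluator run over a few constructed client flows. The Pi-hole address, the 192.0.2.x/198.51.100.x addresses and the pass/block rule shapes are assumptions standing in for the GUI rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses from the documentation ranges, not from the thread.
PIHOLE = ip_address("192.0.2.53")

@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    protos: tuple  # ("tcp", "udp"); () means any protocol
    dst: object    # ip_network, or None for "any"
    dports: tuple  # destination ports; () means any port

def matches(rule, proto, dst, dport):
    if rule.protos and proto not in rule.protos:
        return False
    if rule.dst is not None and dst not in rule.dst:
        return False
    return not rule.dports or dport in rule.dports

def evaluate(rules, proto, dst, dport):
    """pfSense interface rules are first-match: the first matching rule decides."""
    for rule in rules:
        if matches(rule, proto, dst, dport):
            return rule.action
    return "block"  # nothing matched: implicit default deny

BOTH = ("tcp", "udp")
# LAN rule set as bmeeks describes it: pass DNS only to the Pi-hole, block other port 53.
AS_POSTED = [
    Rule("pass", BOTH, ip_network(f"{PIHOLE}/32"), (53,)),
    Rule("block", BOTH, None, (53,)),
    Rule("pass", (), None, ()),  # the usual "LAN net to any" allow rule
]
# Same rules with the port 853 (DNS over TLS) block added.
WITH_DOT_BLOCK = [AS_POSTED[0], Rule("block", BOTH, None, (53, 853)), AS_POSTED[2]]
# Same rules with the block placed before the pass: the Pi-hole is cut off too.
MISORDERED = [AS_POSTED[1], AS_POSTED[0], AS_POSTED[2]]

FLOWS = [  # constructed sample flows from a LAN client: (label, proto, dst, dport)
    ("plain DNS to Pi-hole", "udp", "192.0.2.53", 53),
    ("plain DNS to external resolver", "udp", "198.51.100.1", 53),
    ("DNS over TLS to external resolver", "tcp", "198.51.100.1", 853),
    ("ordinary HTTPS", "tcp", "198.51.100.2", 443),
]

def dns_bypass_report(rules, flows=FLOWS):
    """Map each flow label to the action the rule set takes on it."""
    return {label: evaluate(rules, p, ip_address(d), port) for label, p, d, port in flows}
```

Running the report against AS_POSTED shows the DNS over TLS flow slipping through on 853, while WITH_DOT_BLOCK closes it and MISORDERED shows why the pass rule must sit above the block.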
mrwaltman @Grimson

@grimson

Come on man. I'm not trolling. You said,
"If those are current screenshots you're in dire need to upgrade pfSense"
I said why, and was serious, and also asked is it because of router vulnerabilities or because of the ruleset, which is what you "quoted" by including it in your response.

I don't need to know the exact vulnerability. I'm sure there are some. But you weren't exactly clear on why I am in dire need of an upgrade.

If you want to see this as trolling, so be it. Regardless though, I won't upgrade that machine because I would be accused of something illegal I am sure if I did, sad as that is. Crazy ex anyway.

KOM

It's always best to keep it updated. If your ex is that crazy, why are you managing her firewall?

mrwaltman

Yeah, on a network device like pfSense I agree. I was asking because the images of the rules were quoted, and it wasn't clear if I had made a really bad error in the rules or if it was just the version being used.

As for the ex, nope, I don't manage it at all. I exported all settings but don't have a box currently at my own place, so I log in to reference it. Haha, she demanded my password for it, I said nope. Told her I would give her a different router for it, she said no. She has no idea at all about what it is haha, only that I want it, and therefore cannot have it.

Regarding updates though, I don't update anything unless there is cause to do so. From router to OS to BIOS, unless there is a definitive security issue, it stays the same. Been bitten WAY too many times by auto updating. Had a MikroTik RouterBOARD that did not get an update, ended up being rooted by someone in China. Reboot cleared it out, but was a good lesson in not being complacent in staying up to date on what is needed.

KOM

Your posted screens looked like the old red theme from the 2.1.x days. And yes, there are definitive security issues with older versions. Remember that everything is based on FreeBSD, so when that gets patches then pfSense needs them too.

What version are you running?

Good luck with your ex.

mrwaltman

That box is
2.1-RELEASE (i386)
FreeBSD 8.3-RELEASE-p11

I'm helping a gal who owns a business who is on a new Netgate 5100 which is the current build. If I ever get around to wiring my new place with CAT6 I will build up another box myself with the latest, probably one of those little Atom based units.

Thanks. I liked my old box, had good hardware and was really quiet. Has a ton of squid stuff in it, kept my kids safe for many years. Smartphones changed everything, but life moves forward :)

KOM

Wow. Version 2.1 was released mid-2013.

https://docs.netgate.com/pfsense/en/latest/releases/versions-of-pfsense-and-freebsd.html

mrwaltman

Yeah, if memory serves there was an issue with maybe 2.3 and I had to reinstall everything from scratch. I can't remember what it was, it was a long time ago now. It might have had something to do with schedules or SARG. I just can't remember, but I know when I upgraded I had to reinstall all over, and thankfully I had backed it all up.

2015 was the last time I was there to keep it up I think. I check the box once in a while, it doesn't spam traffic so maybe it's not been compromised. I originally put it in for both the kids' customized rules and to maximize my CoD/BF playing. Boy, did it ever smash the D-Link Gamer Lounge I had back then... ah, the good ol' days.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.