Netgate Discussion Forum
    Blocking external DNS - rules don't seem to be working

    DHCP and DNS
    6 Posts 2 Posters 496 Views
    • leprejohn

      Hello everyone, how are you doing? I was looking into setting up my network to block external DNS queries; however, I seem to be having some issues with it not working (it seems to block all DNS queries).

      Here are my rules:
      [screenshot of firewall rules; image not preserved]

      So the way my network is set up, I have a Windows AD server with a DNS forwarder to my Pi-hole VM.

      My Pi-hole VM is set up as a recursive DNS server.

      • KOM

        Is your Winbox accepting DNS queries from outside its local subnet? It's simple enough to do a packet capture (Diagnostics - Packet Capture) on SKYNET for tcp/53, then do a lookup from SKYWIFI and see if SKYNET sees the packets.

        • leprejohn

          From the IoT network to the SKYNET address on port 53:
          
          21:19:04.117263 IP 10.10.12.3.50187 > 10.10.11.55.53: UDP, length 48
          21:19:04.117733 IP 10.10.11.55.53 > 10.10.12.3.50187: UDP, length 64
          21:19:07.247986 IP 10.10.12.3.47418 > 10.10.11.55.53: UDP, length 48
          21:19:07.248589 IP 10.10.11.55.53 > 10.10.12.3.47418: UDP, length 64
          21:19:07.546812 IP 10.10.12.3.51672 > 10.10.11.55.53: UDP, length 37
          21:19:07.547420 IP 10.10.11.55.53 > 10.10.12.3.51672: UDP, length 298
          21:19:12.239286 IP 10.10.12.3.43574 > 10.10.11.55.53: UDP, length 37
          21:19:12.239893 IP 10.10.11.55.53 > 10.10.12.3.43574: UDP, length 53
          21:19:21.558384 IP 10.10.12.2.51572 > 10.10.11.55.53: UDP, length 40
          21:19:21.559252 IP 10.10.11.55.64882 > 205.251.197.209.53: UDP, length 57
          21:19:21.576366 IP 205.251.197.209.53 > 10.10.11.55.64882: UDP, length 135
          21:19:21.576742 IP 10.10.11.55.33810 > 205.251.194.237.53: UDP, length 68
          21:19:21.603473 IP 205.251.194.237.53 > 10.10.11.55.33810: UDP, length 333
          21:19:21.604101 IP 10.10.11.55.53 > 10.10.12.2.51572: UDP, length 376
          21:19:23.369496 IP 10.10.12.3.63403 > 10.10.11.55.53: UDP, length 48
          21:19:23.370103 IP 10.10.11.55.53 > 10.10.12.3.63403: UDP, length 64
          21:19:26.649016 IP 10.10.12.3.55990 > 10.10.11.55.53: UDP, length 48
          21:19:26.649751 IP 10.10.11.55.53 > 10.10.12.3.55990: UDP, length 64
          
          On SKYWIFI:
          
          21:22:08.965527 IP 10.10.12.15.55779 > 10.10.11.55.53: UDP, length 66
          21:22:08.965545 IP 10.10.12.15.57186 > 10.10.11.55.53: UDP, length 51
          21:22:08.966651 IP 10.10.12.15.59582 > 10.10.11.55.53: UDP, length 66
          21:22:08.966658 IP 10.10.12.15.44715 > 10.10.11.55.53: UDP, length 54
          21:22:11.122186 IP 10.10.12.3.15291 > 10.10.11.55.53: UDP, length 43
          21:22:11.910502 IP 10.10.12.15.58134 > 10.10.11.55.53: UDP, length 56
          21:22:11.926855 IP 10.10.12.15.35536 > 10.10.11.201.53: tcp 0
          21:22:12.508403 IP 10.10.12.3.16112 > 10.10.11.55.53: UDP, length 67
          21:22:14.128611 IP 10.10.12.15.57186 > 10.10.11.55.53: UDP, length 51
          21:22:14.128627 IP 10.10.12.15.59582 > 10.10.11.55.53: UDP, length 66
          21:22:14.241298 IP 10.10.12.3.15699 > 10.10.11.55.53: UDP, length 34
          21:22:14.847205 IP 10.10.12.15.35578 > 10.10.11.201.53: tcp 0
          21:22:15.865504 IP 10.10.12.15.35578 > 10.10.11.201.53: tcp 0
          21:22:16.110243 IP 10.10.12.3.15291 > 10.10.11.55.53: UDP, length 43
          21:22:16.918536 IP 10.10.12.15.58134 > 10.10.11.55.53: UDP, length 56
          21:22:17.477481 IP 10.10.12.2.46050 > 10.10.11.201.53: UDP, length 45
          21:22:17.512322 IP 10.10.12.3.16112 > 10.10.11.55.53: UDP, length 67
          21:22:17.879493 IP 10.10.12.15.35578 > 10.10.11.201.53: tcp 0
          21:22:18.694281 IP 10.10.12.3.32283 > 10.10.11.55.53: UDP, length 48
          21:22:19.252469 IP 10.10.12.3.15699 > 10.10.11.55.53: UDP, length 34
          21:22:19.376396 IP 10.10.12.15.59582 > 10.10.11.55.53: UDP, length 66
          21:22:20.115979 IP 10.10.12.15.54276 > 10.10.11.55.53: tcp 0
          21:22:21.141521 IP 10.10.12.3.33007 > 10.10.11.55.53: UDP, length 62
          21:22:21.147393 IP 10.10.12.15.54276 > 10.10.11.55.53: tcp 0
          21:22:21.913838 IP 10.10.12.15.35578 > 10.10.11.201.53: tcp 0
          21:22:22.476271 IP 10.10.12.2.45740 > 10.10.11.55.53: UDP, length 45
          21:22:23.163257 IP 10.10.12.15.54276 > 10.10.11.55.53: tcp 0
          21:22:23.680962 IP 10.10.12.3.32283 > 10.10.11.55.53: UDP, length 48
          21:22:24.239027 IP 10.10.12.3.4357 > 10.10.11.55.53: UDP, length 53
          21:22:24.626553 IP 10.10.12.15.59582 > 10.10.11.55.53: UDP, length 66
          21:22:24.860421 IP 10.10.12.15.41434 > 10.10.11.201.53: UDP, length 56
          21:22:24.860429 IP 10.10.12.15.56506 > 10.10.11.201.53: UDP, length 66
          21:22:24.860435 IP 10.10.12.15.58691 > 10.10.11.201.53: UDP, length 34
          21:22:24.860440 IP 10.10.12.15.58202 > 10.10.11.201.53: UDP, length 47
          21:22:24.861670 IP 10.10.12.15.51105 > 10.10.11.201.53: UDP, length 37
          21:22:24.861794 IP 10.10.12.15.37181 > 10.10.11.201.53: UDP, length 40
          21:22:24.861800 IP 10.10.12.15.45954 > 10.10.11.201.53: UDP, length 59
          21:22:26.144446 IP 10.10.12.3.33007 > 10.10.11.55.53: UDP, length 62
          21:22:26.657780 IP 10.10.12.2.33285 > 10.10.11.201.53: UDP, length 40
          21:22:26.658154 IP 10.10.12.2.50111 > 8.8.8.8.53: UDP, length 40
          21:22:26.678514 IP 8.8.8.8.53 > 10.10.12.2.50111: UDP, length 239
          21:22:27.291674 IP 10.10.12.15.54276 > 10.10.11.55.53: tcp 0
          21:22:27.408856 IP 10.10.12.2.51572 > 10.10.11.55.53: UDP, length 40
          21:22:27.428222 IP 10.10.11.55.53 > 10.10.12.2.51572: UDP, length 376
          21:22:27.481567 IP 10.10.12.2.46050 > 10.10.11.201.53: UDP, length 45
          21:22:27.916571 IP 10.10.12.15.33363 > 10.10.11.201.53: UDP, length 51
          21:22:28.706877 IP 10.10.12.3.30796 > 10.10.11.55.53: UDP, length 48
          21:22:28.706889 IP 10.10.12.3.17588 > 10.10.11.55.53: UDP, length 67
          21:22:28.723742 IP 10.10.12.3.1144 > 10.10.11.55.53: UDP, length 52
          21:22:29.263312 IP 10.10.12.3.4357 > 10.10.11.55.53: UDP, length 53
          21:22:29.816621 IP 10.10.12.15.52743 > 10.10.11.201.53: UDP, length 47
          21:22:29.816634 IP 10.10.12.15.59582 > 10.10.11.55.53: UDP, length 66
          21:22:29.859351 IP 10.10.12.15.41434 > 10.10.11.201.53: UDP, length 56
          21:22:29.860720 IP 10.10.12.15.58691 > 10.10.11.201.53: UDP, length 34
          21:22:29.863718 IP 10.10.12.15.58202 > 10.10.11.201.53: UDP, length 47
          21:22:29.863724 IP 10.10.12.15.51105 > 10.10.11.201.53: UDP, length 37
          21:22:29.913316 IP 10.10.12.15.35644 > 10.10.11.201.53: tcp 0
          21:22:30.337827 IP 10.10.12.15.33579 > 8.8.8.8.53: UDP, length 28
          21:22:30.937862 IP 10.10.12.15.35644 > 10.10.11.201.53: tcp 0
          21:22:31.351258 IP 10.10.12.15.41408 > 8.8.4.4.53: UDP, length 28
          21:22:32.485490 IP 10.10.12.2.45740 > 10.10.11.55.53: UDP, length 45
          21:22:32.923738 IP 10.10.12.15.54334 > 10.10.11.55.53: tcp 0
          21:22:32.952348 IP 10.10.12.15.35644 > 10.10.11.201.53: tcp 0
          21:22:33.714800 IP 10.10.12.3.17588 > 10.10.11.55.53: UDP, length 67
          21:22:33.714821 IP 10.10.12.3.30796 > 10.10.11.55.53: UDP, length 48
          21:22:33.726419 IP 10.10.12.3.1144 > 10.10.11.55.53: UDP, length 52
          21:22:33.944169 IP 10.10.12.15.54334 > 10.10.11.55.53: tcp 0
          21:22:34.864397 IP 10.10.12.15.58691 > 10.10.11.201.53: UDP, length 34
          21:22:34.864424 IP 10.10.12.15.41434 > 10.10.11.201.53: UDP, length 56
          21:22:34.864431 IP 10.10.12.15.59582 > 10.10.11.55.53: UDP, length 66
          21:22:34.864437 IP 10.10.12.15.58202 > 10.10.11.201.53: UDP, length 47
          21:22:35.962031 IP 10.10.12.15.54334 > 10.10.11.55.53: tcp 0
          21:22:37.015808 IP 10.10.12.15.35644 > 10.10.11.201.53: tcp 0
          21:22:37.490412 IP 10.10.12.2.47370 > 10.10.11.201.53: UDP, length 64
          
          • KOM

            So the DNS request from 10.10.12.15 is reaching 10.10.11.55 and 10.10.11.201, but getting no reply. I think you've got either a Windows firewall issue blocking everything from outside its local subnet, or your DNS server isn't responding to requests from outside its local subnet.

            • leprejohn @KOM

              @KOM said in Blocking external DNS - rules don't seem to be working:

              So the DNS request from 10.10.12.15 is reaching 10.10.11.55 and 10.10.11.201, but getting no reply. I think you've got either a Windows firewall issue blocking everything from outside its local subnet, or your DNS server isn't responding to requests from outside its local subnet.

              Strange why 201 is in there; this is my old Windows AD/DNS VM that I killed when upgrading my Hyper-V host. I just checked my pfSense general setup and it seems I forgot to delete that one.

              I'll retest again once I get back into my place :)

              Edit: so I manually changed the DNS to my Pi-hole VM; however, I'm still having the same DNS issues, so I'm not sure how to troubleshoot what is blocking it. On a different subnet/VLAN the Pi-hole will send back DNS queries.

              • KOM

                Localize the problem. If via packet capture you can see that the DNS request leaves one network for another and there is no reply traffic, then the problem is with the server itself somehow. Do captures on both SKYNET and SKYWIFI while testing to confirm that SKYNET sees the DNS request packets coming from the requester destined for the DNS server, and SKYWIFI sees the packets going to the DNS server and the reply traffic.

                Are you running any packages that might interfere with local traffic, like Snort, Suricata or pfBlockerNG?

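KOM's diagnosis above (queries reaching 10.10.11.55 and 10.10.11.201 but getting no reply) and the later "localize the problem" advice (capture on both SKYNET and SKYWIFI, then compare what each side sees) both come down to pairing DNS queries with their replies in the capture text. The script below is an added example, not code from the thread or from pfSense: it parses tcpdump-style lines in the format shown in the captures above, pairs each query to port 53 with a reply on the same client port, and reports (a) resolvers that received queries but never answered and (b) resolvers that are not on an approved list, which is how an escaped query to 8.8.8.8 shows up. The sample capture is a handful of lines copied from the thread; the approved-resolver set (`10.10.11.55`, the Pi-hole) is an assumption for the demonstration.

```python
import re
from collections import defaultdict

# A few lines copied from the SKYWIFI capture in this thread, used as sample input.
SAMPLE_CAPTURE = """\
21:22:26.657780 IP 10.10.12.2.33285 > 10.10.11.201.53: UDP, length 40
21:22:26.658154 IP 10.10.12.2.50111 > 8.8.8.8.53: UDP, length 40
21:22:26.678514 IP 8.8.8.8.53 > 10.10.12.2.50111: UDP, length 239
21:22:27.408856 IP 10.10.12.2.51572 > 10.10.11.55.53: UDP, length 40
21:22:27.428222 IP 10.10.11.55.53 > 10.10.12.2.51572: UDP, length 376
21:22:29.913316 IP 10.10.12.15.35644 > 10.10.11.201.53: tcp 0
"""

# Matches "HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: UDP|tcp ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>UDP|tcp|TCP)"
)


def parse_line(line):
    """Return (ts, src, sport, dst, dport, proto) for a capture line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            m["proto"].upper())


def analyze_capture(text, approved_resolvers):
    """Pair DNS queries with replies and summarise per resolver.

    A query is any packet to port 53; its reply is the packet coming back from
    port 53 to the same client IP/port. Flows are keyed on (client, client port,
    server, protocol) so a reply is only credited to the query it answers.
    """
    pending = {}          # flow key -> timestamp of first query
    answered = set()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue                      # skip blank or non-matching lines
        ts, src, sport, dst, dport, proto = pkt
        if dport == 53:
            pending.setdefault((src, sport, dst, proto), ts)
        elif sport == 53:
            key = (dst, dport, src, proto)
            if key in pending:
                answered.add(key)

    per_server = defaultdict(lambda: {"queries": 0, "replies": 0})
    for key in pending:
        server = key[2]
        per_server[server]["queries"] += 1
        if key in answered:
            per_server[server]["replies"] += 1

    # Resolvers that saw queries but sent nothing back: the "reaching it, no
    # reply" symptom, pointing at a host firewall or listener scope problem.
    silent = sorted(s for s, c in per_server.items() if c["replies"] == 0)
    # Resolvers outside the approved set: anything here got past the rules.
    unexpected = sorted(s for s in per_server if s not in approved_resolvers)
    return {
        "per_server": dict(per_server),
        "silent_servers": silent,
        "unexpected_resolvers": unexpected,
    }


if __name__ == "__main__":
    # Assumption for the demo: the Pi-hole is the only resolver clients may use.
    result = analyze_capture(SAMPLE_CAPTURE, {"10.10.11.55"})
    for server, counts in sorted(result["per_server"].items()):
        print(f"{server:15} queries={counts['queries']} replies={counts['replies']}")
    print("silent (no replies):   ", result["silent_servers"])
    print("not on approved list:  ", result["unexpected_resolvers"])
```

Run it against a pasted Diagnostics - Packet Capture output for each interface; if the SKYNET capture shows a resolver as silent while a capture taken on the resolver's own subnet shows it answering, the firewall rules on pfSense are not the thing dropping the replies, which is exactly the localisation KOM describes.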
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.