Thousands of outgoing DNS(?) blocked per hour

py

@RonpfS I made sure everything is pointed to my router for DNS, and it in turn obtains DNS from the pfsense box. One of the reasons for going to pfsense was to prevent anything from going to google. Anyway, it hasn't done this since I installed pfsense.

bmeeks

Identify the IP address making the requests to 8.8.8.8 over ports 53 and 853. Should be able to do that by looking at your firewall log (not the pfBlocker log). Filter on destination IP and/or port to make it easier to see the host that is attempting the lookups.

If you have a double-NAT situation with that router you are talking about, then things will get tougher when identifying the local host making the outbound requests.

You really should consider taking that router out of the path and letting pfSense do everything. If you need the router for wireless, then see about converting it to simple AP mode. Most can be reconfigured to do this. Let pfSense do DHCP, routing and NAT.

py

@bmeeks Thanks for the reply.

I've configured the router to log everything that's allowed out. I haven't applied filters, but searching the log for 8.8.8.8 or "google" finds nothing, (seemed faster that way).

Edit: It was by looking at the pfsense firewall that I can see it's coming from my router. No other device seems to be associated with this.

Update: the repeated blocks to 8.8.8.8 seems to have stopped now. The only potential correlation I see is it seems to have stopped about the time I updated Firefox.

Update 2: Spoke too soon: pfBlockerNG still blocking attempts by the router to 8.8.8.8. I note these are coming from random ports on the router.

Otherwise everything appears to be working normally.

Very strange.

py

@bmeeks said in Thousands of outgoing DNS(?) blocked per hour:

You really should consider taking that router out of the path and letting pfSense do everything. If you need the router for wireless, then see about converting it to simple AP mode. Most can be reconfigured to do this. Let pfSense do DHCP, routing and NAT.

I might have to do that, and I know my router can be configured for AP mode. Something new to learn....

Thanks.

johnpoz

@py said in Thousands of outgoing DNS(?) blocked per hour:

and I know my router can be configured for AP mode

Every single wifi router in the world can be used as just an AP.. Disable its dhcp server and connect it to your network via one of its lan ports = AP!

bmeeks

@py said in Thousands of outgoing DNS(?) blocked per hour:

@bmeeks said in Thousands of outgoing DNS(?) blocked per hour:

You really should consider taking that router out of the path and letting pfSense do everything. If you need the router for wireless, then see about converting it to simple AP mode. Most can be reconfigured to do this. Let pfSense do DHCP, routing and NAT.

I might have to do that, and I know my router can be configured for AP mode. Something new to learn....

Thanks.

It all seems to be coming from your router because it is performing another NAT behind pfSense. It is translating all the IP addresses behind it to the router's IP address on its WAN side where pfSense is connected. This is why you really don't want (or need) double-NAT.

realityman_

I'm having the same issue. The source address of the request is a device on my LAN. The destination is google dns. This is from a Samsung device that has google DNS hard coded in it. I have no double NAT on my network. I tried to pull the URL it uses for it's list, and it redirects to some blog page. I'm thinking I'm going to turn the ISC 30 off for now until I'm able to poll the URL and get a proper list back.

Jan 10 20:32:55 [104] 	VLAN50 	pfB_PRI1_v4 1770010781) 	UDP  10.37.50.44:37132 Unknown 8.8.8.8:53 dns.google 	US	ISC_1000_30_v4 8.8.8.8

NollipfSense

@realityman_ You should really start your own thread; however, open all your devices and see which one has a DNS other than pfSense 192.168.1.1...simple!

py

@py I don't have time to re-configure my network right now to switch the router to AP mode, (too many VLANs), but I was able to isolate the problem to the router itself, (disconnected everything and turned off the radios and got same behavior). I also reset the router to default settings, cleared the NVRAM and powered it off for 30 minutes while I rerouted cables in preparation for re-configuring it to AP mode, (again same behavior when it was powered back on).

I would like to know why this particular feed, (ISC_1000_30_v4), is listing this behavior as malicious. Hopefully that may give me more information as to what it is I'm up against, and perhaps a way to fix it. I haven't found a place on the ISC website that specifies such things.

Again, if it's of any use, this started in the wee hours of Friday morning.

Any help appreciated.

RonpfS

If you want to let the traffic go thru, you can suppress it.

If you have to restrict DNS traffic out, there is a way to redirect all DNS traffic to pfsense using FW Rules.
https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

py

@RonpfS said in Thousands of outgoing DNS(?) blocked per hour:

If you want to let the traffic go thru, you can suppress it.

If you have to restrict DNS traffic out, there is a way to redirect all DNS traffic to pfsense using FW Rules.
https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

Thanks, but I'm pretty sure this is not legitimate DNS traffic or the ISC_1000_30_v4 feed of pfBlockerNG would not be blocking it.

Would it?

The last thing I want is DNS queries going to google so I have incorporated the config at that link and I'll see what happens.

RonpfS

@py said in Thousands of outgoing DNS(?) blocked per hour:

the ISC_1000_30_v4 feed of pfBlockerNG would not be blocking it.

Well my ISC_1000_30_v4 table only has on ip : 45.76.66.122

From my log file :

[ PRI1_ISC1000_30_v4 ] [ 01/11/20 20:15:07 ]
				( md5 feed )		 cURL Error: 28
Operation timed out after 15007 milliseconds with 0 out of 0 bytes received Retry in 5 seconds...
. cURL Error: 28
Connection timed out after 15005 milliseconds Retry in 5 seconds...
. cURL Error: 28
Connection timed out after 15023 milliseconds Retry in 5 seconds...
.. unknown http status code | 0
	Failed to download Feed for md5 comparison!	Update skipped

...


[ PRI1_ISC1000_30_v4 ]		 Downloading update .. 200 OK. completed ..
[ pfB_PRI1_v4 PRI1_ISC1000_30_v4 ] No IPs found! Ensure only IP based Feeds are used! ]

Trying to open the URL in a browser fails. Maybe the web site changed the location of the date, or maybe the data is no longer provided.
Just disable the URL for now.

py

@RonpfS Realized pfBlocker IS NOT snort or suricata, which is what made me think it was not DNS lookups. Implemented the suggested DNS redirect from those links and the constant DNS hits to pfsense stopped, thanks.

I don't know why 8.8.8.8 would be listed in a pfBlockerNG feed, but I'm grateful it was because it made me aware of some mis-configurations in my network.

netgateMatthew

I'm new to using pfBlocker (about 3 weeks now) and poking around today I noticed something in my pfBlocker setup that might explain what you are seeing. In the pfBlocker Reports->Alerts->Alert Settings (which is normally a collapsed menu when you open the tab), there is a selection for a DNS IP address to use for resolving whitelist CNAMEs. In my configuration this was set to 8.8.8.8, which is not the same DNS address my DHCP server hands out.

This setting seems to be specific to pfBlocker, defaults to 8.8.8.8, and is normally on a collapsed menu that you might not normally think to mess with. I changed my selection today and I'll watch access to 8.8.8.8 for a while.

Matthew

RonpfS

This DNS server will only be used when you use the Alerts Tab "+" icon to whitelist a Domain.