DNS Blocking stops internet
-
Hello,
I am trying to setup some malware site blocking using pfBlockerNG. I followed "Lawrence Systems" instructions but have a problem. Whenever I activate the "Block All other DNS" rule, none of my devices can resolve a DNS Server and thus do not have access to the internet. See picture.
Can you guys help me on that?
Thanks! -
Hi,
DNS is not only UDP; it can also use TCP.
Several threads are ongoing about this subject, for example https://forum.netgate.com/topic/139771/setup-dns-over-tls-on-pfsense-2-4-4-p2-guide/67?_=1603282378283
The last two links tell you what should/could be done.
-
What is the point of lan net vs lan address in your allow dns rule? While sure, pfsense lan address falls under lan net. Rules should really be specific.
If your client is not asking pfsense for dns, then yes that bottom rule would stop it from talking to some other dns server.
-
Why not just use a NAT rule to redirect any traffic going to port 53 to 127.0.0.1:53?
-
Hello,
I tried to figure it out but it does not work at all. Basically I am trying to follow the tutorials below. They all indicate that the DNS resolving is to be managed by pfBlockerNG. But whatever I try, my device cannot access the internet as soon as I turn on the rule "Block All other DNS". Could someone help me figure it out?
Thanks!
https://www.youtube.com/watch?v=Dqe7W_mtrH0
https://www.youtube.com/watch?v=QwFpMwXEK5w
-
How do you have your clients configured for DNS? Are they all set for DHCP? Is the DHCP server they are accessing configured to send back the pfSense firewall's LAN IP address as the DNS Server IP? If any of the clients have static IP addressing, what DNS IP are they configured for?
A quick packet capture on your LAN interface looking for inbound port 53 traffic from LAN hosts would help you see if your clients are actually asking pfSense for DNS info. Perhaps they are attempting to bypass pfSense and go to 1.1.1.1, 8.8.8.8 or something similar?
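One way to turn that packet capture into a quick bypass check, as an added example that is not part of the thread: feed the output of `tcpdump -ni <lan_if> port 53` to a small awk filter and list every LAN client that sent a query to a resolver other than the pfSense LAN address. The capture lines below are constructed, and the LAN address 192.168.0.1 is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): report LAN hosts whose DNS queries
# go somewhere other than the pfSense resolver.
# Assumption: pfSense LAN interface address is 192.168.0.1.
PFSENSE_LAN="192.168.0.1"

# Constructed sample of what `tcpdump -ni <lan_if> port 53` prints.
# Host .20 asks pfSense; host .31 goes straight to public resolvers.
SAMPLE_CAPTURE='12:00:01.100 IP 192.168.0.20.51234 > 192.168.0.1.53: 1234+ A? example.com. (29)
12:00:01.200 IP 192.168.0.1.53 > 192.168.0.20.51234: 1234 1/0/0 A 93.184.216.34 (45)
12:00:02.300 IP 192.168.0.31.40001 > 1.1.1.1.53: 2345+ A? example.net. (29)
12:00:02.400 IP 192.168.0.31.40002 > 8.8.8.8.53: 2346+ AAAA? example.org. (30)
12:00:03.500 IP 192.168.0.20.51235 > 192.168.0.1.53: 1235+ A? example.org. (29)
12:00:04.600 IP 192.168.0.31.40003 > 1.1.1.1.53: 2347+ A? example.com. (29)'

# dns_bypass_report CAPTURE_TEXT ALLOWED_RESOLVER
# Prints one line per "client resolver count" for queries (destination
# port 53) that were not sent to ALLOWED_RESOLVER. Replies, which come
# FROM port 53, are skipped because their destination port is not 53.
dns_bypass_report() {
    printf '%s\n' "$1" | awk -v ok="$2" '
        $2 == "IP" && $5 ~ /\.53:$/ {
            src = $3; sub(/\.[0-9]+$/, "", src)   # drop the source port
            dst = $5; sub(/\.53:$/, "", dst)      # drop the ":53" suffix
            if (dst != ok) count[src " " dst]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Stand-alone usage: any output means a client is bypassing pfSense.
dns_bypass_report "$SAMPLE_CAPTURE" "$PFSENSE_LAN"
```

An empty report means every client is asking pfSense; a non-empty one names the hosts to check (static DNS settings, or a DHCP server handing out a public resolver).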
-
@NeoDude said in DNS Blocking stops internet:
Why not just use a NAT rule to redirect any traffic going to port 53 to 127.0.0.1:53?
That's what I do.
-
Hey thanks for your help!
As you can see below, my clients are configured DHCP for both the IP and DNS.
You might be onto something though. I configured pfSense to use 1.1.1.1 and 1.0.0.1. Could that be the cause of the issue? Does pfBlocker use its own DNS Server and I need to delete my DNS Settings? I tried and I need to have at least one DNS Server in the General Setup Tab. I am sorry I do not understand the redirecting rule to 127.0.0.1. Is it the virtual IP that pfBlocker redirects the traffic to?
Thanks again!
-
@sTaLa said in DNS Blocking stops internet:
Hey thanks for your help!
As you can see below, my clients are configured DHCP for both the IP and DNS.
You might be onto something though. I configured pfSense to use 1.1.1.1 and 1.0.0.1. Could that be the cause of the issue? Does pfBlocker use its own DNS Server and I need to delete my DNS Settings? I tried and I need to have at least one DNS Server in the General Setup Tab. I am sorry I do not understand the redirecting rule to 127.0.0.1. Is it the virtual IP that pfBlocker redirects the traffic to?
Thanks again!
The correct configuration for the DNS Server setting in your case would be to put 127.0.0.1 in the DNS Server IP box to point pfSense to itself and thus the unbound resolver. Next, be sure you have the DNS Resolver in pfSense set to resolver mode. That is the default unless you have changed it.
Lastly, since you put the 1.1.1.1 DNS IP in the pfSense setting, that likely means that DNS IP was pulled into the DHCP Server configuration and thus your clients are being told via DHCP to use 1.1.1.1 for DNS lookups instead of the pfSense firewall. Go to the DHCP Server settings tab and make sure the LAN IP address of the pfSense firewall is being handed out as the DNS Server IP for DHCP clients.
-
You were right about my DHCP Server overwriting the DNS Server. It was set to 1.1.1.1, so my client was still using the wrong DNS server.
I input the correct information and confirmed that my Windows client was using 127.0.0.1 by using "ipconfig /all" in cmd.exe.
Now though Windows is telling me the DNS Server does not have access to the internet. So it seems I did something wrong again...
Below is a screenshot of my general setup screen as well as the DNS Resolver screen.
Thanks again!
-
@sTaLa said in DNS Blocking stops internet:
You were right about my DHCP Server overwriting the DNS Server. It was set to 1.1.1.1, so my client was still using the wrong DNS server.
I input the correct information and confirmed that my Windows client was using 127.0.0.1 by using "ipconfig /all" in cmd.exe.
Now though Windows is telling me the DNS Server does not have access to the internet. So it seems I did something wrong again...
Below is a screenshot of my general setup screen as well as the DNS Resolver screen.
Thanks again!
127.0.0.1 is the universal localhost IP. That means the specific local machine, not another host on the network. You should do a Google search on the "127.0.0.1" term to see what it really is and how it is used.
I don't mean to offend, but it sounds like you are very inexperienced with networking and firewall administration.
In the DHCP Server settings in pfSense you need to put the IP address of the LAN interface of pfSense into the DNS Server IP box. That way your local clients then get a network routable IP for DNS. So for example, if your pfSense LAN interface IP is 192.168.0.1, then you will put 192.168.0.1 in the DNS server IP box on the DHCP Server configuration page. You configure this on the SERVICES > DHCP SERVER menu option down in the Servers section.
-
@bmeeks
No offence taken. I am inexperienced, but I am getting the hang of it more and more. I was recently able to setup my VLANs, site-to-site VPNs, limiting schedule for the kids and many other things at home and at work. At work I am using Meraki and HP and can get going without too much trouble. One of my issues with pfSense is that I do not find the GUI intuitive. That, summed up with my inexperience, does not always make things easy for me. But I usually need to get told something only once. I am getting more and more proficient with networking, but firewall administration is another story.
I think I have it set correctly now. The DNS server of my clients is now the Gateway of the LAN. Adblocking does not seem to be applied by pfBlocker, but porn sites are blocked so I am getting there.
Thanks again