DNS Resolver Listening on WAN Despite Configuration
-
Hello pfSense community; I'm looking for some help configuring the DNS Resolver (Unbound).
I've just installed my first pfSense device (2.3.1-RELEASE-p5) and I've noticed that the DNS Resolver daemon is listening on the WAN interface (tested with nmap and nslookup from a remote host). I went to Services > DNS Resolver > Network Interfaces and removed WAN (replacing it with LAN and localhost) but Unbound is still listening on the WAN interface.
I've tried both restarting the service and rebooting the device but the behavior persists. Am I missing another setting that would fix this? Is this the intended behavior?
I could implement a firewall rule to block access to port 53 but that seems like a band-aid as opposed to disabling listening on the port in the first place.
Any help would be greatly appreciated.
-
It won't answer from WAN by default because the rules don't permit it. You're checking from LAN, or have opened up your WAN rules much more than you should.
Check 'sockstat -4' for what it's binding to, and the conf files in /var/unbound/. Guessing your outbound interfaces include WAN, which makes it bind there.
-
Hello cmb, thanks for the reply.
I believe I've narrowed down the cause of the issue to the hotel internet I'm currently using (I'm testing remotely, not from my LAN). I'm pretty sure they're intercepting all DNS queries, which is why my domain is falsely showing as listening on port 53 on an NMAP scan and host/nslookup query. The same phenomenon shows up for other domains that don't serve DNS, e.g., # host google.com cnn.com.
Thanks for the sockstat command recommendation, I wasn't familiar with that one (no BSD experience).
I tried a few permutations with the settings and ended up selecting both LAN and Localhost for Network Interfaces. Sockstat now shows what I would expect: unbound is listening on my LAN IP and 127.0.0.1.
However, NMAP is still showing my WAN interface as listening on port 53 when I test it from the hotel. I'll have to find an unmolested connection to test with and report back, but I'm almost positive that's the cause of the issue.
Thanks for your help.
-
I just checked using my phone's Wi-Fi hotspot; it was definitely the hotel internet interfering. ::)
For reference for anyone else coming across this thread, the default configuration (listening on all interfaces) does not expose the Unbound daemon at all on the WAN interface.
Thanks again.
-
While I agree unbound would not be exposed in a default pfSense out-of-the-box setup, I personally am not a fan of listening on interfaces with services that would not be used on that interface. I would suggest you adjust your unbound setup to only listen on the interfaces you want it to and to only use the interfaces it needs for queries. Normally that would just be your WAN, but it might need to go out your LAN interface as well if you're doing any sort of domain forwarding to downstream DNS, etc.
-
That's definitely solid advice johnpoz and should be a standard practice. I was just curious to see whether or not it was accessible by default. Thanks again.
-
The ACLs in unbound provide further protection here. For unbound to answer a query from a random Internet host, it would have to not only be allowed by firewall rules, but you also would have had to add an ACL for 0.0.0.0/0 to Unbound. dnsmasq wasn't quite so strict.
-
That's a good point also; defense in depth! The behavior I was seeing was definitely a problem with the ISP I was using at the time.
Really enjoying pfSense so far. Thanks for the support.
-
Not trying to steal the thread, but reading johnpoz's reply I am a bit confused, unless "only listen on the interface you want it to" means LAN interfaces and "it needs for queries" means outgoing interfaces??
Using only DNS resolver NOT in forwarding mode, wouldn't the network interfaces to listen to be limited only to LAN (and other OPT interfaces if applicable) and localhost? WAN should NOT be selected?
For the Outgoing network interfaces, a typical home setup would be WAN only?
In that case, what are the DNS servers specified in "System > General Setup > DNS Server Settings" doing? Are they used at all?
Just trying to understand how this works.. :P
-
Yes, in your typical setup listen would only be LAN or any other local interfaces (OPT), say your wifi segment or others. For outgoing queries, yes, this would typically only be WAN.
When using the resolver there would be no ISP or public DNS listed, and you don't need to put anything in there. The resolver walks down from the roots. The only thing you would see in your status page would be loopback (127.0.0.1). You will notice I have a LAN and WLAN selected, plus a few other local segments you cannot see without scrolling in the UI. And only have WAN selected for outgoing.
Keep in mind if you're doing, say, domain overrides where you're pointing to a local DNS to resolve some delegated domain, you would have to select the interface used to get to that other NS for your domain override to work, etc. But in your typical setup it would just be LAN for listen and WAN for outgoing - the text below where you select is pretty clear on what the controls do.
-
Thanks johnpoz for the very clear response and for confirming what I wanted to do..