FW log flooded with DNS requests



  • Hi,

    I have a strange issue with my pfsense. The FW log is flooded periodically with DNS requests, but I cannot find the source.
    They are not initiated by my local network, as far as I see, and a packet capture does not show it either.
    Anyone know where this is coming from?

    My DNS is set up to use 3 static DNS servers only.

    Sep 5 09:45:07  WAN  <wan-ip>:46694  122.225.217.193:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:30081  220.249.242.11:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:29453  182.140.167.167:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:16871  183.60.57.177:53    UDP
    Sep 5 09:45:07  WAN  <wan-ip>:19369  182.140.167.167:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:9243   125.39.213.168:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:5563   122.225.217.193:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:31755  220.249.242.11:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:39992  125.39.213.168:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:39103  122.225.217.193:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:59141  122.225.217.193:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:38383  125.39.213.168:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:31187  115.236.151.178:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:60919  111.30.132.180:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:62901  182.140.167.167:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:45789  115.236.151.178:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:33931  180.153.162.151:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:11065  180.153.162.151:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:32045  180.153.162.151:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:31755  180.153.10.167:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:47522  180.153.10.167:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:45675  14.215.150.11:53    UDP
    Sep 5 09:45:07  WAN  <wan-ip>:25721  182.140.167.167:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:18749  182.140.167.167:53  UDP
    Sep 5 09:45:07  WAN  <wan-ip>:23751  180.153.10.167:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:62950  111.30.132.180:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:18229  220.249.242.11:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:64475  111.30.132.180:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:4299   180.153.10.167:53   UDP
    Sep 5 09:45:07  WAN  <wan-ip>:23057  115.236.151.178:53  UDP


  • Rebel Alliance Global Moderator

    So that sure looks like traffic you're sending vs getting.. Src IP:port would be the first entry.. You're logging your outbound pass traffic?  Post up the actual log entry screenshot.  And set your firewall rule to list the rule.

    Also if the traffic is being logged then you could capture it via sniff.  So if you're saying you're not seeing it in the sniff then you're doing your packet capture on the wrong interface, wrong port, etc.. ie your filters are wrong..

    As to what you set for dns??  So you're using the forwarder and not the resolver?  The resolver would talk to roots, and talk to all kinds of dns servers.. You don't have your dns open on your wan do you.. If so you could be being used in a dns amplification attack..  Post your wan firewall rules.



  • I am actually using resolver. So this is normal, even if I have added DNS servers in the general tab?

    I don't log the allowed traffic. The DNS requests were blocked by a floating rule created by pfblockerNG based on GeoIP.

    I created floating rules to log all DNS traffic from my internal networks to the firewall and placed them before the one from pfblocker, but I did not get any requests from LAN at those times.

    The sniff I took was from the WAN interface and limited to port 53. I did not see the blocked traffic there, but DNS requests to other servers (not configured in the system). DNS is only enabled on my LAN interfaces + localhost.


  • Rebel Alliance Global Moderator

    Why would you have dns servers in your general tab if using the resolver?  Do you understand what the resolver does?  The resolver walks down from the roots to the authoritative server for the domain you're looking for.  There is zero point of having other dns servers listed if you're going to use the resolver.  They will never be used, ever!!

    Well yeah if you block going to china, and something wants to lookup a domain where the dns is in china you're going to have a hard time looking it up.

    If you ask me blocking outbound traffic to some country is a bad idea in general.  The internet has made the world a small place, you have no idea where something you want to access is hosted.  Blocking traffic to whole countries for what reason??  You don't think you will access anything hosted in china for example?  Going to cause you grief at some point.

    Now if you want to block inbound to your open ports from the top bad countries and you don't really host stuff to the "public" just for your own use, etc.  then sure that makes sense.  Are you using the block lists for known malware or cc sites, ok - what went there?  What was the source IP?  Pfsense?  What would you be running on your firewall that would be bad code?  Need to look up what those IPs you were going to were?  If dns queries towards them then they should be nameservers..
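    The moderator's checks above (which column is the source, whether the source is pfsense itself, and which nameservers the blocked queries were going to) can be scripted against the pfsense log lines posted earlier. This is an added example, not code from the thread or from pfsense; the WAN address 203.0.113.10, the LAN subnet 192.168.1.0/24 and the sample log lines are constructed, with destination IPs taken from the posted log.

    ```python
    import re
    from collections import Counter
    from ipaddress import ip_address, ip_network

    # Row shape as posted in the thread: <time> <iface> <src>:<sport> <dst>:<dport> <proto>
    LOG_RE = re.compile(
        r"^(?P<time>\w{3} \d+ \d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
        r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
    )

    # Constructed values: the firewall's own WAN address and the internal subnet.
    WAN_IP = "203.0.113.10"
    LAN_NETS = [ip_network("192.168.1.0/24")]

    # Constructed sample log: four resolver queries from the firewall itself,
    # one LAN client query to the firewall, one unrelated inbound connection.
    SAMPLE_LOG = """\
    Sep 5 09:45:07 WAN 203.0.113.10:46694 122.225.217.193:53 UDP
    Sep 5 09:45:07 WAN 203.0.113.10:30081 220.249.242.11:53 UDP
    Sep 5 09:45:07 WAN 203.0.113.10:29453 182.140.167.167:53 UDP
    Sep 5 09:45:08 WAN 203.0.113.10:5563 122.225.217.193:53 UDP
    Sep 5 09:45:09 LAN 192.168.1.20:51234 203.0.113.10:53 UDP
    Sep 5 09:45:10 WAN 198.51.100.7:4444 203.0.113.10:22 TCP
    """.splitlines()

    def parse_line(line):
        """Split one log row into its fields; returns None for rows that do not match."""
        m = LOG_RE.match(line.strip())
        return m.groupdict() if m else None

    def classify(entry, wan_ip, lan_nets):
        """Who sent the packet: the firewall itself (e.g. its resolver), a LAN host, or an outside host."""
        if entry["src"] == wan_ip:
            return "firewall-originated"
        if any(ip_address(entry["src"]) in net for net in lan_nets):
            return "lan-originated"
        return "external"

    def summarize(lines, wan_ip=WAN_IP, lan_nets=LAN_NETS):
        """Count rows per origin and, for the firewall's own UDP/53 traffic, per destination nameserver."""
        origins, dns_dests = Counter(), Counter()
        for line in lines:
            e = parse_line(line)
            if e is None:
                continue
            origin = classify(e, wan_ip, lan_nets)
            origins[origin] += 1
            if origin == "firewall-originated" and e["dport"] == "53" and e["proto"] == "UDP":
                dns_dests[e["dst"]] += 1
        return origins, dns_dests

    if __name__ == "__main__":
        origins, dests = summarize(SAMPLE_LOG)
        print(dict(origins))
        for dst, n in dests.most_common():
            print(f"{n:4d} queries from the firewall to {dst}")
    ```

    If every UDP/53 row has the WAN address as source, the traffic is the resolver walking to authoritative servers, which is what a GeoIP floating rule on outbound traffic ends up blocking.
    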



  • Thanks, that makes things clearer now. I used the DNS forwarder before and switched to the resolver.
    So I can remove that part of the configuration.
    For the GeoIP blocking: I do host some services that should not be reachable from everywhere, but I have switched to using GeoIP for the allowed traffic and did not remove the general inbound rule, because it did not cause me any trouble at that time. I guess I will do some rework of the rules now.

    Many thanks for your help!


  • Rebel Alliance Global Moderator

    Yes this is valid if you're hosting services that should only be available to people in say the US.  Prob simpler to use an inbound firewall rule that only allows the traffic coming from US netblocks in your rules via aliases, pfblocker is good at this if you just use it as aliases and not letting it mess with your rules.  Until its recent issues I was using it to limit access to my ntp server behind pfsense that is a member of the pool.  But I don't really want or need queries from say china for my ntp that is only meant for North America, etc.  So I had an alias from pfblocker to only allow NA ip blocks.  And that was working great, but then pfblocker blew up with memory errors and such.  I think bcan has fixed it now, I hope, but have not had a chance to put it back in to test.

    If you want to block clients behind pfsense from going somewhere, sure that is fine too.  Those rules on your lan should not stop pfsense from doing dns resolving, etc.  So pfsense would be able to look up www.somedomaininchina.com.  But then the client wouldn't actually be able to go there, and you could log such firewall hits and see exactly which box behind pfsense was trying to go there and on what port, etc.

    If you want to post up your rules and what you're wanting to accomplish we can for sure discuss the best method of putting that into rules.