Strange DNS queries on wrong WAN.



  • Hello,
    I have a strange behaviour that I can't figure out what it originates from.

    I have 3 WAN, where WAN3 is going through a mobile broadband dongle.

    WAN1 is the main outgoing, but WAN2 is used, by rules, for outgoing from some machines. (outgoing load balancing)
    WAN3 is not set as default and does not have any rules pointing traffic to this interface. (at the moment)

    I have DNS Forwarder set up and 2 DNS IPs defined pointing to WAN1 under general.
    I have checked and only dnsmasq and NOT unbound is enabled. (unbound is not even in the service table as it is switched off)

    I also have the following:
    DNS Query Forwarding
    Query DNS servers sequentially = TRUE
    (If this option is set, pfSense DNS Forwarder (dnsmasq) will query the DNS servers sequentially in the order specified (System - General Setup - DNS Servers), rather than all at once in parallel.)

    According to this, only the DNS servers defined should be queried and NOT root server 8.8.8.8

    BUT, what I see when doing packet capture is that something still generates DNS traffic from the pfSense WAN3 IP to Google root DNS 8.8.8.8
    and I cannot figure out what and also HOW, as it should not be possible depending on how pfSense is configured.

    Anyone that has any idea on HOW and WHY these requests go out and from WHAT?

    I run pfSense 2.3.2

    Dan Lundqvist
    Stockholm, Sweden


  • LAYER 8 Netgate

    Is 8.8.8.8 set as the monitor IP address for the WAN3 gateway?

    What is the output from this in Diagnostics > Command prompt

    netstat -rn | grep 8.8.8.8



  • @Derelict:

    Is 8.8.8.8 set as the monitor IP address for the WAN3 gateway?

    What is the output from this in Diagnostics > Command prompt

    netstat -rn | grep 8.8.8.8

    Yes.

    8.8.8.8            192.168.95.1      UGHS        ue0

    Don't mind the private address. Just a workaround to circumvent the HiLink router in the dongle.
    I have it set up to disable the firewall and enable DMZ between dongle and pfSense. (.1 = dongle and .2 = pfSense interface.)

    The DNS lookups that I see look very much like traffic originating from a Windows machine on the LAN. (not anything from the pfSense itself)
    To various URLs and also PTR reverse lookups and stuff.

    And as said, I do not have any DNS defined in general pointing to WAN3.

    I have normal ARPs and also some SSDP, but these are normal and local, and can be ignored. (and filtered out, at least SSDP)
    But the DNS will go out through the mobile connection = eats into MaxAggregatedBandwidth/month for the subscription.

    I could find that there is one machine on the LAN that does direct 8.8.8.8 lookups (and also looks to have similar kinds of lookups as seen on WAN3),
    HOWEVER, as WAN3 is not the default GW, it should not route that DNS traffic out on WAN3 but on WAN1, as this is the default GW.
    Strange.

    //Danne


  • LAYER 8 Netgate

    That will send everything for 8.8.8.8 out that specific interface. It is probably the result of network clients being hard-set to use that for DNS.

    I don't think there's anything you can do besides:

    1. Not use it as a monitoring IP address

    2. Block DNS queries to that address from that LAN.

    3. Forward DNS queries to that address to your preferred DNS.


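An added example, not part of the thread: a shell function that generalizes the `netstat -rn | grep 8.8.8.8` check to every static host route (flags G, H and S, as in the `UGHS` line above) that leaves through a different interface than the default route. It assumes the four-column Destination/Gateway/Flags/Netif layout shown in the thread; the function names and every sample line except the 8.8.8.8 route are constructed for illustration.

```shell
#!/bin/sh
# Added example: list gateway-pinned host routes in `netstat -rn` output.
# A gateway monitor IP shows up as a static host route (UGHS). Any traffic
# to that address, including LAN clients hard-set to use it for DNS,
# follows the host route instead of the default gateway.

pinned_host_routes() {
    # Reads IPv4 `netstat -rn` output on stdin.
    # Assumed columns: Destination Gateway Flags Netif
    awk '
        BEGIN { n = 0 }
        /^Internet6/ { exit }                  # stop before the IPv6 table
        $1 == "default" { def_if = $4; next }  # interface of the default route
        # Static host route via a gateway: flags contain G, H and S
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $3 ~ /G/ && $3 ~ /H/ && $3 ~ /S/ {
            dest[n] = $1; gw[n] = $2; ifc[n] = $4; n++
        }
        END {
            # Report only routes that bypass the default gateway interface
            for (i = 0; i < n; i++)
                if (ifc[i] != def_if)
                    printf "%s via %s on %s (default route uses %s)\n", dest[i], gw[i], ifc[i], def_if
        }'
}

# Constructed sample: only the 8.8.8.8 line is taken from the thread.
sample_routes() {
    cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        em0
8.8.8.8            192.168.95.1       UGHS       ue0
127.0.0.1          link#4             UH         lo0
192.168.1.0/24     link#2             U          em1
192.168.1.1        link#2             UHS        lo0
192.168.95.0/24    link#5             U          ue0
198.51.100.53      203.0.113.1        UGHS       em0
203.0.113.0/24     link#1             U          em0
EOF
}

# On the firewall itself: netstat -rn -f inet | pinned_host_routes
sample_routes | pinned_host_routes
```

Any address this reports that LAN clients also use as a resolver will have its DNS traffic sent out the listed interface, which is the situation the three options above address.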