Looking for help setting up DNS



  • I'm trying to set up a firewall with pfSense 2.3.2-RELEASE-p1 (amd64) on a Xen VM, intended to take the place of a separate box running Linux and Shorewall (a front end to iptables).

    I'm having difficulty getting DNS to work.

    My LAN has a DNS (bind9) server configured for "split DNS", on an internal host (not the new pfSense firewall or the old Linux/iptables firewall).  When queried from inside my LAN, this internal DNS server responds with info relevant to my LAN (private IP addresses, etc.).  When queried from the Internet at large, the DNS server responds with public info.  This works just fine through my old (Linux/iptables) firewall.

    My old (Linux/iptables) firewall handles DNS queries as follows:

    • Queries coming from the Internet are redirected to the internal DNS server.

    • Queries coming from my LAN are handled by Bind9 on the firewall itself, which has slave copies of my internal DNS zones and forwards anything else to the regular internal DNS server.

    • Queries from my internal DNS server, directed to DNS servers on the Internet, are allowed through.

    • Queries from any other internal DNS server, directed to DNS servers on the Internet, are intercepted and processed by the firewall.  Thus, none of the hosts on my LAN are able to send DNS queries out to the Internet except for my own internal DNS server.

    Again, this all works just fine through my old (Linux/iptables) firewall.  However, I can't seem to get it working through my new, experimental pfSense firewall.  Basically, right now, no DNS queries can go through the pfSense firewall in either direction (from LAN to Internet, or from the Internet to the firewall's WAN address) — all such queries appear to be silently dropped by the pfSense firewall.

    Other rules configured on the pfSense firewall — including various NAT rules — seem to be working OK, so I'm confident there isn't a general Internet problem or anything like that.  The problem I'm having appears to be specifically related to DNS on pfSense.

    I can supply detailed configuration info if necessary, but before I do that, I'm wondering if there might be some "how-to" documentation explaining how to set all the various options which deal with DNS on a pfSense box.


  • LAYER 8 Global Moderator

    did you do a port forward for udp/tcp 53 to your nameserver?

    So your saying a box that uses pfsense as it gateway can not query a public dns, like google or open?  What are you lan rules on pfsense?

    Do a sniff on pfsense lan, do you see the query?  Sniff on pfsense wan do you see it go out..

    Your saying normal net traffic is working to say www.pfsense.org, etc.



  • I did some more tinkering with the DNS-related settings on my experimental pfSense firewall.

    Currently, both "DNS resolver" and "DNS forwarder" are disabled.  There are two DNS servers configured (two of my internal hosts).

    I have a WAN rule enabled which NAT-redirects any DNS queries from the Internet to one of my internal split-DNS servers.  Queries from the Internet are correctly receiving answers based on an external view (again, I have split DNS configured on my LAN's internal servers).

    On the LAN side, I currently have only one DNS rule – which "rejects" all DNS queries coming in via the LAN.  But even with only this DNS-related rule in effect, DNS queries are still making it from my local network through the pfSense box and out to the Internet (and answers to said queries are coming back as well).

    I enabled logging on this "reject all DNS packets from LAN" rule, but nothing appears to be getting logged.

    I SSH'ed to the pfSense box and did "pfctl -s all".  Here are the lines of output from "pfctl -s all" which contain the words "domain" and "xn0":

    block return in log quick on xn0 inet proto tcp from any to any port = domain label "USER_RULE: Reject other outbound DNS"
    block return in log quick on xn0 inet proto udp from any to any port = domain label "USER_RULE: Reject other outbound DNS"

    The above seems to say that any DNS queries arriving via the LAN interface (xn0) should be blocked/dropped, but as I said, such queries appear to be making it through.

    Any suggestions as to what I should try next?


  • LAYER 8 Global Moderator

    Post up this rule your created.  You can have a rule all day long that says lan block tcp/udp.  But if you forward into dns running on the lan, its answers would get back out because there is a state created when you forwarded.  With udp its not so much a state, but pfsense knows that it sent in a udp packet and responses should be allowed.

    So what you want to d is stop users on your lan from doing a query to 8.8.8.8..  Can you post your lan rules please.. Picture is much easier to read.



  • Are you asking for "screen grab" images of pages from the pfSense web GUI?  If so, exactly which pages should I be sure to include?

    Or is there some text file representation of a pfSense configuration which people prefer to use?  I'm new to pfSense, remember, so I may not be extremely familiar with what expert users of the software are accustomed to looking at.


  • LAYER 8 Global Moderator

    Yeah just screen shot of your lan rules



  • OK, here's a screen shot of my LAN rules.  Let me know if you want to see anything additional.



  • LAYER 8 Global Moderator

    Well for starters you rules that would allow abound access to dns is not even enabled.  That is why its grayed out.

    You rules are a mess to be honest.  What is that rule that says allow outside access smtp from memory / freedom suppose to do?  What it would do is allow outbound access from those IPs in your source alias.  Then your two rules below that would allow anything to talk to those dest IP on 25.

    Your ntp rule that to 10.0.229.197 not sure what that is suppose to do.. Is Where is this rfc1918 address?  I that your local lan?  Or another lan or wan of pfsense?  A tunnel?

    Your first rule blocking to spamhaus?  You have that backwards.. That rules says anything in that alias, can not go out your lan.. Why would those IPs be source IP INTO your lan interface?

    Rules are evaluated top down, first rule to trigger wins and no other rules are evaluated.  This is traffic INBOUND to your lan interface from your lan network.

    Your rule allowing smtp to office 365 servers.. Where did you get that netblock 132.245.0.0/16 while a MS network.. There is way more address than that for office365, etc.  While I see that would cover some of the 132.245 address here https://support.content.office.net/en-us/static/O365IPAddresses.xml  There is sure of a lot more!!!



  • Just for the moment, all I am really asking about is how DNS is being handled in my current firewall setup.

    In an attempt to simplify matters for the sake of debugging, I'm temporarily trying to reject all outbound DNS through this firewall — but even that doesn't seem to be working at all (all outbound DNS from my LAN is currently going through).  Can you help me figure that out?  Once I have this one thing working correctly, I do plan to go back and enable the other DNS rules, but not just yet.

    You made a very valid point about my "Spamhaus DROP list" rule, btw — my intent there was to keep anyone on my LAN from sending anything out to any address on the Spamhaus DROP list, and I'm going to fix that rule to put my "Spamhaus DROP list" alias as the destination instead of the source.  But again, what I'm really trying to get feedback on right now is DNS.  Why is all outbound DNS getting through this firewall right now, even though I thought I had temporarily disabled all outbound DNS rules except for one that I still have enabled that should reject everything?

    I would be grateful if you (or anyone else) could help me with this one issue for now.


  • LAYER 8 Global Moderator

    Do u have any rule in floating?  While yes your block to dns should be firing, I don't see any hits on it.  So is there a floating rule that would allow it, those would be processed before the lan rules.

    If you have a nat setup that nats all inbound to pfsense, and there is a firewall rule that would allow it.  That could be allowing it as well.  So while you have the firewall that is suppose to match up with your nat disabled, you do have a lan rule any any that would allow it.  So nats are processed first, and then look to see if any firewall rules allow the nat to actually happen.  your any any rule could allow it.

    But my first guess and place to look would be your floating tab.



  • I have no floating rules.

    I have a NAT rule which takes any DNS request incoming via my WAN interface and redirects it to a DNS server on my LAN.

    I had a NAT rule which would take any DNS request incoming via my LAN interface and redirect it to the pfSense firewall.  However, I have disabled this rule.

    In the status dashboard screen of the pfSense GUI, the "DNS server(s)" item lists two internal DNS servers (on my LAN).  Again, as I believe I mentioned earlier, both the "DNS Forwarder" and the "DNS Resolver" are disabled right now.

    I did an SSH into the pfSense firewall, and "netstat -rn | grep -w 53" shows nothing listening on the TCP/UDP domain service port.  Also, "ps ax" does not show any "dnsmasq" or "unbound" process running.

    I did "pfctl -s all", and here are all the entries mentioning the "domain" service (TCP/UDP port 53).  My WAN interface is 96.82.71.10 (gateway address is 96.82.71.14).  My LAN address range is 10.0.229.0/24; the host 10.0.229.173 in the stuff below is my internal DNS server.

    rdr on xn1 inet proto tcp from any to 96.82.71.10 port = domain -> 10.0.229.173
    rdr on xn1 inet proto udp from any to 96.82.71.10 port = domain -> 10.0.229.173
    pass in quick on xn1 reply-to (xn1 96.82.71.14) inet proto tcp from any to 10.0.229.173 port = domain flags S/SA keep state label "USER_RULE: NAT Redirect inbound DNS to Freedom"
    pass in quick on xn1 reply-to (xn1 96.82.71.14) inet proto udp from any to 10.0.229.173 port = domain keep state label "USER_RULE: NAT Redirect inbound DNS to Freedom"
    block return in log quick on xn0 inet proto tcp from any to any port = domain label "USER_RULE: Reject other outbound DNS"
    block return in log quick on xn0 inet proto udp from any to any port = domain label "USER_RULE: Reject other outbound DNS"

    It's been a very long time since I've worked with raw "pf" on a BSD box, but I would think the last two entries shown above (the "block return in" lines) would be stopping any DNS queries arriving on my LAN interface.  Hence my confusion on seeing that DNS appears to be passing through unchecked from my LAN to the Internet.

    I assume I'm probably doing something subtly wrong in the way I'm trying to specify DNS-related actions in several places (LAN rules, WAN rules, NAT, etc.).  What I'd really like to find is a "how-to" document describing best practices for DNS management in pfSense.  Does anyone know of such a document?


  • LAYER 8 Global Moderator

    Dude you sure your boxes are going to pfsense for outbound access?  And not going someone where else or asking something else?

    So I put in block dns rule.. You can then see when I query an outside dns, It gets rejected, you can see the reject come back from pfsense.  You can see pfsense shows in the firewall tab that this rule has triggered (yours shows 0/0) You can see that its logged.

    I would validate where your client is sending the traffic.  Sniff on the client validate the mac to where it sending to pfsense as its gateway?  This really is clickity clickity.  If  your not seeing hits to the rule, and getting answers.  Then either your going out somewhere else, asking something else than what you think your asking.  Or yeah something is messed up with pfsense?  Lets for 100% sure validate this traffic is going through pfsense.  So sniff on pfsense outbound.. Do you see your query go out??

    So you see here my query gets denied, you see pfsense sends the reject.  This is sniffing right on the box sending the query to 8.8.8.8..

    You can see pfsense logs this, because the rule was triggered and I said to log it.

    I then undo the rule and send a specific query to outside dns again 8.8.8.8 and sniff on pfsense wan.. You can see it go out, because its suppose to.  So while your saying your clients can query outside, lets validate that.. Lets send a query, sniffing and see exactly how its getting an answer.  Unless you have some other rule allowing the traffic or redirecting the traffic this really is clickity clickity its blocked.








  • Thanks.  I'm going to rebuild my pfSense box and set up my rules all over again from scratch.  Hopefully whatever strange problem I created the first time will mysteriously vanish when I redo everything.


Log in to reply