Traffic incorrectly going to various other DNS servers



  • Recently I have noticed a lot of traffic going to unusual NS servers.  Maybe it has been doing this all along and I just noticed.
    This is a typical entry in the firewall of perhaps a dozen different servers, and there seems to be a LOT of requests and they are made frequently and continually - dozens/minute.  I have not yet discovered which client is making these requests, most seem to go to various Amazon NS servers.

    Nov 22 12:32:27 	► WAN 	x.x.x.x:47017		205.251.197.105:53
    ns-1385.awsdns-45.org		UDP 
    

    I don't know if I have a configuration error or not.

    I do not run a dns server.  pfSense is named pfsense.firewall.localdomain
    I am using DNS resolver.
    My SG2440 is up to date and DNS is configured for (2) opendns and (2) google servers.

    Is this typical behavior that I have failed in the past to notice?  Other than writing a rule, is there a setting I can change can I make to limit these queries?


  • Banned

    Uhm. Unbound is a recursive resolver. It won't forward anything to OpenDNS/Google unless set up as forwarder.



  • OK, I'll look into that.

    Now I'm wondering what difference it makes.  Something here is making dns requests.  Maybe it is ad's in a browser page.  If I force dns to OpenDNS/Google I suppose it isn't going to reduce the traffic and therefor maybe I should just accept it.

    I'm still looking for the source of these requests.


  • Banned

    @JonH:

    I'm still looking for the source of these requests.

    Hmmm? Any client that's using the pfSense resolver as a DNS server will generate those queries. The settings in System - General are normally ONLY used by the firewall itself.



  • OK.  I did not know that the resolver mode bypassed the configuration in System->General.  A few hours ago I enabled forwarding mode in the resolver and now all the traffic is going via the DNS defined in System settings.

    All that said, I don't see any advantage to the resolver being in forwarding mode and will uncheck it unless I find something to change my mind.  I'm still reading stuff to get a better understanding.  Before now the dns queries in the log confused me because I thought they went through the System settings and thought I had some sort of problem because the queries were going direct to other DNS servers.

    Thanks for the feedback, it has helped me better understand what I'm seeing.



  • You may also prevent a device in your network interrogate an unwanted DNS, adding these two rules in the Firewall LAN tab.
    In your case the first rule should contain as destination an alias with the DNS addresses you want to authorize.

    ![locked DNS.png](/public/imported_attachments/1/locked DNS.png)
    ![locked DNS.png_thumb](/public/imported_attachments/1/locked DNS.png_thumb)



  • Thanks, I was thinking of doing something like that but then in the Resolver General Settings I found this setting and merely checking the "Enable Forwarding Mode" took care of it.  All of my DNS queries are now being handled by OpenDNS/Google



  • you're welcome, however with those rules you can prevent the effects of changing the DNS directly on the user's devices ;)