Netgate Discussion Forum
    Outbound DNS resolution

    Category: DHCP and DNS
    3 Posts 2 Posters 1.1k Views
    sdesort

      I am in the process of replacing an older Sonicwall firewall with a pfSense firewall. The config is fairly simple, other than the fact that I am not running NAT: all of the LAN IPs are public. NAT is set to manual and all default NAT policies were deleted. No DMZ. And I am running my own DNS server, which is on the LAN with a public IP. The default LAN firewall rule allowing all IPv4 traffic out is in place. I also have Snort installed.

      I hooked up the pfSense firewall. Most traffic appeared to be going in and out, EXCEPT that the firewall log shows blocked traffic originating from the DNS server on the LAN going out to external DNS servers (for resolution) on UDP port 53. For the life of me, I do not understand why this outbound traffic is being blocked when all IPv4 traffic is permitted out. As a result, DNS resolution is not working on the LAN.

      The rub is that I cannot leave the firewall connected when not in use, since it is mimicking the Sonicwall it will replace and therefore has the same WAN and LAN Ethernet IP addresses. So I can't go into pfSense to troubleshoot and test without again disconnecting the SW and reconnecting the pfSense, which are all in the datacenter. So for any questions someone may have for me, I will need to either answer from memory or go to the datacenter to try and respond later.

      My suspicion now, hours after trying this at 3 am last night, is that a Snort DNS rule got triggered by the remote DNS resolver (AOL's DNS server is an example), which caused that destination IP to get inserted into the firewall block list. But I am uncertain how Snort integrates with pfSense: when Snort blocks something, would it then cause all future identical traffic to show in the firewall log as blocked traffic, or would it only show in the Snort logs?

      Appreciate anyone's help as I struggle through learning the nuances of pfsense.

      Derelict (Netgate)

        You probably need to post your rules. If it were configured as you say, the traffic would be passed.

        Also, clicking the red X in the firewall logs on a block entry will tell you which rule blocked it. That could be snort hitting on something. You might want to disable snort blocking and just watch the alerts for a while.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

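The check Derelict describes, done from the pfSense shell instead of the red X, as an added example that is not code from this thread or from the pfSense or Snort projects. It parses firewall-log block entries for outbound UDP/53 and looks each blocked destination up in the snort2c pf table (the table the Snort package adds offending hosts to), so a "Snort blocked this resolver" entry can be told apart from "some other filter rule blocked it". The log lines, table contents, addresses (RFC 5737 documentation ranges) and tracker IDs below are constructed sample data; the CSV layout follows pfSense's documented filterlog format.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense/Snort.
# Correlate pfSense firewall-log blocks of outbound UDP/53 with the pf table
# Snort populates when it blocks a host (snort2c).
#
# Constructed sample data. On a live firewall replace the two variables with
# real output:
#   FILTER_LOG=$(clog /var/log/filter.log)
#   SNORT2C=$(pfctl -t snort2c -T show)
# Field positions in the "filterlog:" CSV used below: 4 = tracker ID (what the
# red X in the GUI shows), 7 = action, 8 = direction, 17 = protocol,
# 20 = destination address, 22 = destination port. Tracker IDs are made up.
FILTER_LOG='Feb 15 03:12:44 fw filterlog: 5,,,1000000003,igb0,match,block,out,4,0x0,,64,12345,0,DF,17,udp,61,203.0.113.10,198.51.100.5,55123,53,41
Feb 15 03:12:45 fw filterlog: 12,,,1549000000,igb1,match,pass,in,4,0x0,,64,12346,0,DF,17,udp,61,203.0.113.10,198.51.100.9,55124,53,41
Feb 15 03:12:46 fw filterlog: 5,,,1000000003,igb0,match,block,out,4,0x0,,64,12347,0,DF,17,udp,61,203.0.113.10,198.51.100.7,55125,53,41
Feb 15 03:12:47 fw filterlog: 9,,,1000000004,igb0,match,block,out,4,0x0,,64,12348,0,DF,17,udp,61,203.0.113.10,198.51.100.11,55126,53,41'

# "pfctl -t snort2c -T show" prints one indented address per line.
SNORT2C='   198.51.100.5
   198.51.100.7'

# Print "tracker destination" for every logged block of outbound UDP/53.
blocked_dns_dsts() {
    printf '%s\n' "$FILTER_LOG" | awk -F'filterlog: ' '/filterlog:/ {
        n = split($2, f, ",")
        if (f[7] == "block" && f[8] == "out" && f[17] == "udp" && f[22] == "53")
            print f[4], f[20]
    }'
}

# Exit 0 if address $1 is currently in the snort2c table, 1 otherwise.
in_snort2c() {
    printf '%s\n' "$SNORT2C" | awk -v ip="$1" '$1 == ip { found = 1 } END { exit found ? 0 : 1 }'
}

# For each blocked resolver, report whether Snort put the block there and
# print the command that would clear it (printed, not run).
classify_blocks() {
    blocked_dns_dsts | sort -u | while read -r tracker dst; do
        if in_snort2c "$dst"; then
            printf '%s blocked by snort2c (tracker %s); to clear: pfctl -t snort2c -T delete %s\n' "$dst" "$tracker" "$dst"
        else
            printf '%s blocked by tracker %s, not snort2c; find the rule: grep %s /tmp/rules.debug\n' "$dst" "$tracker" "$tracker"
        fi
    done
}

classify_blocks
```

Deleting an address from snort2c only clears it until Snort's next alert for that host re-adds it; turning off Block Offenders on the Snort interface is what stops the table being populated at all, which is the "disable snort blocking and just watch the alerts" step above. Blocks whose destination is not in snort2c come from an ordinary filter rule, and the tracker ID printed is the same number the red X in the firewall log resolves to a rule.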
          sdesort

          Thanks. I do have a feeling it's Snort. I was surprised to see AOL's DNS server (as well as a bunch of others) tripped Snort DNS rules. I will re-visit the datacenter over the weekend, hook up a lappy and pull that log and see what tripped the block.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.