Outbound DNS resolution
-
I am in the process of replacing an older SonicWall firewall with a pfSense firewall. The config is fairly simple, other than the fact that I am not running NAT - all of the LAN IPs are public. NAT is set to manual and all default NAT policies were deleted. No DMZ. And I am running my own DNS server, which is on the LAN with a public IP. The default LAN firewall rule allowing all IPv4 traffic out is in place. I also have Snort installed.
I hooked up the pfSense firewall. Most traffic appeared to be going in and out. EXCEPT - the firewall log shows blocked traffic originating from the DNS server on the LAN going out to external DNS servers (for resolution) on UDP port 53. For the life of me, I do not understand why this outbound traffic is being blocked when all IPv4 traffic is permitted out. As a result, DNS resolution is not working on the LAN.
The rub is I cannot leave the firewall connected when not in use, since it is mimicking the SonicWall it will replace and therefore has the same WAN and LAN Ethernet IP addresses. So I can't go into pfSense to troubleshoot and test without again disconnecting the SonicWall and reconnecting the pfSense, which are all in the datacenter. So for any questions someone may have for me, I will need to either answer from memory or go to the datacenter to try and respond later.
My suspicion now, hours after trying this at 3am last night, is that a Snort DNS rule got triggered by the remote DNS resolver (AOL's DNS server is an example), which caused that destination IP to get inserted into the firewall block list. But I am uncertain how Snort integrates with pfSense - when Snort blocks something, would it then cause all future identical traffic to show in the firewall log as blocked traffic? Or would it only show in the Snort logs?
Appreciate anyone's help as I struggle through learning the nuances of pfSense.
-
You probably need to post your rules. If it were configured as you say, the traffic would be passed.
Also, clicking the red X in the firewall logs on a block entry will tell you which rule blocked it. That could be Snort hitting on something. You might want to disable Snort blocking and just watch the alerts for a while.
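A quick way to confirm the "it's Snort" theory from the console, as an added example that is not part of the original thread: on pfSense the Snort package enforces blocks by inserting the offending address into the pf table `snort2c`, and `pfctl -t snort2c -T show` lists that table, so any DNS destination that appears both there and in the blocked-outbound-UDP/53 log entries is being dropped by Snort rather than by a LAN rule. The script below uses constructed sample data in place of the live `pfctl` output and log export so it runs offline; the IPs are documentation addresses, not real resolvers, and `pfctl -t snort2c -T delete` is the command that would release one of them.

```shell
#!/bin/sh
# Added example (not from the original post): correlate blocked outbound
# DNS destinations with the Snort block table on pfSense.
#
# Snort on pfSense blocks by adding IPs to the pf table "snort2c".
# Live command: pfctl -t snort2c -T show
# The here-doc below is a CONSTRUCTED stand-in so the script runs offline.
snort2c_table() {
  cat <<'EOF'
   198.51.100.7
   203.0.113.9
EOF
}

# CONSTRUCTED sample: destination IPs taken from firewall-log entries whose
# source is the LAN DNS server and whose destination port is UDP/53.
# In practice you would export the firewall log and filter on those fields.
blocked_dns_dests() {
  cat <<'EOF'
198.51.100.7
192.0.2.53
203.0.113.9
EOF
}

# Print each blocked DNS destination that is also present in the snort2c
# table. Exit status 0 means at least one matched, i.e. Snort (not a LAN
# rule) is the likely cause of the drops; 1 means none matched and the
# pass/block rules themselves need a closer look.
snort_blocked_dests() {
  table=$(snort2c_table | tr -d ' ')
  found=1
  for ip in $(blocked_dns_dests); do
    if printf '%s\n' "$table" | grep -qxF "$ip"; then
      echo "$ip"
      found=0
    fi
  done
  return $found
}

# Emit the pfctl commands that would release the matched addresses.
# Do not run these blindly: Snort re-adds an IP the next time its rule
# fires, so the underlying rule should be disabled or suppressed first
# (the reply above suggests turning off Snort blocking and watching alerts).
release_commands() {
  snort_blocked_dests | while read -r ip; do
    echo "pfctl -t snort2c -T delete $ip"
  done
}

if snort_blocked_dests >/dev/null; then
  echo "Snort-blocked DNS destinations:"
  snort_blocked_dests
  echo "To release them (after fixing the Snort rule):"
  release_commands
else
  echo "No overlap with snort2c; check the LAN pass/block rules instead."
fi
```

Swap the two here-docs for the live `pfctl -t snort2c -T show` output and a filtered firewall log export, and the match list tells you directly which resolvers Snort has quarantined.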
-
Thanks. I do have a feeling it's Snort. I was surprised to see AOL's DNS server (as well as a bunch of others) tripped Snort DNS rules. I will revisit the datacenter over the weekend, hook up a lappy and pull that log and see what tripped the block.