LAN DNS issue



  • Dear all,
    on the LAN side we have allowed
    DNS, HTTPS, HTTP, SMTP for outgoing.
    DNS is allowed from LAN net to any; however, after the rules are applied the users can't browse the internet, but we can ping 8.8.8.8 and not www.google.com.

    We have an internal DNS server running behind the pfSense, and pfSense is the forwarder for the Active Directory.
    Internal LAN DNS is the Active Directory, and Active Directory uses pfSense as forwarder.

    Any suggestions why this is not working?


  • LAYER 8 Global Moderator

    "Any suggestions why this is not working?"

    Did you do a simple query to validate pfSense is answering your query from the forwarder you're using?  A simple dig, nslookup, drill or host command to the pfSense IP you're forwarding to will tell you if you're able to query for outside DNS.

    Is unbound or the forwarder running on pfSense - you're going to need something to either forward on or resolve for you if you're going to have your local DNS forward to it for www.google.com..



  • @johnpoz:

    "Any suggestions why this is not working?"

    Did you do a simple query to validate pfSense is answering your query from the forwarder you're using?  A simple dig, nslookup, drill or host command to the pfSense IP you're forwarding to will tell you if you're able to query for outside DNS.

    Is unbound or the forwarder running on pfSense - you're going to need something to either forward on or resolve for you if you're going to have your local DNS forward to it for www.google.com..

    Thank you for your help,
    I managed to get the rules configured; however, I notice the DNS request is slower than if I use the rules any to any.
    See the attached screenshot of my LAN rules.
    Also, we have now allowed port 25 on the whole network. I want to lock this down and allow only the devices that need port 25.
    Do I have to create an outgoing rule for each device using port 25? See screenshot two.
    Is the rule correct to allow only the device 10.10.2.16 to send out using port 25?

    thank you for your help

    ![Screen Shot 2017-05-02 at 02.17.43.png](/public/imported_attachments/1/Screen Shot 2017-05-02 at 02.17.43.png)
    ![Screen Shot 2017-05-02 at 02.45.03.png](/public/imported_attachments/1/Screen Shot 2017-05-02 at 02.45.03.png)


  • LAYER 8 Global Moderator

    Why would you need your LAN to talk outbound on 25 or 465 to the whole internet? Do you not run an internal mail server?

    Rules are not slow.. I have no idea what you mean by slow if any any.. It's not going to take longer to evaluate if the source is any vs if the source is limited to LAN net..  If you're worried about locking down, why do you allow anything other than your internal DNS to use DNS?  And if they are just forwarding to pfSense, why do you have it open to any?



  • @johnpoz:

    Why would you need your LAN to talk outbound on 25 or 465 to the whole internet? Do you not run an internal mail server?

    Rules are not slow.. I have no idea what you mean by slow if any any.. It's not going to take longer to evaluate if the source is any vs if the source is limited to LAN net..  If you're worried about locking down, why do you allow anything other than your internal DNS to use DNS?  And if they are just forwarding to pfSense, why do you have it open to any?

    Good catch, thank you John,
    I hadn't seen it. We don't use a mail server; all our mail is Office 365.
    I have changed the LAN DNS to listen only to the DNS server (Active Directory), and it does make sense of course.
    Are the attached screenshots correctly configured to allow DNS only to the DNS server 10.10.2.3? Thank you.
    There are some printers that use port 25 for scans and sometimes port 465, as does Office 365; that's why I allow it on the net.
    Would removing the SMTP/S ports from the outgoing rules still allow the users to send their emails using their Office 365 Outlook?

    thank you so much

    ![Screen Shot 2017-05-02 at 13.57.16.png](/public/imported_attachments/1/Screen Shot 2017-05-02 at 13.57.16.png)


  • LAYER 8 Global Moderator

    Why do you not just lock it down to the LAN IP of pfSense as dest?  That rule allows your DNS server to talk to anything outbound on 53.. If it's forwarding to pfSense, that is over open.  Security 101 is always min permissions required.

    As to locking down sending mail to Office 365, why not lock it down to only the ports and dest IPs of Office 365? They have lists of their netblocks.

    https://support.office.com/en-us/article/POP-and-IMAP-settings-for-Outlook-Office-365-for-business-7fc677eb-2491-4cbc-8153-8e7113525f6c

    They do not use 25, per this article.

    https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2
    This is a list of URLs and IPs that are required to use the different aspects of Office 365.
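The ruleset the moderator is describing (DNS only from the AD server and only to pfSense, mail submission only to the Office 365 netblocks, default deny) can be sanity-checked before it is typed into the GUI. This is an added example, not code from the thread or from pfSense: it models pfSense's first-match rule evaluation in Python. The LAN subnet (10.10.2.0/24), the pfSense LAN address (10.10.2.1) and the Office 365 netblock (203.0.113.0/24, a TEST-NET placeholder) are assumptions; only 10.10.2.3 and 10.10.2.16 come from the thread.

```python
"""First-match model of the locked-down LAN ruleset discussed in this thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

LAN_NET = ip_network("10.10.2.0/24")      # assumed LAN subnet
PFSENSE_LAN = ip_network("10.10.2.1/32")  # assumed pfSense LAN address
AD_DNS = ip_network("10.10.2.3/32")       # internal AD DNS server (from the thread)
PRINTER = ip_network("10.10.2.16/32")     # printer that scans to mail (from the thread)
ANY = ip_network("0.0.0.0/0")
# Placeholder for the Office 365 netblocks Microsoft publishes; TEST-NET-3, not real.
O365_NETS = [ip_network("203.0.113.0/24")]


@dataclass
class Rule:
    action: str                # "pass" or "block"
    proto: str                 # "tcp", "udp", "icmp" or "any"
    src: List                  # list of source networks
    dst: List                  # list of destination networks
    ports: Optional[Set[int]]  # destination ports; None means any port
    label: str

    def matches(self, proto, src, dst, port) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and any(src in n for n in self.src)
                and any(dst in n for n in self.dst)
                and (self.ports is None or port in self.ports))


# Ordered like a pfSense LAN tab: the first matching rule wins, the last rule
# is the explicit default deny. Only the AD server may speak DNS, and only to
# pfSense; clients may not reach outside resolvers directly.
RULES = [
    Rule("pass", "icmp", [LAN_NET], [ANY], None, "LAN icmp out"),
    Rule("pass", "tcp", [LAN_NET], [ANY], {80, 443}, "LAN web out"),
    Rule("pass", "udp", [AD_DNS], [PFSENSE_LAN], {53}, "AD -> pfSense forwarder"),
    Rule("pass", "tcp", [AD_DNS], [PFSENSE_LAN], {53}, "AD -> pfSense forwarder tcp"),
    Rule("pass", "tcp", [LAN_NET], O365_NETS, {587}, "LAN -> O365 submission"),
    Rule("block", "any", [ANY], [ANY], None, "default deny"),
]


def evaluate(proto: str, src: str, dst: str, port: Optional[int] = None,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, label) of the first rule matching the flow, or an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.matches(proto, s, d, port):
            return r.action, r.label
    return "block", "implicit deny"
```

Feeding the flows from the thread through `evaluate` shows which ones the tightened rules still permit: the AD server forwarding to pfSense passes, while a workstation querying 8.8.8.8 directly or the printer sending to port 25 on an arbitrary host is denied.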



  • Thank you for your answer John,
    can you help me configure this?
    The steps are as follows:

    Create an alias for smtp.office365.com.
    Create a LAN pass rule, source LAN net, destination single host or alias smtp.office365.com, Submission port.
    Is this the correct way of doing so?

    Also, a strange behaviour just happened: from the LAN I can ping the devices that are connected, but I can't ping the internet 8.8.8.8 or the pfSense box itself.
    The default gateway of the DHCP is the pfSense itself.

    Thank you


  • LAYER 8 Global Moderator

    Well, do you have ICMP open?  If not, then no, you're not going to be able to ping anything ;)

    I wouldn't use an alias to an FQDN that can change all the time.  Just use the netblocks listed in the article, too.



  • @johnpoz:

    Well, do you have ICMP open?  If not, then no, you're not going to be able to ping anything ;)

    I wouldn't use an alias to an FQDN that can change all the time.  Just use the netblocks listed in the article, too.

    ICMP is open from LAN net to WAN net and it's responding now.
    Now the DNS is open from LAN net to any; is this not the correct way, or do I have to change it?
    Now the DNS rule is source LAN net, destination *, port 53 UDP; it works, the ping and I can nslookup.
    When I change the destination to the Active Directory IP, the ping to the internet stops working, and so does browsing.


  • LAYER 8 Global Moderator

    Any time you have some question about your rules - post them..

    As to DNS open to any.. My LAN is any any to all.. I have no specific rules.  Your rules are what you want them to be.. Do you want all your devices on LAN to be able to query any DNS anywhere?  Or just ask pfSense for DNS?

    "When I change the destination to the Active Directory IP"

    What?

