Running DNS Responder for LAN, and DNS Firewall for guest network
-
Perhaps someone else might find this useful. I have been retrofitting my network with pfSense and wanted to use the DNS Responder for my private network, and keep DNS Responder away from the guest network so that guest hosts cannot see private names advertised for the private network.
With DNS Responder running, I think the pfSense server is advertised as the Name Server even on DHCP leases obtained in the guest network. I restricted the DNS Responder to only listen on the private network, leaving the guest network with no working DNS service.
The solution that I have right now is to run the DNS Forwarder, but have it listen only on port 51 on localhost. Then on the guest network interface, I set up a NAT port forward from port 53 on the guest network interface to port 51 on localhost.
This seems to work ok.
Are there any other configurations that might work in this scenario?
-
Hi,
Just a question: why hide device names, and thus IP addresses?
With some basic firewall rules they can't access your LAN anyway.
-
The way to block guest access to your LAN is by security (rules). Security by obscurity (hiding your hosts) is never a good or even safe way to do it.
-
Thanks for your suggestions. My configuration includes firewall rules to keep the guest network traffic off the private network.
I'm thinking that the DNS Responder is listening on both networks, and responsive to both; I was seeking to improve that isolation. Keeping the DNS Responder off the guest network provides some improvement by reducing the attack surface (i.e. guests cannot attack the DNS Responder). Furthermore, I do not wish to publish any private information on the guest network.
The DNS Resolver options "General DNS Resolver Options"/"Network Interfaces" already provides a way to keep the resolver off the guest network interface, though I do wonder if it just does not listen on that interface or whether it listens, receives, then discards. Even if the latter though, some firewall rules can enforce this.
What I would prefer is for the upstream DNS server to be provided to the guest network hosts directly (via DHCP), obviating the need for pfSense to serve any DNS requests (whether on the DNS Responder or the DNS Forwarder) from the guest network at all.
On the DHCP server page there is: "Leave blank to use the system default DNS servers: this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page."
I want to enable the DNS Resolver so that I can use it on the private network. This has the side effect of advertising the pfSense IP address as the DNS server on the guest network.
Is there a way to have the DHCP server propagate the upstream DNS server (which was in turn obtained by DHCP) to the guest network in this case?
-
Yeah. Enter the DNS servers in the DHCP server for the guest network.
Then block access to the local DNS servers using guest network interface rules.
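To make the two designs in this thread concrete at the packet-filter level, here is an added example in pf syntax (pfSense generates its ruleset from the GUI; this is not pfSense's own output and is meant to be read alongside the GUI settings, not pasted into pf.conf). Interface names, subnets and the port-51 listener are placeholders taken from the thread.

```pf
# Added example, not pfSense's generated ruleset. Interface names and subnets are placeholders.
guest_if     = "igb2"                          # guest network interface (placeholder)
guest_net    = "192.168.50.0/24"               # guest subnet (placeholder)
lan_net      = "192.168.1.0/24"                # private subnet (placeholder)
upstream_dns = "{ 9.9.9.9, 149.112.112.112 }"  # resolvers handed out by guest DHCP

# --- Design 1 (original post): pfSense still answers guest DNS, but via the
# DNS Forwarder bound to 127.0.0.1:51 instead of the Resolver that knows LAN names.
rdr on $guest_if inet proto { tcp, udp } \
    from $guest_net to ($guest_if) port 53 -> 127.0.0.1 port 51

# --- Design 2 (replies): guests receive public resolvers from DHCP and cannot reach
# the firewall's own resolver at all, so no LAN name can leak whatever it listens on.
# 1. Nothing from the guest subnet may talk to the firewall's guest address on port 53.
block return in quick on $guest_if inet proto { tcp, udp } \
    from $guest_net to ($guest_if) port 53
# 2. Guests never reach the private subnet: this rule is what actually isolates them;
#    hiding names only reduces what a guest learns for free.
block in quick on $guest_if inet from $guest_net to $lan_net
# 3. DNS is allowed only to the resolvers DHCP advertised, then general Internet access.
pass in quick on $guest_if inet proto { tcp, udp } \
    from $guest_net to $upstream_dns port 53
pass in quick on $guest_if inet from $guest_net to any
```

With design 2 the Resolver's "Network Interfaces" setting becomes defence in depth rather than the only control, which answers the listen-versus-discard question either way.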
-
"Enter the DNS servers in the DHCP server for the guest network."
The IP address of the upstream DNS server is only known when the DHCP lease is obtained on the WAN network.
Is there a way to indicate that this address should be used when naming the DNS server for the guest network?
-
Then set up your own DNS servers or tell them to use one of the many free DNS servers whose addresses never change.
Google
8.8.8.8
8.8.4.4
Level3
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6
OpenDNS
208.67.222.222
208.67.220.220
Quad9
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9
-
"The IP address of the upstream DNS server is only known when the DHCP lease is obtained on the WAN network."
Huh… You're saying the ISP changes the IPs of their name servers? Or they hand out a pool of them so that you might get A and B today, but if you get a new IP tomorrow you get C and D, then maybe next week you are back to A and B? Or B and D? Or does the IP they hand out change per netblock you're on from the ISP and you cannot query their other servers when on a different netblock?
Seems odd that an ISP would change the IPs of the DNS they run for their clients. Having a hard time understanding a use case for doing such a thing. Or is it that you just don't know what your ISP DNS IPs are?
Either way, Derelict listed many of the most popular DNS servers you could use for your guest clients.
-
Yeah. You might get the ISP DNS server dynamically but I would bet if you CALLED THEM AND ASKED they could give you a list of addresses to use.