Netgate Discussion Forum
DNS setting and redirection

DHCP and DNS
15 Posts 3 Posters 2.0k Views
    mikekoke
    last edited by Jun 20, 2018, 6:55 PM

    Hi,
    I have some doubts about the DNS configuration and would like some advice on it. I followed the following guide to redirect DNS traffic to the pfSense box (https://www.netgate.com/docs/pfsense/dns/redirecting-all-dns-requests-to-pfsense.html); if I'm not mistaken, this also serves other services like pfBlockerNG and the Squid proxy for filtering. But then I would like the traffic to be resolved by an external DNS server like 1.1.1.1, which is set in System > General Setup, and in the meantime block the DNS servers not set in General Setup.

      TheNarc @mikekoke
      last edited by Jun 20, 2018, 7:31 PM

      @mikekoke In System > General Setup > DNS Server Settings, specify the external DNS server(s) that you ultimately want to use (like 1.1.1.1 in your example). Make sure that the "Allow DNS server list to be overridden by DHCP/PPP on WAN" and "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" check boxes are NOT checked. Then in Services > DNS Resolver check the box next to "Enable Forwarding Mode." I'm pretty sure that this will achieve the behavior you described. The resolver will be running in forwarding mode, so it will forward any DNS requests to the DNS server(s) that you configured in System > General Setup > DNS Server Settings. Any clients on your LAN attempting to use different DNS servers will be caught by your port forward rule and redirected to 127.0.0.1, and because you have the "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" setting disabled, this will go through the resolver, which as we stated earlier is already configured to forward to only the DNS server(s) that you configured.

        mikekoke @TheNarc
        Jun 20, 2018, 7:41 PM (last edited by mikekoke Jun 20, 2018, 7:56 PM)

        @thenarc said in DNS setting and redirection:

        @mikekoke In System > General Setup > DNS Server Settings, specify the external DNS server(s) that you ultimately want to use (like 1.1.1.1 in your example). Make sure that the "Allow DNS server list to be overridden by DHCP/PPP on WAN" and "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" check boxes are NOT checked. Then in Services > DNS Resolver check the box next to "Enable Forwarding Mode." I'm pretty sure that this will achieve the behavior you described. The resolver will be running in forwarding mode, so it will forward any DNS requests to the DNS server(s) that you configured in System > General Setup > DNS Server Settings. Any clients on your LAN attempting to use different DNS servers will be caught by your port forward rule and redirected to 127.0.0.1, and because you have the "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" setting disabled, this will go through the resolver, which as we stated earlier is already configured to forward to only the DNS server(s) that you configured.

        Thanks for the reply.
        What you described has already been done; moreover, as I said, I wrote a forwarding rule as in the link. Did I do it right, or should I remove it?

        edit:
        I forgot to mention that I looked at the states and I can not understand one thing:

        LAN udp router_wan_ip: 50659 -> 127.0.0.1:53 (8.8.8.8.83)

        WAN udp pfsense_wan_ip: 63863 -> 8.8.4.4:53

        Why does the LAN interface use 8.8.8.8 when I set 8.8.4.4?

          TheNarc @mikekoke
          last edited by Jun 20, 2018, 8:27 PM

          @mikekoke From what I can tell, you should have everything configured the way you want it. However, I don't have an answer for why 8.8.8.8 is being used if you don't have it configured anywhere. It inspired me to check the states on one of my own pfSense machines, and I saw multiple DNS queries to both 8.8.8.8 and 8.8.4.4 coming from a Roku on my network. It could be that you have one or more devices on your LAN that override any DNS servers they are assigned with Google's. I'm not super familiar with the notation used in the display of states, but based on what you pasted, I would guess that the request to 8.8.8.8 is being redirected to 127.0.0.1, per your NAT port forward, and subsequently sent out via the DNS server you specified (8.8.4.4).

          I did notice, though, that (8.8.8.8.83) makes no sense to me. Did you paste that directly, or could this be a typo? I would expect that to be (8.8.8.8:53).

            lohphat @TheNarc
            last edited by Jun 20, 2018, 8:39 PM

            @thenarc I have DNS restricted on my network to only allow the gateway (which DHCP specifies) and I still see 8.8.8.8 requests from my google home device (not surprising).

            Many IoT devices have their DNS settings hard-wired.

              mikekoke @TheNarc
              last edited by Jun 20, 2018, 8:45 PM

              @thenarc said in DNS setting and redirection:

              @mikekoke From what I can tell, you should have everything configured the way you want it. However, I don't have an answer for why 8.8.8.8 is being used if you don't have it configured anywhere. It inspired me to check the states on one of my own pfSense machines, and I saw multiple DNS queries to both 8.8.8.8 and 8.8.4.4 coming from a Roku on my network. It could be that you have one or more devices on your LAN that override any DNS servers they are assigned with Google's. I'm not super familiar with the notation used in the display of states, but based on what you pasted, I would guess that the request to 8.8.8.8 is being redirected to 127.0.0.1, per your NAT port forward, and subsequently sent out via the DNS server you specified (8.8.4.4).

              I did notice, though, that (8.8.8.8.83) makes no sense to me. Did you paste that directly, or could this be a typo? I would expect that to be (8.8.8.8:53).

              Sorry, I wrote it wrong; it was (8.8.8.8:53).
              However, if I understand correctly, the DNS requests are all redirected to 8.8.4.4, right?

                TheNarc @mikekoke
                last edited by Jun 20, 2018, 8:47 PM

                @mikekoke From what you pasted, I believe so. Is that your expectation? Is 8.8.4.4 the only DNS server that you specified in General Settings?

                  mikekoke @TheNarc
                  last edited by Jun 20, 2018, 9:03 PM

                  @thenarc said in DNS setting and redirection:

                  @mikekoke From what you pasted, I believe so. Is that your expectation? Is 8.8.4.4 the only DNS server that you specified in General Settings?

                  The target is to direct all the DNS requests to pfSense in order to filter the URLs through pfBlockerNG and the Squid proxy, and finally send the requests to the configured DNS servers.
                  As DNS servers I configured 8.8.4.4 (this is because 8.8.8.8 is not responding and I cannot ping it from the LAN) and then 1.1.1.1 and 1.0.0.1.

                    mikekoke @lohphat
                    Jun 20, 2018, 9:06 PM (last edited by mikekoke Jun 20, 2018, 9:07 PM)

                    @lohphat said in DNS setting and redirection:

                    @thenarc I have DNS restricted on my network to only allow the gateway (which DHCP specifies) and I still see 8.8.8.8 requests from my google home device (not surprising).

                    Many IoT devices have their DNS settings hard-wired.

                    All devices are configured to receive DNS from the router's DHCP

                      TheNarc @mikekoke
                      last edited by Jun 20, 2018, 9:21 PM

                      @mikekoke So it sounds like things are working as you would expect then? I don't see any further issue.

                        mikekoke @TheNarc
                        last edited by Jun 20, 2018, 9:27 PM

                        @thenarc said in DNS setting and redirection:

                        @mikekoke So it sounds like things are working as you would expect then? I don't see any further issue.

                        Yes, but it is strange that the DNS server 8.8.8.8 is used and that the LAN cannot ping that same server.

                          TheNarc @mikekoke
                          last edited by Jun 20, 2018, 9:50 PM

                          @mikekoke I don't think that 8.8.8.8 is being used. The output you provided looked to me as if some device on your network is trying to use 8.8.8.8, but the port forwarding rule you made is redirecting 8.8.8.8 to 127.0.0.1, and ultimately the request is being made to 8.8.4.4. I don't know why you'd be able to ping 8.8.4.4 and not 8.8.8.8 though.

                            mikekoke @TheNarc
                            last edited by Jun 20, 2018, 10:14 PM

                            @thenarc said in DNS setting and redirection:

                            @mikekoke I don't think that 8.8.8.8 is being used. The output you provided looked to me as if some device on your network is trying to use 8.8.8.8, but the port forwarding rule you made is redirecting 8.8.8.8 to 127.0.0.1, and ultimately the request is being made to 8.8.4.4. I don't know why you'd be able to ping 8.8.4.4 and not 8.8.8.8 though.

                            I found a device with its DNS setting on 8.8.8.8; when I removed the setting, even the states related to that DNS server disappeared.

                              TheNarc @mikekoke
                              last edited by Jun 21, 2018, 2:29 AM

                              @mikekoke Well if a device is set to use 8.8.8.8 as a DNS server, you're going to see that in the states. But just seeing it in the states doesn't mean that pfSense is allowing it to use 8.8.8.8. It's saying "This client asked to do a DNS query to 8.8.8.8, but I'm redirecting that query to 127.0.0.1 since you told me to." And from there, unbound (the DNS resolver) takes over and forwards it to 8.8.4.4 since you configured it for forwarding mode.

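TheNarc's reading of the state table (a LAN state to 127.0.0.1:53 with the client's intended server in parentheses, then a WAN state from the firewall to the configured forwarder) can be turned into a check. The script below is an added example, not code from this thread or from pfSense: it parses state lines in the display format mikekoke pasted, counts the LAN queries the port forward caught, records which clients tried a hardcoded server, flags LAN queries that reached a foreign resolver without being rewritten (the redirect is missing or does not cover that subnet), and checks that WAN-side port 53 traffic only goes to the forwarders set in System > General Setup. The forwarder list (8.8.4.4, 1.1.1.1, 1.0.0.1 from mikekoke's later post), the 127.0.0.1 redirect target from the Netgate guide, the LAN address 192.168.1.1 and the sample state lines are all assumptions constructed for the example; the raw text from `pfctl -ss` may be laid out differently, so adjust `STATE_RE` if you feed it that instead of a copy of Diagnostics > States.

```python
"""Audit pfSense state-table lines for DNS redirection (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Assumptions for this example (adapt to your own General Setup / NAT rule):
ALLOWED_FORWARDERS: Set[str] = {"8.8.4.4", "1.1.1.1", "1.0.0.1"}  # General Setup servers
REDIRECT_TARGET = "127.0.0.1"   # redirect target of the port forward from the guide
LAN_GATEWAY = "192.168.1.1"     # firewall's LAN address; clients may use it directly

# Matches the display format pasted in the thread:
#   IFACE proto src:port -> dst:port (original_dst:port)
# The parenthesised part is present only when a NAT rule rewrote the destination.
STATE_RE = re.compile(
    r"^(?P<iface>\w+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):\s*(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s*\((?P<odst>[\d.]+):(?P<odport>\d+)\))?\s*$"
)


class State(NamedTuple):
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    orig_dst: Optional[str]     # destination the client asked for, if rewritten
    orig_dport: Optional[int]


def parse_state(line: str) -> Optional[State]:
    """Parse one state line; return None for lines that do not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    odst, odport = m.group("odst"), m.group("odport")
    return State(m.group("iface"), m.group("proto"), m.group("src"),
                 int(m.group("sport")), m.group("dst"), int(m.group("dport")),
                 odst, int(odport) if odport else None)


def audit(lines: List[str]) -> Dict[str, object]:
    """Classify DNS states and flag anything that bypasses the resolver."""
    hardcoded: Dict[str, Set[str]] = {}     # client -> servers it tried to use
    leaks: List[Tuple[str, str]] = []       # LAN client -> foreign DNS, not rewritten
    unexpected: List[Tuple[str, str]] = []  # WAN-side DNS to a server not allowed
    redirected = forwarded = 0
    for line in lines:
        st = parse_state(line)
        if st is None or 53 not in (st.dport, st.orig_dport):
            continue  # not a DNS state
        if st.iface == "LAN":
            if st.dst == REDIRECT_TARGET and st.orig_dst:
                # The rdr rule caught a client that ignored DHCP's DNS option.
                redirected += 1
                hardcoded.setdefault(st.src, set()).add(st.orig_dst)
            elif st.dst != LAN_GATEWAY:
                # Reached a foreign resolver without being rewritten: the port
                # forward is missing, disabled, or does not cover this subnet.
                leaks.append((st.src, st.dst))
        elif st.iface == "WAN":
            if st.dst in ALLOWED_FORWARDERS:
                forwarded += 1   # unbound in forwarding mode doing its job
            else:
                unexpected.append((st.src, st.dst))
    return {"redirected": redirected, "forwarded": forwarded,
            "hardcoded_clients": hardcoded, "leaks": leaks,
            "unexpected_forwarders": unexpected}


# Constructed sample, modelled on the two lines pasted in the thread.
SAMPLE_STATES = [
    "LAN udp 192.168.1.50:50659 -> 127.0.0.1:53 (8.8.8.8:53)",  # hardcoded client, caught
    "LAN udp 192.168.1.50:50660 -> 127.0.0.1:53 (8.8.8.8:53)",
    "LAN udp 192.168.1.52:53001 -> 192.168.1.1:53",             # well-behaved client
    "LAN tcp 192.168.1.60:40001 -> 9.9.9.9:53",                 # not rewritten: leak
    "WAN udp 203.0.113.10:63863 -> 8.8.4.4:53",                 # resolver forwarding
    "WAN udp 203.0.113.10:12345 -> 1.1.1.1:53",
    "WAN udp 203.0.113.10:40000 -> 208.67.222.222:53",          # not a configured forwarder
    "WAN tcp 203.0.113.10:49152 -> 198.51.100.7:443",           # not DNS, ignored
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_STATES).items():
        print(f"{key}: {value}")
```

On the sample, the two 8.8.8.8 states are counted as redirected and attributed to 192.168.1.50 (the situation mikekoke found), the 9.9.9.9 state is reported as a leak, and the 208.67.222.222 state is reported as an unexpected forwarder. An empty `leaks` list with a non-empty `hardcoded_clients` map is the healthy picture for this setup: devices that ignore DHCP are still being pulled through unbound.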
                                mikekoke @TheNarc
                                last edited by Jun 21, 2018, 11:37 AM

                                @thenarc said in DNS setting and redirection:

                                @mikekoke Well if a device is set to use 8.8.8.8 as a DNS server, you're going to see that in the states. But just seeing it in the states doesn't mean that pfSense is allowing it to use 8.8.8.8. It's saying "This client asked to do a DNS query to 8.8.8.8, but I'm redirecting that query to 127.0.0.1 since you told me to." And from there, unbound (the DNS resolver) takes over and forwards it to 8.8.4.4 since you configured it for forwarding mode.

                                Thanks again for the clarification; it's just that I have only been using pfSense for a short time and still have problems with some things.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.