Finding devices with hardcoded DNS



  • I've set up a NAT redirect rule to capture/redirect all outbound DNS traffic to my internal DNS server. pfSense automatically added a firewall rule as well. The question now is how do I find what devices are the offending ones? There's nothing in my firewall logs that could give me a hint. Even when I hardcode a DNS entry on one of my devices, there's still nothing in the firewall logs. Should I assume the NAT redirect rule is not working?

    Thanks



  • @ibbetsion If you just want to find them you could make a rule to block TCP/UDP to port 53 on addresses that aren't the router and see what shows up in the logs.

    I just did this redirect and didn't see any entries for my redirected DNS.

    I confirmed it was being redirected using https://www.dnsleaktest.com

    Here are my records that showed up when I moved the firewall block rule to the top of the LAN rules.

    (Screenshot attached: firewall log entries, 2019-03-13 9:18 PM)
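The approach described in this reply, a logging block rule for port 53 placed at the top of the LAN rules, produces raw filterlog entries that still have to be grouped by client. The script below is an added example (not code from the thread or from pfSense) that parses such entries in the pfSense 2.2+ filterlog CSV format and reports every LAN host that sent DNS somewhere other than the router. The LAN interface name `em1`, the router address `192.168.1.1`, and the log lines in `SAMPLE_LOG` are assumptions constructed for the example; change the first two to match your firewall and feed it the raw firewall log instead of the sample.

```python
"""Find LAN hosts that send DNS (port 53) to anything other than the router,
by parsing pfSense filterlog entries.

Added example, not from the original thread or from pfSense. Assumptions:
  * LAN interface is `em1`, router LAN address is 192.168.1.1 (hypothetical)
  * lines follow the pfSense 2.2+ filterlog CSV format for IPv4 TCP/UDP
  * SAMPLE_LOG is constructed for this example
"""
import re
from collections import defaultdict

ROUTER_IP = "192.168.1.1"   # hypothetical pfSense LAN address
LAN_IF = "em1"              # hypothetical LAN interface name

# Matches the syslog prefix pfSense puts before the CSV payload, e.g.
# "Mar 13 21:18:47 pfSense filterlog[12345]: ..."; raw exports may omit it.
SYSLOG_PREFIX = re.compile(r"^.*filterlog\[\d+\]:\s*")

# Constructed sample: what a logging "block port 53" rule and the normal
# pass-to-router rule would emit. Fields (IPv4): rule,subrule,anchor,tracker,
# iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,flags,protoid,proto,
# length,src,dst,sport,dport,... (TCP lines carry extra fields after dport).
SAMPLE_LOG = """\
5,,,1000000103,em1,match,block,in,4,0x0,,64,4321,0,none,17,udp,61,192.168.1.50,8.8.8.8,51234,53,41
5,,,1000000103,em1,match,block,in,4,0x0,,64,4322,0,none,17,udp,61,192.168.1.50,8.8.4.4,51235,53,41
5,,,1000000103,em1,match,block,in,4,0x0,,128,77,0,DF,6,tcp,60,192.168.1.77,1.1.1.1,40000,53,0,S,1,,65535,,mss
7,,,1000000105,em1,match,pass,in,4,0x0,,64,9,0,none,17,udp,70,192.168.1.60,192.168.1.1,53001,53,50
9,,,1000000107,em1,match,block,in,4,0x0,,64,10,0,none,6,tcp,60,192.168.1.50,93.184.216.34,40001,443,0,S,1,,65535,,mss
"""


def parse_filterlog_line(line):
    """Parse one IPv4 TCP/UDP filterlog entry into a dict.

    Returns None for anything else (IPv6, ICMP, malformed) so callers can
    skip lines this example does not model.
    """
    fields = SYSLOG_PREFIX.sub("", line.strip()).split(",")
    if len(fields) < 22 or fields[8] != "4" or fields[16] not in ("tcp", "udp"):
        return None
    return {
        "rule": fields[0], "tracker": fields[3], "iface": fields[4],
        "action": fields[6], "dir": fields[7], "proto": fields[16],
        "src": fields[18], "dst": fields[19],
        "sport": int(fields[20]), "dport": int(fields[21]),
    }


def find_hardcoded_dns(log_text, router_ip=ROUTER_IP, lan_if=LAN_IF):
    """Return {source_ip: {destination_ip: hits}} for inbound LAN packets to
    port 53 whose destination is not the router. Those sources are the
    clients with a hardcoded resolver."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        entry = parse_filterlog_line(line)
        if entry is None:
            continue
        if entry["iface"] != lan_if or entry["dir"] != "in":
            continue
        if entry["dport"] != 53 or entry["dst"] == router_ip:
            continue
        hits[entry["src"]][entry["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in sorted(find_hardcoded_dns(SAMPLE_LOG).items()):
        detail = ", ".join(f"{d} x{n}" for d, n in sorted(dsts.items()))
        print(f"{src} -> {detail}")
```

The script only sees what pfSense actually logs, so the rule that catches the traffic must have logging enabled; a redirect alone will silently rewrite the destination, which matches what both posters saw before adding the block rule. Because it keys on destination port and destination address rather than on the rule that matched, it also works if you later replace the block rule with a logging pass rule and keep the redirect in place.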



  • @elvisripley Thank you for that invaluable insight. I was able to make a few tweaks based on your guidance (caused lightbulbs to go off in my head!) and I am now able to see the queries!

