Netgate Discussion Forum

Finding devices with hardcoded DNS

  • gniting (last edited Mar 13, 2019, 11:17 PM)

    I've set up a NAT redirect rule to capture/redirect all outbound DNS traffic to my internal DNS server. pfSense automatically added a firewall rule as well. The question now is how do I find what devices are the offending ones? There's nothing in my firewall logs that could give me a hint. Even when I hardcode a DNS entry on one of my devices, there's still nothing in the firewall logs. Should I assume the NAT redirect rule is not working?

    Thanks

    • elvisripley @gniting (last edited Mar 14, 2019, 2:23 AM)

      @ibbetsion If you just want to find them you could make a rule to block TCP/UDP to port 53 on addresses that aren't the router and see what shows up in the logs.

      I just did this redirect and didn't see any entries for my redirected DNS.

      I confirmed it was being redirected using https://www.dnsleaktest.com

      Here are my records that showed up when I moved the firewall block rule to the top of the LAN rules.

      [Image: Screen Shot 2019-03-13 at 9.18.47 PM.png]

      • gniting (last edited Mar 14, 2019, 8:15 AM)

        @elvisripley Thank you for that invaluable insight. I was able to make a few tweaks based on your guidance (caused lightbulbs to go off in my head!) and I am now able to see the queries!

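The logged block rule suggested in the thread (TCP/UDP to port 53 on any address that isn't the router) produces filter log entries that can be grouped per client to list the devices with hardcoded DNS. The Python below is an added example, not code from the thread or from Netgate. The log lines are constructed, and the field positions (taken from pfSense's raw filterlog CSV layout), the router address 192.168.1.1 and the function names are assumptions.

```python
import csv
import re
from collections import defaultdict

# Constructed sample entries (not from the thread), in pfSense's raw filterlog
# CSV layout; the field positions used below are an assumption based on it.
SAMPLE_LOG = """\
Mar 14 02:18:41 fw filterlog: 5,,,1552530001,em1,match,block,in,4,0x0,,64,4121,0,none,17,udp,56,192.168.1.50,8.8.8.8,51234,53,36
Mar 14 02:18:44 fw filterlog: 5,,,1552530001,em1,match,block,in,4,0x0,,64,4122,0,DF,6,tcp,60,192.168.1.77,1.1.1.1,40022,53,0,S,123456,,64240,,mss
Mar 14 02:18:47 fw filterlog: 5,,,1552530001,em1,match,block,in,4,0x0,,64,4123,0,none,17,udp,56,192.168.1.50,8.8.4.4,51240,53,36
Mar 14 02:18:50 fw filterlog: 7,,,1000000103,em1,match,pass,in,4,0x0,,64,4124,0,none,17,udp,56,192.168.1.20,192.168.1.1,50111,53,36
Mar 14 02:18:52 fw filterlog: 5,,,1552530001,em1,match,block,in,6,0x00,0x00000,64,UDP,17,48,fd00::50,2001:4860:4860::8888,51300,53,48
"""
ROUTER_ADDRS = {"192.168.1.1"}  # assumption: the firewall's own LAN address
# IP version -> (index of protocol name, index of source address)
LAYOUT = {"4": (16, 18), "6": (12, 15)}


def parse_filterlog(line):
    """Return (action, proto, src, dst, dport) for a TCP/UDP entry, else None."""
    m = re.search(r"filterlog(?:\[\d+\])?: (.*)$", line)
    if not m:
        return None
    f = next(csv.reader([m.group(1)]))
    try:
        pidx, base = LAYOUT[f[8]]
        proto = f[pidx].lower()
        if proto not in ("tcp", "udp"):
            return None
        return f[6], proto, f[base], f[base + 1], int(f[base + 3])
    except (KeyError, IndexError, ValueError):
        return None  # truncated or unrecognised entry


def hardcoded_dns_clients(log_text, router_addrs=ROUTER_ADDRS):
    """Map each client to the external resolvers it was blocked from reaching."""
    clients = defaultdict(lambda: defaultdict(int))
    for rec in map(parse_filterlog, log_text.splitlines()):
        if rec is None:
            continue
        action, _proto, src, dst, dport = rec
        if action == "block" and dport == 53 and dst not in router_addrs:
            clients[src][dst] += 1
    return {src: dict(dsts) for src, dsts in clients.items()}


if __name__ == "__main__":
    for src, dsts in sorted(hardcoded_dns_clients(SAMPLE_LOG).items()):
        print(src, dsts)
```

Entries only appear if the block rule has logging enabled and is evaluated before other LAN rules, which matches the thread's note about moving it to the top.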