Netgate Discussion Forum

    Strict Whitelisting on a satellite connection and only 1GB traffic/month

    Firewalling
    6 Posts 2 Posters 377 Views
    waldimort

      Hi
      I am using a pfSense firewall on a vessel.
      pfSense is attached to a sat-router which basically allows everything for the pfSense.

      The pfSense rules restrict the internet to only a few websites and services, such as TeamViewer, email, etc.

      The Win10 clients have simplewall installed and I was shutting them up with that O&O tool. At least I thought I had.
      Our provider's plan includes only 1GB of traffic per month.
      So Windows Update is of course blocked on the clients and on the pfSense.
      However, DNS is required for TeamViewer and other services.
      I found out that the vessel used up more than 100MB in one day.

      I think the vessel is set up to use DNS forwarder.
      Traffic:
      microsoft.com 44MB
      10.155.124.179 Googlecloud 37MB
      DNS 27MB
      DNS.Windowsupdate 24MB
      DNS.microsoft 24MB
      PFSENSE.org 8MB
      ICMP 7MB
      Unknown 7MB
      Etc., with low consumption

      If I block, for example, “10.155.124.179 Googlecloud” at the top of the rules list, will DNS still work if one of Google's DNS servers is used?

      How can I efficiently reduce the traffic? Is caching somehow possible, so that the same DNS queries are not repeatedly sent over the internet?
      I did not find much about that problem, probably because most admins do not care about a GB of traffic.
      I would be thankful for any hint.

      netblues

        10.0.0.0/8 is private and not usable on the Internet.
        Perhaps your sat ISP is doing some NAT tricks, but you need to find out what 10.155.124.179 really is.
        For pfSense, I suspect it's the version check.
        You can disable this in System > Update settings.
        As for DNS, in Services > DNS Resolver:
        https://docs.netgate.com/pfsense/en/latest/book/services/dns-resolver-advanced.html
        look at Minimum TTL for RRsets and Messages.
        This does exactly what you requested.
        But it could be other things too that cause traffic.
        You need to do some network sniffing for such strict control.

        waldimort

          Thanks for the quick answer.
          I changed from forwarder to resolver again. (I was having trouble with the resolver back then when I set up the system: DNS not working.)

          I set the minimum to 1 day and the maximum to 5 days and changed the storage from 4MB to 250MB.
          Not sure if that makes sense.
          Since we have only a few websites, I would even put in all important translations manually if necessary.

          waldimort

            I found out that simplewall was deactivated, too...

            waldimort

              One day after changing to the DNS Resolver, DNS is not working anymore, including hostnames of the pfSense or the sat-router hostnames.

              Any suggestions where I can check? Right now I can only send config files via mail or guide the captain via satphone :(

              netblues

                You should really check if the resolver is actually able to resolve :)
                There are two ways for a resolver to work.
                One is by querying the DNS root servers and following the tree with recursion; the
                second would be to use forwarding, meaning all requests go to a designated DNS server which handles everything.
                In a highly managed scenario such as sat access, the latter should be the only option.
                Please check

                DNS Query Forwarding
                Enable Forwarding Mode: If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there).

                in the DNS Resolver settings.

                And you really need a test environment for this.
                It's very easy to lock yourself out while "optimising" things.
                And in the middle of the ocean there aren't many alternatives either.

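A worked configuration pulling together the three things the thread settles on: the minimum/maximum TTL caching from netblues' first reply, forwarding mode from the second, and the manually maintained host entries waldimort mentions. This is an added example, not taken from the thread or from Netgate's documentation. It is written as a standalone unbound.conf so that every setting is visible; on pfSense the same values are set under Services > DNS Resolver (Forwarding Mode, Minimum/Maximum TTL, cache size, Host Overrides), and the GUI generates the forward-zone itself when Forwarding Mode is enabled, so do not also paste a forward-zone into Custom Options. The LAN network, the upstream address 192.0.2.1 (the sat-router's resolver) and the vessel.example names and addresses are placeholders.

```conf
server:
    # Assumed firewall LAN address and network.
    interface: 127.0.0.1
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # Caching: keep every answer at least 1 day and at most 5 days (the
    # values chosen in the thread). cache-min-ttl is the setting that cuts
    # upstream traffic, because it overrides short TTLs such as the 60 s
    # many load-balanced services publish. The price: a service that moves
    # its IP within that window will be answered with the stale address
    # until the record ages out.
    cache-min-ttl: 86400
    cache-max-ttl: 432000

    # Answer from an expired record immediately and refresh it afterwards,
    # instead of failing while the satellite link is slow or down.
    serve-expired: yes

    # prefetch re-queries popular names before they expire. That is extra
    # traffic on a metered link, so it stays off (the default).
    prefetch: no

    # Cache size only affects memory, not traffic. A few dozen names fit
    # easily in the 4 MB default; 250 MB is harmless but buys nothing.
    msg-cache-size: 4m
    rrset-cache-size: 8m

    # No IPv6 transport upstream: avoids duplicate/failed lookups when the
    # satellite link only carries IPv4.
    do-ip6: no

    # Static answers for the handful of names the vessel must always reach.
    # These never leave the firewall, so a dead upstream cannot break them.
    # Hypothetical zone, names and addresses.
    local-zone: "vessel.example." static
    local-data: "mail.vessel.example. 86400 IN A 203.0.113.25"
    local-data: "portal.vessel.example. 86400 IN A 203.0.113.80"

# Forwarding mode: every other query goes to one designated upstream, so the
# whitelist only has to permit port 53 to that single address. Full recursion
# would instead need outbound 53 to arbitrary root/TLD/authoritative servers,
# which strict outbound rules will silently block. Hypothetical upstream.
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
```

To confirm the resolver is actually resolving and caching, run the same query twice from the pfSense shell, e.g. `drill @127.0.0.1 www.teamviewer.com` (drill is assumed to be present, as it ships with pfSense's ldns). The second answer should come back in a few milliseconds and its TTL should be lower than the first; if even `drill @127.0.0.1 mail.vessel.example` fails, the resolver itself is not running or not listening on the expected interface, which is worth checking in a lab before changing anything on a vessel that can only be reached by satphone.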
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.