Thousands of outgoing DNS(?) blocked per hour



  • I've been running pfsense with pfBlockerNG for about 8 months now. I've been keeping a close eye on it and learning a lot, and I am familiar with the typical behavior of my network. The current configuration is about 2 weeks old and has been running perfectly for that time.

    My system is laid out like this: modem > pfsense hardware firewall > router running freshtomato > all other network devices. The router is configured to send ALL DNS queries to the pfsense firewall.

    Typically there are maybe 5 IPs blocked per day by pfBlockerNG, most if not all of those are inbound.

    This morning I log in to pfsense and notice there are hundreds of outbound blocks in pfBlocker, all of them from (what appear to be) random ports on my router, going to 8.8.8.8:853 or :53. After a few minutes it's over 3,500 and continues to climb rapidly. My download speeds seem to be slower than usual. The pfBlockerNG rule that's blocking them is ISC_1000_30_v4.

    I enabled logging of everything in the router, but nothing is going out to 8.8.8.8.

    Again, this is way out of normal behavior for my network.

    Does my network have an infected device?

    Thanks,



  • https://en.wikipedia.org/wiki/Google_Public_DNS
    8.8.8.8 is one of the Google Public DNS servers.

    So you may have a device using it for DNS service.
    That may be the server your Firewall / pfBlockerNG / Alerts / Alert Settings is configured to use for CNAME lookup.



  • @RonpfS I made sure everything is pointed to my router for DNS, and it in turn obtains DNS from the pfsense box. One of the reasons for going to pfsense was to prevent anything from going to google. Anyway, it hasn't done this since I installed pfsense.



  • Identify the IP address making the requests to 8.8.8.8 over ports 53 and 853. Should be able to do that by looking at your firewall log (not the pfBlocker log). Filter on destination IP and/or port to make it easier to see the host that is attempting the lookups.

    If you have a double-NAT situation with that router you are talking about, then things will get tougher when identifying the local host making the outbound requests.

    You really should consider taking that router out of the path and letting pfSense do everything. If you need the router for wireless, then see about converting it to simple AP mode. Most can be reconfigured to do this. Let pfSense do DHCP, routing and NAT.
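    One way to do the filtering bmeeks suggests offline, as an added example that is not part of this thread or of pfBlockerNG itself: a small Python script that groups blocked outbound DNS hits by source host, using alert rows in the layout quoted later in this thread. The sample rows are constructed (only 8.8.8.8 and 10.37.50.44 come from the thread), and the "hidden behind NAT" check assumes you know the downstream router's WAN-side address.

```python
import re
from collections import defaultdict

# Row layout as quoted in this thread (whitespace may be tabs or spaces):
#   <date> <time> [n] <iface> <rule> <ruleid>) <proto> <src>:<sport> <src-rdns> <dst>:<dport> ...
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\[\d+\]\s+(?P<iface>\S+)\s+"
    r"\S+\s+\d+\)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+\S+\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS, the two ports seen in the thread

# Constructed sample alerts: two from the VLAN host quoted in the thread, one from a
# second LAN host, and one inbound non-DNS block that must be ignored.
SAMPLE_ALERTS = """\
Jan 10 20:32:55 [104] VLAN50 pfB_PRI1_v4 1770010781) UDP 10.37.50.44:37132 Unknown 8.8.8.8:53 dns.google US ISC_1000_30_v4 8.8.8.8
Jan 10 20:32:56 [104] VLAN50 pfB_PRI1_v4 1770010781) TCP 10.37.50.44:51230 Unknown 8.8.8.8:853 dns.google US ISC_1000_30_v4 8.8.8.8
Jan 10 20:33:01 [104] LAN pfB_PRI1_v4 1770010781) UDP 192.168.1.2:40011 Unknown 8.8.8.8:53 dns.google US ISC_1000_30_v4 8.8.8.8
Jan 10 20:33:05 [104] WAN pfB_PRI1_v4 1770010781) TCP 203.0.113.9:44444 Unknown 192.168.1.1:22 Unknown US ISC_1000_30_v4 203.0.113.9
"""

def parse_alert(line):
    """Return the parsed fields of one alert row, or None if the row does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def summarize_dns_blocks(text, resolver_ips=("8.8.8.8",), dns_ports=DNS_PORTS):
    """Group blocked hits to the given resolvers on DNS ports by source host.
    Returns {src_ip: {"hits": n, "dports": {...}, "ifaces": {...}}}."""
    out = defaultdict(lambda: {"hits": 0, "dports": set(), "ifaces": set()})
    for line in text.splitlines():
        a = parse_alert(line)
        if not a or a["dst"] not in resolver_ips or a["dport"] not in dns_ports:
            continue
        rec = out[a["src"]]
        rec["hits"] += 1
        rec["dports"].add(a["dport"])
        rec["ifaces"].add(a["iface"])
    return dict(out)

def hidden_behind_nat(summary, router_wan_ip):
    """True when the only source seen is the downstream router's WAN address, i.e.
    double-NAT has masked the real client (the situation described in this thread)."""
    return set(summary) == {router_wan_ip}
```

    If the summary shows a single source that is the downstream router's address, the real client is behind that router's NAT and its own logs (or removing the double NAT) are the next step.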



  • @bmeeks Thanks for the reply.

    I've configured the router to log everything that's allowed out. I haven't applied filters, but searching the log for 8.8.8.8 or "google" finds nothing (seemed faster that way).

    Edit: It was by looking at the pfsense firewall that I can see it's coming from my router. No other device seems to be associated with this.

    Update: the repeated blocks to 8.8.8.8 seem to have stopped now. The only potential correlation I see is it seems to have stopped about the time I updated Firefox.

    Update 2: Spoke too soon: pfBlockerNG still blocking attempts by the router to 8.8.8.8. I note these are coming from random ports on the router.

    Otherwise everything appears to be working normally.

    Very strange.



  • @bmeeks said in Thousands of outgoing DNS(?) blocked per hour:

    You really should consider taking that router out of the path and letting pfSense do everything. If you need the router for wireless, then see about converting it to simple AP mode. Most can be reconfigured to do this. Let pfSense do DHCP, routing and NAT.

    I might have to do that, and I know my router can be configured for AP mode. Something new to learn....

    Thanks.


  • LAYER 8 Global Moderator

    @py said in Thousands of outgoing DNS(?) blocked per hour:

    and I know my router can be configured for AP mode

    Every single wifi router in the world can be used as just an AP. Disable its dhcp server and connect it to your network via one of its lan ports = AP!



  • @py said in Thousands of outgoing DNS(?) blocked per hour:

    @bmeeks said in Thousands of outgoing DNS(?) blocked per hour:

    You really should consider taking that router out of the path and letting pfSense do everything. If you need the router for wireless, then see about converting it to simple AP mode. Most can be reconfigured to do this. Let pfSense do DHCP, routing and NAT.

    I might have to do that, and I know my router can be configured for AP mode. Something new to learn....

    Thanks.

    It all seems to be coming from your router because it is performing another NAT behind pfSense. It is translating all the IP addresses behind it to the router's IP address on its WAN side where pfSense is connected. This is why you really don't want (or need) double-NAT.



  • I'm having the same issue. The source address of the request is a device on my LAN. The destination is google dns. This is from a Samsung device that has google DNS hard coded in it. I have no double NAT on my network. I tried to pull the URL it uses for its list, and it redirects to some blog page. I'm thinking I'm going to turn the ISC 30 off for now until I'm able to poll the URL and get a proper list back.

    Jan 10 20:32:55 [104] 	VLAN50 	pfB_PRI1_v4 1770010781) 	UDP  10.37.50.44:37132 Unknown 8.8.8.8:53 dns.google 	US	ISC_1000_30_v4 8.8.8.8
    


  • @realityman_ You should really start your own thread; however, open all your devices and see which one has a DNS other than pfSense 192.168.1.1...simple!



  • @py I don't have time to re-configure my network right now to switch the router to AP mode (too many VLANs), but I was able to isolate the problem to the router itself (disconnected everything and turned off the radios and got the same behavior). I also reset the router to default settings, cleared the NVRAM and powered it off for 30 minutes while I rerouted cables in preparation for re-configuring it to AP mode (again, same behavior when it was powered back on).

    I would like to know why this particular feed, (ISC_1000_30_v4), is listing this behavior as malicious. Hopefully that may give me more information as to what it is I'm up against, and perhaps a way to fix it. I haven't found a place on the ISC website that specifies such things.

    Again, if it's of any use, this started in the wee hours of Friday morning.

    Any help appreciated.



  • If you want to let the traffic go thru, you can suppress it.

    If you have to restrict DNS traffic out, there is a way to redirect all DNS traffic to pfsense using FW Rules.
    https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html



  • @RonpfS said in Thousands of outgoing DNS(?) blocked per hour:

    If you want to let the traffic go thru, you can suppress it.

    If you have to restrict DNS traffic out, there is a way to redirect all DNS traffic to pfsense using FW Rules.
    https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

    Thanks, but I'm pretty sure this is not legitimate DNS traffic or the ISC_1000_30_v4 feed of pfBlockerNG would not be blocking it.

    Would it?

    The last thing I want is DNS queries going to google so I have incorporated the config at that link and I'll see what happens.



  • @py said in Thousands of outgoing DNS(?) blocked per hour:

    the ISC_1000_30_v4 feed of pfBlockerNG would not be blocking it.

    Well my ISC_1000_30_v4 table only has one IP: 45.76.66.122

    From my log file:

    [ PRI1_ISC1000_30_v4 ] [ 01/11/20 20:15:07 ]
    				( md5 feed )		 cURL Error: 28
    Operation timed out after 15007 milliseconds with 0 out of 0 bytes received Retry in 5 seconds...
    . cURL Error: 28
    Connection timed out after 15005 milliseconds Retry in 5 seconds...
    . cURL Error: 28
    Connection timed out after 15023 milliseconds Retry in 5 seconds...
    .. unknown http status code | 0
    	Failed to download Feed for md5 comparison!	Update skipped
    
    ...
    
    
    [ PRI1_ISC1000_30_v4 ]		 Downloading update .. 200 OK. completed ..
    [ pfB_PRI1_v4 PRI1_ISC1000_30_v4 ] No IPs found! Ensure only IP based Feeds are used! ]
    

    Trying to open the URL in a browser fails. Maybe the web site changed the location of the data, or maybe the data is no longer provided.
    Just disable the URL for now.



  • @RonpfS Realized pfBlocker IS NOT snort or suricata, which is what made me think it was not DNS lookups. Implemented the suggested DNS redirect from those links and the constant DNS hits to pfsense stopped, thanks.

    I don't know why 8.8.8.8 would be listed in a pfBlockerNG feed, but I'm grateful it was because it made me aware of some misconfigurations in my network.

