DNS Resolver only using 853 and blocking outbound 53 on 2.4.5p1
Hi All,
It seems some of the documentation is older on how to do this as well as conjecture on how traffic is passed. I do not want to visit each machine and point to 1.1.1.1 or 9.9.9.9 for DNS over 853. I do not care if devices on the LAN use 53 to get DNS from pfSense and I want the unbound DNS Resolver to work so I can use pfBlockerNG-devel.
When I do a packet capture I do not see 853/UDP and lots of 53/UDP traffic out.
I understand that I really only need to block the LAN clients from using 53/UDP; does a floating rule make this more difficult to troubleshoot?
There are times we want IT to do a dig or nslookup over 53. Is that something where we just tell them to ssh into a pfSense box and not do that from their workstation?
Is there a hangout or clear guide (wiki) that is up to date on this procedure to set up and test?
Thanks,
Joe
SmokinMoJoe - At this point I don't know if your devices are DHCP (sounds like they aren't: "I do not want to visit each machine ..."). Windows, the most common OS, doesn't support DoT natively, so it will speak on port 53 to whatever you have pointed it to for DNS. I understand that Android (not sure about iOS) can natively do DNS on 853. Point all the internal devices to your LAN-side pfSense IP for DNS. Then set up DNS Resolver to forward and enable TLS right there. What I also do is set up the ports I want to allow out from my internal network in several aliases, and I don't include port 53. If that's too much work (and it can be) you can have a block rule on LAN for port 53 to WAN, then an allow for all below that if you don't normally lock down the allowed outgoing ports. Aiming all devices at pfSense for DNS and blocking 53 from LAN to WAN should work. But I haven't tested that; I always went with allowing specific ports and everything else just doesn't go anywhere.
BTW I used to manually set all devices' IPs, but I have since gone to DHCP and push out all my IP settings that way. Much easier.
I am using DHCP.
So I can do unbound on the pfSense LAN side on 53 and use pfBlockerNG-devel, or I can skip pfBlockerNG-devel and just pass all my DNS traffic to my forwarder and assume some clients use 53 and others will try to use DoH or DoT?
I was wondering if unbound could be used to answer both 53 and 853 on the LAN but ONLY speak DoT/DoH to the WAN, like a proxy for DNS that protects the privacy of the LAN clients.
Thanks,
Joe
@SmokinMoJoe
I don't bother with having pfSense DNS respond to clients attempting to use 853; in my case, I think that's just phones. They can get their DNS from pfSense same as the PCs. I don't have port 853 open from my LAN or VLANs to the internet anyway.
pfBlockerNG is something I would suggest not muddying the water with until DNS is squared away. Most computers (all Windows, for example) use 53, so they will connect to the LAN interface of pfSense on that port if it is configured as their DNS server. No issues there; it's on a private network. pfSense will do the forwarding on 853 if configured to forward in the Services/DNS Resolver/General Settings tab. Just make sure that the DNS servers configured in System/General support DoT. pfSense does use port 53 itself; I am seeing it use the first DNS server listed in System/General for things like DNS Lookup in Diagnostics. If port 53 is allowed out from the LAN and any clients are using it, you will also see those connections. nslookup works fine with it.
There is the pfSense online book: https://docs.netgate.com/pfsense/en/latest/book/index.html
So I now have the LAN using 53 and the WAN using 853 only. I do need to block DNS out on 53/853 from my LAN, as my LAN should ONLY be using my pfSense unbound resolver; struggling with this now. This means my ISP can no longer harvest my DNS traffic to sell to the lowest bidder! LOL. I am using pfSense 2.4.5-p1.
What I had to do:
- System/General Setup/DNS Servers: input 1.1.1.1, 1.0.0.1, 9.9.9.9 and 149.112.112.9
- Make sure those DNS IP addresses have the correct FQDN entered as well
- (uncheck) Allow DNS server list to be overridden by DHCP/PPP on WAN
- (uncheck) Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall
- Services/DNS Resolver: use "Custom options" after the pfBlockerNG line
- Restart the DNS Resolver
- Verify the UDP 53 states are expired
This was the "Custom Options" that I had to add:
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.9@853
This is the Diagnostics/pfTop/Filter Expression "dst port 53" setting to verify that my pfSense firewall is doing all the DNS for the LAN.
This is the Diagnostics/pfTop/Filter Expression "dst port 853" setting to verify that my pfSense firewall is doing all the DoT on the WAN.
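As an added check (my example, not Joe's or Netgate's code), a small Python audit of tcpdump-style capture lines from the LAN and WAN sides: it assumes the firewall's LAN and WAN addresses 192.168.1.1 and 203.0.113.10 plus the four forwarders from the custom options above, and flags any LAN client reaching DNS other than the resolver, any client-side DoT, or any plaintext 53 leaving the WAN. The capture lines are constructed.

```python
"""Added example (not from the thread): audit tcpdump-style lines captured on the
LAN and WAN interfaces to confirm LAN clients only reach the pfSense resolver on
53 and the firewall only speaks DoT (853) to its forwarders. Values constructed."""
import re
from collections import Counter

LAN_ADDR = "192.168.1.1"      # assumed pfSense LAN address
WAN_ADDR = "203.0.113.10"     # assumed pfSense WAN address
DOT_FORWARDERS = {"1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.9"}

# "tcpdump -nn" flow header: "IP src.sport > dst.dport:"
FLOW_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def classify(iface, line):
    """Label one captured flow for the given interface; None for non-DNS lines."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, _sport, dst, dport = m.groups()
    if iface == "lan":
        if dport == "53":
            return "resolver" if dst == LAN_ADDR else "leak53"  # client using external DNS
        if dport == "853":
            return "leak853"  # client doing its own DoT, bypassing the resolver
    elif iface == "wan":
        if dport == "853":
            return "dot_ok" if src == WAN_ADDR and dst in DOT_FORWARDERS else "dot_unexpected"
        if dport == "53":
            return "wan53"  # plaintext DNS leaving the WAN; should be zero after the change
    return None

def audit(lan_capture, wan_capture):
    """Count labels per interface; any leak53/leak853/wan53 count is a finding."""
    lan = Counter(filter(None, (classify("lan", ln) for ln in lan_capture.splitlines())))
    wan = Counter(filter(None, (classify("wan", ln) for ln in wan_capture.splitlines())))
    return lan, wan

# Constructed sample captures, not real traffic.
LAN_SAMPLE = """\
IP 192.168.1.50.51234 > 192.168.1.1.53: 1+ A? example.com. (29)
IP 192.168.1.51.52000 > 8.8.8.8.53: 2+ A? example.org. (29)
IP 192.168.1.60.40000 > 1.1.1.1.853: Flags [S], seq 0, length 0
IP 192.168.1.50.55555 > 198.51.100.7.443: Flags [S], seq 0, length 0
"""
WAN_SAMPLE = """\
IP 203.0.113.10.41422 > 1.1.1.1.853: Flags [S], seq 0, length 0
IP 203.0.113.10.41423 > 9.9.9.9.853: Flags [S], seq 0, length 0
IP 203.0.113.10.51000 > 8.8.8.8.53: 3+ A? example.net. (29)
"""
```

Run `audit(LAN_SAMPLE, WAN_SAMPLE)` against your own `tcpdump -nn -i <if> port 53 or port 853` output; a non-zero wan53 count after the change means something on the firewall is still resolving over plaintext 53.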
This link from Netgate allowed me to make the rule to block 53/853 just like I was struggling with. Perfect, and glad the docs are so good: https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html
Navigate to Firewall > Rules, LAN tab
Create the block rule as the first rule in the list:
Click Add to create a new rule at the top of the list
Fill in the following fields on the rule:
- Action: Reject
- Interface: LAN
- Protocol: TCP/UDP
- Destination: Any
- Destination Port Range: DNS (53)
- Description: Block DNS to Everything Else
Create the pass rule to allow DNS to the firewall, above the block rule:
Click Add to create a new rule at the top of the list
Fill in the following fields on the rule:
- Action: Pass
- Interface: LAN
- Protocol: TCP/UDP
- Destination: LAN Address
- Destination Port Range: DNS (53)
- Description: Pass DNS to the Firewall
Click Apply Changes to reload the ruleset
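To see why the pass rule has to sit above the reject rule, here is an added first-match walk through the LAN ruleset the recipe produces (example code, not Netgate's); it assumes the LAN address 192.168.1.1 and a default "allow LAN to any" rule below the two DNS rules.

```python
"""Added example (not from the Netgate recipe): first-match evaluation of the LAN
ruleset the recipe produces, showing why the pass rule must sit above the reject
rule and which DNS traffic the two rules do not cover. Addresses constructed."""

LAN_ADDRESS = "192.168.1.1"   # assumed pfSense LAN address ("LAN Address" in the GUI)

# Rules as (action, destination, destination port, description). pfSense GUI
# rules are "quick", so the first match decides; None means "any".
RECIPE_RULES = [
    ("pass",   LAN_ADDRESS, 53,   "Pass DNS to the Firewall"),
    ("reject", None,        53,   "Block DNS to Everything Else"),
    ("pass",   None,        None, "Default allow LAN to any"),   # assumed existing rule
]

def evaluate(rules, dst, dport):
    """Return (action, description) of the first rule matching dst:dport,
    or the implicit default deny when nothing matches."""
    for action, rule_dst, rule_port, desc in rules:
        if rule_dst is not None and rule_dst != dst:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action, desc
    return "block", "implicit default deny"

def decisions(rules):
    """Decide a few representative LAN client flows against a ruleset."""
    return {
        "client -> firewall:53": evaluate(rules, LAN_ADDRESS, 53)[0],
        "client -> 8.8.8.8:53": evaluate(rules, "8.8.8.8", 53)[0],
        "client -> 1.1.1.1:853": evaluate(rules, "1.1.1.1", 853)[0],
    }

# The same DNS rules with the pass rule placed below the reject rule.
SWAPPED_RULES = [RECIPE_RULES[1], RECIPE_RULES[0], RECIPE_RULES[2]]

if __name__ == "__main__":
    print("recipe order :", decisions(RECIPE_RULES))
    print("swapped order:", decisions(SWAPPED_RULES))
```

With the rules swapped, clients can no longer reach the resolver on the firewall at all. With only these two rules, a client speaking DoT to a public resolver on 853 still matches the default allow, so the 53/853 block Joe wanted needs a second reject rule for port 853.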