DNS Resolver only using 853 and blocking outbound 53 on 2.4.5p1

  • Hi All,

    It seems some of the documentation is older on how to do this as well as conjecture on how traffic is passed. I do not want to visit each machine and point to or for DNS over 853. I do not care if devices on the LAN use 53 to get DNS from pfSense and I want the unbound DNS Resolver to work so I can use pfBlockerNG-devel.

    When I do a packet capture I do not see 853/UDP and lots of 53/UDP traffic out.

    I understand that I really only need to block the LAN clients from using 53/UDP, does a floating rule make this more difficult to troubleshoot?

    There are times we want IT to do a dig or nslookup over 53, is that something we just tell them to ssh into a pfSense box and don't do that from your workstation?

    Is there a hangout or clear guide(wiki) that is up to date on this procedure to setup and test?


  • SmokinMoJoe- At this point I don't know if your devices are DHCP (sounds like they aren't "I do not want to visit each machine ..."). Windows, the most common OS, doesn't support DOT natively so will speak on port 53 to whatever you have pointed it to for DNS. I understand that Android (not sure about IOS) can natively do DNS on 853. Point all the internal devices to your LAN side PFSense IP for DNS. Then setup DNS Resolver to forward and enable TLS right there. What I also do, is setup the ports I want to allow out from my internal network in several aliases and I don't include port 53. If that's too much work (and it can be) you can have a block rule on LAN for port 53 to WAN, then an allow for all below that if you don't normally lock down the allowed outgoing ports. Aiming all devices at PFSENSE for DNS and blocking 53 from LAN to WAN should work. But I haven't tested that, I always went with allowing specific ports and everything else just doesn't go anywhere.

    BTW I used to manually set all devices IPs, but I have since gone to DHCP and push out all my IP settings that way. Much easier.

  • @riften

    I am using DHCP.

    So I can do unbound on the pfSense LAN side on 53 and use pfBlockerNG-devel or I can skip pfBlockerNG-devel and just pass all my DNS traffic to my forwarder and assume some clients use 53 and others will try to use DOH or DOT?

    I was wondering if unbound could be used to answer both 53 and 853 on the LAN but ONLY speak DOT/DOH to the WAN, like a proxy for DNS that protects privacy of the LAN clients.


  • @SmokinMoJoe
    I don't bother with having PFSense DNS respond to clients attempting to use 853, in my case, I think just phones. They can get their DNS from PFSense same as the PCs. I don't have port 853 open from my LAN or VLANs to the internet anyway.
    PFBLOCKERNG is something I would suggest not muddying up the water with till DNS is squared away. Most computers (all Windows for example) use 53 so they will connect to the LAN interface of PFSense on that port if it is configured as their DNS server. No issues there, it's on a private network. PFSense will do the forwarding on 853 if configured to forward in SERVICES/DNS RESOLVER/GENERAL SETTINGS tab. Just make sure that the DNS servers configured in SYSTEM/GENERAL support DOT. PFSense does use port 53 itself, I am seeing it use the first DNS server listed in SYSTEM/GENERAL, for things like DNS lookup in DIAGNOSTICS. If port 53 is allowed OUT from the LAN and if any clients are using it you will also see those connections.

    NSLOOKUP works fine with it.
    There is the PFSense online book: https://docs.netgate.com/pfsense/en/latest/book/index.html
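A small leak check for the kind of packet capture SmokinMoJoe describes, added here as an illustration and not code from the thread or from pfSense: it assumes a constructed LAN of 192.168.1.0/24 with pfSense answering DNS on 192.168.1.1, and a capture taken on the LAN interface in `tcpdump -n` format, then flags clients that still reach external port 53 (the LAN block rule is not working) or do their own DoT on 853 (bypassing the resolver and pfBlockerNG).

```python
import ipaddress
import re
from collections import Counter

# Assumed topology (constructed, not from the thread): LAN 192.168.1.0/24,
# pfSense LAN address 192.168.1.1. Capture is assumed to be taken on the LAN
# interface, so client addresses are visible before NAT.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
RESOLVER_IP = ipaddress.ip_address("192.168.1.1")

# Matches the "IP src.port > dst.port:" part of a tcpdump -n line (UDP or TCP).
FLOW_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def classify(line):
    """Return (category, client_ip) for a DNS-related capture line, else None."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1))
    dst = ipaddress.ip_address(m.group(3))
    dport = int(m.group(4))
    if src not in LAN_NET or dport not in (53, 853):
        return None                                # replies, non-DNS, or not a LAN client
    if dst == RESOLVER_IP and dport == 53:
        return ("ok_local_resolver", str(src))     # the intended path: client -> pfSense:53
    if dst not in LAN_NET and dport == 53:
        return ("leak_plain_dns", str(src))        # should have been blocked LAN -> WAN
    if dst not in LAN_NET and dport == 853:
        return ("bypass_dot", str(src))            # client speaks DoT itself (TCP 853)
    return None

def summarize(lines):
    """Count each category and collect the offending client IPs."""
    counts, offenders = Counter(), {}
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        cat, ip = result
        counts[cat] += 1
        if cat != "ok_local_resolver":
            offenders.setdefault(cat, set()).add(ip)
    return counts, offenders

# Constructed sample capture lines in tcpdump -n output format, not real traffic.
SAMPLE = """\
10:00:01.000001 IP 192.168.1.50.51234 > 192.168.1.1.53: 1234+ A? example.com. (29)
10:00:01.000200 IP 192.168.1.1.53 > 192.168.1.50.51234: 1234 1/0/0 A 93.184.216.34 (45)
10:00:02.000001 IP 192.168.1.77.40001 > 8.8.8.8.53: 4321+ A? example.net. (29)
10:00:03.000001 IP 192.168.1.88.40002 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
""".splitlines()
```

Run `summarize(SAMPLE)` on the output of `tcpdump -n -r capture.pcap` saved from Diagnostics > Packet Capture; any `leak_plain_dns` entries mean the block rule is not matching those clients.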
