Netgate Discussion Forum

    DNS Resolver only using 853 and blocking outbound 53 on 2.4.5p1

    DHCP and DNS
    6 Posts 2 Posters 2.5k Views
    • S
      SmokinMoJoe
      last edited by

      Hi All,

      It seems some of the documentation is older on how to do this as well as conjecture on how traffic is passed. I do not want to visit each machine and point to 1.1.1.1 or 9.9.9.9 for DNS over 853. I do not care if devices on the LAN use 53 to get DNS from pfSense and I want the unbound DNS Resolver to work so I can use pfBlockerNG-devel.

      When I do a packet capture I do not see 853/UDP and lots of 53/UDP traffic out.

      I understand that I really only need to block the LAN clients from using 53/UDP, does a floating rule make this more difficult to troubleshoot?

      There are times we want IT to do a dig or nslookup over 53, is that something we just tell them to ssh into a pfSense box and don't do that from your workstation?

      Is there a hangout or clear guide(wiki) that is up to date on this procedure to setup and test?

      Thanks,
      Joe

      • R
        riften
        last edited by

        SmokinMoJoe - At this point I don't know if your devices are DHCP (sounds like they aren't: "I do not want to visit each machine ..."). Windows, the most common OS, doesn't support DoT natively so will speak on port 53 to whatever you have pointed it to for DNS. I understand that Android (not sure about iOS) can natively do DNS on 853. Point all the internal devices to your LAN side pfSense IP for DNS. Then set up DNS Resolver to forward and enable TLS right there. What I also do is set up the ports I want to allow out from my internal network in several aliases, and I don't include port 53. If that's too much work (and it can be) you can have a block rule on LAN for port 53 to WAN, then an allow for all below that if you don't normally lock down the allowed outgoing ports. Aiming all devices at pfSense for DNS and blocking 53 from LAN to WAN should work. But I haven't tested that; I always went with allowing specific ports and everything else just doesn't go anywhere.

        BTW I used to manually set all devices' IPs, but I have since gone to DHCP and push out all my IP settings that way. Much easier.

        • S
          SmokinMoJoe @riften
          last edited by

          @riften

          I am using DHCP.

          So I can do unbound on the pfSense LAN side on 53 and use pfBlockerNG-devel, or I can skip pfBlockerNG-devel and just pass all my DNS traffic to my forwarder and assume some clients use 53 and others will try to use DoH or DoT?

          I was wondering if unbound could be used to answer both 53 and 853 on the LAN but ONLY speak DoT/DoH to the WAN, like a proxy for DNS that protects the privacy of the LAN clients.

          Thanks,
          Joe

          • R
            riften @SmokinMoJoe
            last edited by

            @SmokinMoJoe
            I don't bother with having pfSense DNS respond to clients attempting to use 853; in my case, I think just phones. They can get their DNS from pfSense same as the PCs. I don't have port 853 open from my LAN or VLANs to the internet anyway.
            pfBlockerNG is something I would suggest not muddying up the water with till DNS is squared away. Most computers (all Windows, for example) use 53, so they will connect to the LAN interface of pfSense on that port if it is configured as their DNS server. No issues there, it's on a private network. pfSense will do the forwarding on 853 if configured to forward in the Services/DNS Resolver/General Settings tab. Just make sure that the DNS servers configured in System/General support DoT. pfSense does use port 53 itself; I am seeing it use the first DNS server listed in System/General for things like DNS Lookup in Diagnostics. If port 53 is allowed OUT from the LAN and any clients are using it, you will also see those connections.

            nslookup works fine with it.
            There is the pfSense online book: https://docs.netgate.com/pfsense/en/latest/book/index.html

            • S
              SmokinMoJoe @riften
              last edited by

              @riften

              So I now have the LAN using 53 and the WAN using 853 only. I do need to block DNS out on 53/853 from my LAN, as my LAN should ONLY be using my pfSense unbound resolver; struggling with this now. This means my ISP can no longer harvest my DNS traffic to sell to the lowest bidder! LOL. I am using pfSense 2.4.5-p1.

              What I had to do:

              • System/General Setup/DNS Servers: input 1.1.1.1, 1.0.0.1, 9.9.9.9 and 149.112.112.9

              • Make sure those DNS IP addresses have the correct FQDN entered as well

              • (uncheck) Allow DNS server list to be overridden by DHCP/PPP on WAN

              • (uncheck) Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall

              • Services/DNS Resolver and use "Custom options" after the pfBlocker-NG line

              • Restart the DNS Resolver

              • Verify the UDP 53 states are expired

              This was the "Custom Options" that I had to add:

              server:
              forward-zone:
                name: "."
                forward-ssl-upstream: yes
                forward-addr: 1.1.1.1@853
                forward-addr: 1.0.0.1@853
                forward-addr: 9.9.9.9@853
                forward-addr: 149.112.112.9@853

              This is the Diagnostics/pfTop/Filter Expression: "dst port 53" setting to verify that my pfSense firewall is doing all the DNS for the LAN

              This is the Diagnostics/pfTop/Filter Expression: "dst port 853" setting to verify that my pfSense firewall is doing all the DoT on the WAN

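The two checks the post above does by hand (reading the custom options, then watching pfTop for "dst port 53" and "dst port 853") can be scripted. The following is an added example written for this thread, not pfSense or unbound code. It parses unbound-style custom options and reports any forward-addr in a forward-zone that lacks @853 or a zone without TLS upstream enabled (the failure mode where the resolver quietly goes out on plain 53), and it scans a state listing for port-53 states that do not end on the firewall's LAN address and port-853 states that do not start from the firewall's WAN address. The custom options are the post's own; the state lines, the LAN address 192.168.1.1, the WAN address 203.0.113.5 and the client addresses are constructed, in a simplified `pfctl -ss` style (outer source, optional pre-NAT source in parentheses, destination).

```python
"""Offline audit of a pfSense DNS-over-TLS forwarding setup (added example)."""
import re

# The exact custom options from the post, reproduced as test input.
CUSTOM_OPTIONS = """\
server:
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  forward-addr: 9.9.9.9@853
  forward-addr: 149.112.112.9@853
"""


def parse_forward_zones(text):
    """Return [{'name', 'tls', 'addrs'}] for each forward-zone: clause in unbound-style text."""
    zones, cur = [], None
    for raw in text.splitlines():
        # strip comments (a '#' at line start or after whitespace) and indentation;
        # a '#' glued to an address is unbound's auth-name suffix, so it is kept
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line.endswith(":"):                    # clause header: server:, forward-zone:, ...
            cur = {"name": None, "tls": False, "addrs": []} if line == "forward-zone:" else None
            if cur is not None:
                zones.append(cur)
            continue
        if cur is None:                           # attribute of a clause we do not track
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "name":
            cur["name"] = val
        elif key in ("forward-ssl-upstream", "forward-tls-upstream"):  # old and new spelling
            cur["tls"] = val.lower() == "yes"
        elif key == "forward-addr":
            cur["addrs"].append(val)
    return zones


def check_forward_zones(text):
    """List the problems that would make unbound send upstream queries as plain DNS."""
    zones = parse_forward_zones(text)
    problems = [] if zones else ["no forward-zone: clause found"]
    for z in zones:
        if not z["tls"]:
            problems.append(f"zone {z['name']!r}: TLS upstream not enabled")
        for addr in z["addrs"]:
            host, _, port = addr.partition("@")
            port = port.split("#", 1)[0]          # drop an optional #auth-name suffix
            if port != "853":
                problems.append(f"zone {z['name']!r}: {host} has no @853, queries would go out on 53")
    return problems


# Constructed state listing (IPv4 only).  192.168.1.1 is the assumed LAN address,
# 203.0.113.5 the assumed WAN address; the client addresses are made up.
SAMPLE_STATES = """\
all udp 192.168.1.20:51324 -> 192.168.1.1:53       SINGLE:MULTIPLE
all tcp 203.0.113.5:44120 -> 1.1.1.1:853       ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:60211 (192.168.1.31:40021) -> 8.8.8.8:53       SINGLE:MULTIPLE
all tcp 203.0.113.5:44218 (192.168.1.45:52010) -> 9.9.9.9:853       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.20:50333 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
"""
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)(?:\s+\((?P<orig>[^)]+)\))?\s+->\s+(?P<dst>\S+)")


def audit_dns_states(listing, lan_addr, wan_addr):
    """Return (kind, origin, destination) for every DNS state that bypasses the resolver."""
    findings = []
    for line in listing.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        origin = (m["orig"] or m["src"]).rsplit(":", 1)[0]   # pre-NAT source when present
        dst_ip, dst_port = m["dst"].rsplit(":", 1)
        if dst_port == "53" and dst_ip != lan_addr:
            kind = "firewall plain DNS" if origin == wan_addr else "client plain DNS leak"
            findings.append((kind, origin, dst_ip))
        elif dst_port == "853" and origin != wan_addr:
            findings.append(("client DoT bypassing resolver", origin, dst_ip))
    return findings


if __name__ == "__main__":
    print("config problems:", check_forward_zones(CUSTOM_OPTIONS) or "none")
    for finding in audit_dns_states(SAMPLE_STATES, "192.168.1.1", "203.0.113.5"):
        print("state finding:", *finding)
```

Run against the sample, the config passes and two states are flagged: a client talking plain DNS to 8.8.8.8 and a client talking DoT to 9.9.9.9 directly; the firewall's own 853 state to 1.1.1.1 is what the post wants to see. A "firewall plain DNS" finding corresponds to riften's remark that pfSense itself will use port 53 when it is not pointed at the resolver.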
              • S
                SmokinMoJoe @SmokinMoJoe
                last edited by SmokinMoJoe

                @smokinmojoe

                This link from Netgate allowed me to make the rule to block 53/853 just like I was struggling with. Perfect, and glad the docs are so good: https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html

                Navigate to Firewall > Rules, LAN tab

                Create the block rule as the first rule in the list:

                Click Add to create a new rule at the top of the list

                Fill in the following fields on the rule:

                • Action: Reject

                • Interface: LAN

                • Protocol: TCP/UDP

                • Destination: Any

                • Destination Port Range: DNS (53)

                • Description: Block DNS to Everything Else

                Create the pass rule to allow DNS to the firewall, above the block rule:

                Click Add to create a new rule at the top of the list

                Fill in the following fields on the rule:

                • Action: Pass

                • Interface: LAN

                • Protocol: TCP/UDP

                • Destination: LAN Address

                • Destination Port Range: DNS (53)

                • Description: Pass DNS to the Firewall

                Click Apply Changes to reload the ruleset

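The recipe's insistence that the pass rule sit above the reject rule comes from first-match evaluation: pfSense interface rules are "quick", so the first rule matching a packet decides. The following is an added example written for this thread (not pfSense code) that models the two rules plus the stock default-allow LAN rule and shows what each order does to a client's DNS query. It also goes one step past the recipe with a reject rule covering 853 as well as 53, which is what the poster said they wanted. The address 192.168.1.1 is assumed as "LAN address"; the test destinations are the thread's resolvers plus a constructed web server.

```python
"""First-match model of the LAN DNS rules from the Netgate recipe (added example)."""
from ipaddress import ip_address, ip_network

LAN_ADDRESS = ip_address("192.168.1.1")   # assumed firewall LAN IP


def rule(action, protos, dst, ports, description):
    return {"action": action, "protos": protos, "dst": dst, "ports": ports, "desc": description}


# Final order from the recipe: pass-to-firewall first, then the reject, then default allow.
RECIPE_RULES = [
    rule("pass", ("tcp", "udp"), "LAN address", {53}, "Pass DNS to the Firewall"),
    rule("reject", ("tcp", "udp"), "any", {53}, "Block DNS to Everything Else"),
    rule("pass", ("tcp", "udp", "icmp"), "any", None, "Default allow LAN to any rule"),
]

# Beyond the recipe: also stop clients speaking DoT past the resolver on 853.
EXTENDED_RULES = [
    RECIPE_RULES[0],
    rule("reject", ("tcp", "udp"), "any", {53, 853}, "Block DNS and DoT to Everything Else"),
    RECIPE_RULES[2],
]


def matches(r, proto, dst_ip, dst_port):
    """True when the packet's protocol, destination address and port all fit the rule."""
    if proto not in r["protos"]:
        return False
    if r["dst"] == "LAN address":
        if dst_ip != LAN_ADDRESS:
            return False
    elif r["dst"] != "any" and dst_ip not in ip_network(r["dst"]):
        return False
    return r["ports"] is None or dst_port in r["ports"]


def decide(rules, proto, dst, dst_port):
    """Return (action, description) of the first matching rule, else the implicit deny."""
    dst_ip = ip_address(dst)
    for r in rules:
        if matches(r, proto, dst_ip, dst_port):
            return r["action"], r["desc"]
    return "block", "implicit default deny"


def swapped(rules):
    """Same rules with the first two exchanged: reject above pass."""
    return [rules[1], rules[0]] + list(rules[2:])


if __name__ == "__main__":
    cases = (("udp", "192.168.1.1", 53), ("udp", "8.8.8.8", 53), ("tcp", "1.1.1.1", 853))
    for label, rules in (("recipe", RECIPE_RULES), ("swapped", swapped(RECIPE_RULES)),
                         ("extended", EXTENDED_RULES)):
        for proto, dst, port in cases:
            print(f"{label:8} {proto} -> {dst}:{port}: {decide(rules, proto, dst, port)}")
```

With the recipe order a query to the firewall on 53 passes and one to 8.8.8.8 is rejected; with the two rules swapped the "Destination: Any" reject also catches the firewall's own address and the LAN loses DNS entirely. The recipe order still lets a client reach 1.1.1.1 on 853 through the default-allow rule, which the extended ruleset closes.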
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.