DNS Security - Denying Local Only



  • Good Day Everyone,

    I recently switched my pfSense from using the DNS Forwarder to the DNS Resolver. While I used the forwarder it was configured to forward to my primary DC, which used root entries. If I did not want the forward to occur for, say, my DMZ or Guest networks, I simply de-selected those interfaces on the forwarder and could continue to use the firewall itself as a DNS forwarder to upstream servers.

    Now I am using the DNS Resolver, which is awesome, but I'm having difficulty blocking my DNS from resolving IPs or FQDNs of my local network. While the firewall rules block the communications from establishing, it is still resolving and giving away pieces of information about a private network.

    I can see the DNS Resolver has ACLs, but there doesn't appear to be an option to block only LAN traffic; it's either block/reject all queries or accept them. I want to continue using the firewall as a DNS server where it forwards queries to root servers on the Internet, but I do not want the DMZ or Guest VLANs to be resolving queries for local networks or FQDNs. If I de-select the DMZ/Guest interfaces from the Resolver configuration, all DNS stops working.

    Any advice or solutions are welcome and if more information is needed please let me know. Thanks.
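One way to express the split the post asks for inside unbound itself (the daemon behind the pfSense DNS Resolver), as an added example that is not from the post or from pfSense's generated configuration: it uses unbound's `view:` clause, which lets a subnet keep full recursion while being denied the local zones. The subnets, the view name and the `lab.internal` domain are placeholders, and it is assumed the snippet is pasted into the Resolver's Custom Options box on a firewall whose unbound supports views.

```conf
# Added example, not pfSense's generated unbound.conf. Assumed subnets:
# LAN 192.168.1.0/24 (may see local names), DMZ 10.10.20.0/24 and
# Guest 10.10.30.0/24 (recursion only). Assumed local domain: lab.internal.
server:
    # Every client subnet still needs an ordinary allow entry; a view
    # only selects which local data a client is shown, it grants nothing.
    access-control: 192.168.1.0/24 allow
    access-control: 10.10.20.0/24 allow
    access-control: 10.10.30.0/24 allow
    # Attach the restricted view to the DMZ and Guest ranges only;
    # LAN keeps the global local-zone/local-data that pfSense generates.
    access-control-view: 10.10.20.0/24 "no-local"
    access-control-view: 10.10.30.0/24 "no-local"

view:
    name: "no-local"
    # Do not fall back to the global local-data (host overrides and
    # DHCP registrations); unmatched names go to normal recursion.
    view-first: no
    # Answer REFUSED for the internal forward zone and the RFC 1918
    # reverse zones, so nothing about the private network is returned.
    local-zone: "lab.internal." refuse
    local-zone: "10.in-addr.arpa." refuse
    local-zone: "168.192.in-addr.arpa." refuse
    # 172.16/12 spans 16.172.in-addr.arpa. through 31.172.in-addr.arpa.;
    # add one line per /16 that is in use.
```

Check it from each side: a lookup of a host in `lab.internal` from a Guest address should return REFUSED while the same lookup from LAN returns the record, and a public name should resolve from both.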
