Block DNS not working.... How to?



  • Followed the guide here:

    https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

    This is in the guide...

    [screenshot from the guide]

    This is how it looks

    [screenshot]

    Still no dice.

    Corresponding FW rules:

    [screenshot]

    Port forwards NAT:

    [screenshot]

    General systems setup:

    [screenshot]

    DNS servers used when testing for DNS leaks:

    [screenshot]

    And when I test using Google DNS, everything is working fine and DNS is bypassing the FW.

    What am I doing wrong?



  • @Cool_Corona
    I think your first rule needs to be a NAT rule, too.
    [screenshot]


  • LAYER 8 Global Moderator

    Couple of things.. In link you provided about redirecting dns.. It clearly states

    "If DNS requests to other DNS servers are blocked, such as by following Blocking External Client DNS Queries, ensure the rule to pass DNS to 127.0.0.1 is above any rule that blocks DNS."

    Where is said rule in your rules? You do not allow this in your rules, so how would it work?

    Also, not sure what forwarding to the roots is going to do.. The root servers do not allow recursive queries.. You cannot ask the root servers for google.com, for example..

    If you ask a root server for www.google.com, all it's going to hand back to you is the NS for .com

    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A
    
    ;; AUTHORITY SECTION:
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    

    So such a setup as you have would never ever work to resolve anything..
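The rule-ordering point above (NAT redirect first, then first-matching filter rule wins, so the "pass DNS to 127.0.0.1" rule must sit above the block rule) can be made concrete with a small model of the LAN rule evaluation. This is an added illustration, not code from the thread, from pfSense or from the Netgate guide; the LAN subnet, firewall address and client address are constructed sample values, and the rule set is a simplified reading of the guide (a port forward that rewrites LAN DNS traffic not aimed at the firewall itself to 127.0.0.1:53, a pass rule for that redirected traffic, a block rule for any other DNS, and a default LAN allow).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample addressing; assumption, not taken from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_LAN_IP = ipaddress.ip_address("192.168.1.1")
RESOLVER = ipaddress.ip_address("127.0.0.1")   # the guide's redirect target
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    action: str                                   # "pass" or "block"
    dst: Union[ipaddress.IPv4Network, ipaddress.IPv4Address, None]  # None = any
    dport: Optional[int]                          # None = any port
    label: str


def apply_port_forward(pkt: Packet) -> Packet:
    """Model of the guide's NAT port forward: LAN DNS queries that are not
    addressed to the firewall itself are rewritten to 127.0.0.1:53.
    NAT runs before the filter rules, so the filter sees the rewritten packet."""
    if pkt.src in LAN_NET and pkt.dport == DNS_PORT and pkt.dst != FIREWALL_LAN_IP:
        return Packet(pkt.src, RESOLVER, DNS_PORT, pkt.proto)
    return pkt


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.dst is None:
        return True
    if isinstance(rule.dst, ipaddress.IPv4Network):
        return pkt.dst in rule.dst
    return pkt.dst == rule.dst


def evaluate(rules: list, pkt: Packet) -> tuple:
    """First matching rule wins (pfSense interface rules are evaluated top-down
    with an implicit 'quick'); no match falls through to the default deny.
    Returns (action, matched rule label, destination seen by the filter)."""
    pkt = apply_port_forward(pkt)
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label, str(pkt.dst)
    return "block", "default deny", str(pkt.dst)


# The three filter rules the guide describes, as a simplified model.
PASS_TO_RESOLVER = Rule("pass", RESOLVER, DNS_PORT, "pass DNS to 127.0.0.1")
BLOCK_OTHER_DNS = Rule("block", None, DNS_PORT, "block DNS to any")
ALLOW_LAN_OUT = Rule("pass", None, None, "default allow LAN to any")

# Order the guide asks for: the pass rule is above the block rule.
ORDER_FROM_GUIDE = [PASS_TO_RESOLVER, BLOCK_OTHER_DNS, ALLOW_LAN_OUT]
# Order that silently breaks resolution: the block rule comes first.
ORDER_BLOCK_FIRST = [BLOCK_OTHER_DNS, PASS_TO_RESOLVER, ALLOW_LAN_OUT]
# No pass rule at all: the redirected query has nothing to match but the block.
ORDER_NO_PASS = [BLOCK_OTHER_DNS, ALLOW_LAN_OUT]


def client_query(dns_server: str, proto: str = "udp") -> Packet:
    """A LAN client (constructed address) sending a DNS query to an arbitrary server."""
    return Packet(ipaddress.ip_address("192.168.1.50"),
                  ipaddress.ip_address(dns_server), DNS_PORT, proto)


if __name__ == "__main__":
    for name, rules in (("guide order", ORDER_FROM_GUIDE),
                        ("block first", ORDER_BLOCK_FIRST),
                        ("no pass rule", ORDER_NO_PASS)):
        print(name, evaluate(rules, client_query("8.8.8.8")))
```

With the guide's order, a query to any outside resolver is rewritten to 127.0.0.1 and passed to the local resolver; with the block rule first, or with no pass rule at all, the same rewritten query hits "block DNS to any" and the client gets no answer, which is the symptom the moderator is pointing at. Non-DNS traffic is untouched by the port forward and falls through to the default allow in every ordering.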



  • Thank you :)

