    DNS issue

Firewalling
    14 Posts 3 Posters 878 Views 3 Watching
scorpoin:

Hello to the community,

I'm having a strange issue. When I add a static IP and set the primary DNS to my pfSense IP and the secondary DNS to 8.8.8.8, my Chrome and Microsoft Edge open those blocked websites, for example facebook.com and youtube.com. When I remove the Google DNS from the secondary, those sites get blocked. Any idea how to block this, so that if a client tries to add a static DNS other than my firewall it gets blocked?

Regards
Gertjan @scorpoin:

@scorpoin said in DNS issue:

My Chrome and Microsoft Edge open those blocked websites, for example

Use the default DNS settings.

You control your local DNS (unbound):

add primary DNS as my pfSense IP

but you also added:

Secondary DNS 8.8.8.8.

so these two are communicated to your devices when they ask for a DHCP lease. They can use whatever DNS they want. And if one (pfSense) doesn't give an answer, they try the other one, or a hard-coded spare DNS like ... 8.8.8.8.

What you should do: go over to where 8.8.8.8 is and install pfBlockerNG over there too, with the same settings. Good luck.

Or, far easier: never ever change the default DNS settings.

Only forward to guys like 8.8.8.8 if they pay you for your data. If not: you don't need them (they need you!).
Specifying DNS servers is something from the past; these days you already use the best servers: the root servers. It ain't gonna get better.

No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??
scorpoin @Gertjan:

@gertjan Thank you for your prompt response.

Below is the screenshot of System > General Setup > DNS Server:

[Screenshot: pfSense System > General Setup]

DHCP setting:

[Screenshot: pfSense Services > DHCP Server > LAN]

All I want is to restrict all of my clients from using any DNS other than my pfSense, 172.16.159.254. I can remove the DNS from the DHCP settings, but what if a client uses a static IP and static DNS 8.8.8.8 and 8.8.4.4? Then how do I block such clients?

Regards
scorpoin:

On the other hand, Firefox is doing great: no matter what, if I use a static DNS it does block it. I don't get why this abnormal behavior happens with Chrome and Microsoft Edge.
Gertjan @scorpoin:

@scorpoin said in DNS issue:

All I want is

No, you do not want that.

Your second image instructed pfSense that it should hand out 8.8.4.4 and 8.8.8.8 to your devices.
And so they use 8.8.4.4 and 8.8.8.8.

Do what I said above: locate these servers 8.8.4.4 and 8.8.8.8, install pfBlockerNG on them too, and you'll be fine.

Ok, I know, I'm silly.
Just believe me: DITCH 8.8.8.8 - 8.8.4.4 etc. etc. etc.
Use a DNS server to forward to if you pay them, like OpenDNS, which is actually a service very comparable to what you decided to do locally: pfBlockerNG.

@scorpoin said in DNS issue:

but what if a client uses a static IP and static DNS 8.8.8.8 and 8.8.4.4? Then how do I block such clients?

First of all, 8.8.8.8 etc. is not the Internet.
You think it is.
The Internet worked fine for 30 years before they came.

I even block all these 'free' DNS server IPs using pfBlockerNG:
bad for them if they try to use them. As an admin I've said that the local gateway is the network's DNS = pfSense.
Not some other hard-coded DNS server.

[Screenshot: pfBlockerNG blocking public DNS server IPs]

Even my TV set, some smart TV, in power-down mode right now, is hitting 8.8.8.8 all the time.
Interesting.
Screw it.
(And it just works fine without 8.8.8.8, as it will use pfSense to do the resolving...
It's using 8.8.8.8 for telemetry / usage, and of course so it has a backup DNS if the local admin f*cked up the local DNS, as happens a lot these days.)
scorpoin:

I've removed the other DNS and only added the pfSense IP there.

NAT_RULE_LAN_DNS:
[Screenshot: pfSense Firewall > NAT > Port Forward]

Firewall_LAN_DNS_Rule:
[Screenshot: pfSense Firewall > Rules > LAN]

When giving a static IP with a public DNS to my test machine, it is working; even when giving the OpenDNS IP it is working too. Do I have to add some kind of list in pfBlocker?
It's still the same situation now :/
Gertjan @scorpoin:

@scorpoin

172.16.159.254 is your pfSense LAN IP?

Some devices use 853.
You do not block 853 for !172.16.159.254 .....

Btw: listing a snippet of firewall rules is useless.
All the rules have to be taken into account.

What if you were hiding an initial:

[Screenshot]

?

Or not telling about some floating rules?

pfBlockerNG: see the image I showed above. You can see the name of the feed that blocks public DNSs.

Also check out Firewall > pfBlockerNG > DNSBL > DNSBL SafeSearch.
scorpoin @Gertjan:

@gertjan there you go.

Safe_Search:
[Screenshot: pfSense Firewall > pfBlockerNG > DNSBL > DNSBL SafeSearch]

Floating_Rules:
[Screenshot: pfSense Firewall > Rules > Floating]

I've already disabled "allow all"; only allowed IP addresses will pass through.

Regards
Gertjan @scorpoin:

@scorpoin

I have no firewall rules to block any DNS.
I'm forcing devices to use my (pfSense) DNS.

Just pfBlockerNG, using these feeds:

[Screenshot: pfBlockerNG feed]

and

[Screenshot: pfBlockerNG feed]

and, as you can see, I block mostly [whatever]:53.
scorpoin @Gertjan:

@gertjan

Can you point me toward the exact location of those rules? Then I will test and look much deeper into this; this thread might help someone else who is in a similar situation :)

Regards
Gertjan @scorpoin:

@scorpoin said in DNS issue:

can you point me

You use pfBlockerNG, right?
On the "Feeds" page:
Firewall > pfBlockerNG > Feeds
Hit Ctrl-F.
Type Great.
Hit Enter.
You find two lines: the two images I showed you above.
Click on the word Great.
GitHub opens.
Click on the link "heGreatWall_ipv4.txt".
Hit Ctrl-F.
Type 8.8.8.8.
Hit Enter.
You found the place where 8.8.8.8 is blocked, if you use this feed.
scorpoin @Gertjan:

@gertjan Thanks.

It's done.

If anyone is having this issue, you can refer to this thread and get your issue resolved.

So far it's working as I expected. I also added the public DNS server feed from Feeds.

Regards
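Editor's added example, illustrating the two approaches the thread ends up comparing (the 53/853 firewall rule that only allows pfSense as destination, and the pfBlockerNG IP feed that blocks public resolver addresses on every port). This is not code from the thread, pfSense or pfBlockerNG. It assumes the pfSense LAN IP 172.16.159.254 given in the thread, a constructed feed in the one-address-or-CIDR-per-line format that pfBlockerNG IPv4 feeds use (the real "GreatWall" feed is not reproduced), and constructed flow records of the form "<src> <dst> <proto> <dport>". The point it makes beyond the posts: Chromium-based browsers such as Chrome and Edge, when the configured resolver is a known provider like 8.8.8.8, automatically upgrade to that provider's DNS-over-HTTPS endpoint on TCP 443, so a rule that only blocks 53 and 853 to non-pfSense destinations lets those lookups through, while blocking the resolver's IP on all ports (what the feed does) does not.

```python
"""Audit DNS egress against the two approaches discussed in the thread.

Added example, not code from the thread, pfSense or pfBlockerNG.
Assumptions: pfSense LAN IP 172.16.159.254 (from the thread); a constructed
feed in the one-address-or-CIDR-per-line format pfBlockerNG IPv4 feeds use;
constructed flow records "<src> <dst> <proto> <dport>" (not real pfSense logs).
"""
import ipaddress
from typing import NamedTuple

LAN_DNS = ipaddress.ip_address("172.16.159.254")  # pfSense LAN IP (from the thread)
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS (853, as noted in the thread)

# Constructed sample feed; the addresses are illustrative, not the real list.
SAMPLE_FEED = """\
# public resolvers (constructed sample, not the real feed)
8.8.8.8
8.8.4.4/32
208.67.222.0/24   # OpenDNS range, assumed for the example
1.1.1.1
"""

# Constructed flow records, not real firewall logs.
SAMPLE_FLOWS = """\
172.16.159.10 172.16.159.254 udp 53
172.16.159.10 8.8.8.8 udp 53
172.16.159.11 8.8.8.8 tcp 853
172.16.159.11 8.8.8.8 tcp 443
172.16.159.12 208.67.222.222 tcp 443
172.16.159.12 93.184.216.34 tcp 443
"""


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_feed(text: str) -> list[ipaddress.IPv4Network]:
    """Parse a feed: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_flows(text: str) -> list[Flow]:
    """Parse constructed "<src> <dst> <proto> <dport>" records."""
    flows = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        src, dst, proto, dport = raw.split()
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)))
    return flows


def port_rule_verdict(flow: Flow, lan_dns=LAN_DNS) -> str:
    """Firewall-rule approach from the thread: block 53/853 to anything but pfSense."""
    if flow.dport in DNS_PORTS and flow.dst != lan_dns:
        return "block:port"
    return "pass"


def feed_verdict(flow: Flow, blocked: list[ipaddress.IPv4Network]) -> str:
    """pfBlockerNG approach: block the resolver address, whatever the port."""
    if any(flow.dst in net for net in blocked):
        return "block:feed"
    return "pass"


def combined_verdict(flow: Flow, blocked, lan_dns=LAN_DNS) -> str:
    """Both layers together, port rule evaluated first."""
    verdict = port_rule_verdict(flow, lan_dns)
    return verdict if verdict != "pass" else feed_verdict(flow, blocked)


def escaped_port_rules(flows, blocked, lan_dns=LAN_DNS) -> list[Flow]:
    """Flows the port rules pass but the feed stops: a resolver reached on another port, e.g. DoH on 443."""
    return [f for f in flows
            if port_rule_verdict(f, lan_dns) == "pass" and feed_verdict(f, blocked) != "pass"]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for f in parse_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {combined_verdict(f, feed)}")
```

Run stand-alone, the script shows the 53 and 853 flows to 8.8.8.8 stopped by the port rule, while the 443 flows to 8.8.8.8 and to the OpenDNS range pass the port rule and are only stopped by the feed; a real deployment would read the flows from the pfSense firewall log and the networks from the feed file pfBlockerNG downloaded.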
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.