    (Stupid?) Log question

pfBlockerNG

mdouglass108
I just recently started using pfBlocker and I'm still trying to figure out this cool piece of software, so this might be a silly question. I have DoH blocked under an alias deny and associated firewall rules. I was looking through the logs and I found an entry on the WAN interface where the source IP is 8.8.8.8:53 and the destination is <my WAN IP>:<random high UDP port>. At first I thought maybe it was a configuration error triggering some type of asymmetric routing condition, but I don't think that is the case. I have a pretty plain vanilla setup with a single WAN gateway (although I do both inbound and outbound filtering of allowed ports and services). Is Google DNS really pinging my WAN a dozen times every three hours (like clockwork)?

Edit: I use Unbound as a resolver for all network clients and I am not configured in any way to use Google DNS.

NollipfSense @mdouglass108

@mdouglass108 First, are you using pfBlockerNG? If not, I recommend that version. Now, the answer: most likely it is one of your clients that is configured to use Google, especially if your client is Android related, and the destination IP should identify the client.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

mdouglass108 @NollipfSense

          @nollipfsense

          1. Yes, using pfBlockerNG-devel
2. I have a few IoT type "smart devices" on their own separate VLAN, but DNS requests are NAT redirected to pfSense. ONLY requests going to pfSense are allowed. I concede that 1 or more of them are very likely to be hard coded to use 8.8.8.8.
          3. No Android devices
          4. Blocker shows the source as 8.8.8.8 on port 53
          5. Blocker shows the destination as my WAN address on a random (and changing) high UDP port.
          6. So are you thinking somehow a host is leaking out to Google DNS and the reply is getting picked up and blocked by pfBlocker?
NollipfSense @mdouglass108

            @mdouglass108 said in (Stupid?) Log question:

            So are you thinking somehow a host is leaking out to Google DNS and the reply is getting picked up and blocked by pfBlocker?

No, it does that only to clients, because the client made a DNS request and that client is not getting its DNS request from pfSense; otherwise you would have the IP address of the device instead of your WAN IP as the destination. Do you force all clients to use pfSense DNS in your LAN firewall like this:

[Screenshot attachment: Screen Shot 2021-05-12 at 7.17.59 PM.png]

mdouglass108 @NollipfSense

              @nollipfsense

              Not quite.

              The DNS rule is as follows for each interface:

              Action = Pass
              Protocol = IPv4 TCP/UDP
              Source = LAN Net
              Source Port = any
              Destination = LAN Interface address (i.e 192.168.10.1)
              Destination Port = 53
              Gateway = any

              All permitted traffic is specifically passed on a rule by rule basis. Each interface has approximately 6-7 rules total. At the end of the rule set there is an explicit block all rule.

              The NAT rule redirecting DNS requests is as follows:
              Protocol = TCP/UDP
              Source = LAN Net
              Source Port = Any
Destination = !LAN Address (NOT LAN)
              Destination Port = 53
              NAT IP = LAN Interface address (i.e. 192.168.10.1)
              NAT Ports = 53

Unbound is configured to listen for requests on LAN (and all other interfaces).

mdouglass108 @NollipfSense

                @nollipfsense

Also, when I filter the pfBlocker logs for a destination of 8.8.8.8 there is nothing, other than the entry for the test I just did to confirm that outbound blocking was working. So it certainly appears that it's not originating from inside my network. Otherwise pfBlocker would be rejecting and logging that request.

This is more of a curiosity than anything else. Why are packets from 8.8.8.8 hitting my WAN every 3 hours or so? I assume that Google uses a range of IP addresses that actually reply to DNS queries directed at 8.8.8.8. If I WERE using Google DNS at 8.8.8.8 and logging that traffic, would the reply show it from 8.8.8.8 or some other address in their assigned range? This goes beyond my shallow pool (or pond) of understanding of how large CDNs function behind the scenes.

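The reasoning in the last two posts can be checked mechanically against the firewall log: a packet from 8.8.8.8:53 that is the reply to a query leaked by an internal client must be preceded on the WAN by the matching outbound query (same addresses and ports, mirrored), and a query that the NAT redirect rule caught never reaches the WAN at all. The script below is an added example, not code from this thread or from pfBlockerNG; it uses a constructed, simplified CSV log format (timestamp, direction, interface, protocol, source, source port, destination, destination port) and constructed sample lines, not pfBlockerNG's real log layout. It classifies each inbound source-port-53 UDP packet on the WAN as solicited or unsolicited, and measures the spacing between unsolicited bursts to test the "every three hours" observation.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One log record in the constructed format (not pfBlockerNG's real layout).
Entry = namedtuple("Entry", "ts direction iface proto src sport dst dport")

# Constructed sample log (203.0.113.10 stands in for the WAN address).
# Line 1+2: a real query leaving the WAN and its reply.
# Lines 3-5: replies from 8.8.8.8:53 with no outbound query before them.
SAMPLE_LOG = """\
2021-05-12 19:00:01,out,wan,udp,203.0.113.10,51233,8.8.8.8,53
2021-05-12 19:00:01,in,wan,udp,8.8.8.8,53,203.0.113.10,51233
2021-05-12 22:00:07,in,wan,udp,8.8.8.8,53,203.0.113.10,40211
2021-05-12 22:00:08,in,wan,udp,8.8.8.8,53,203.0.113.10,40212
2021-05-13 01:00:03,in,wan,udp,8.8.8.8,53,203.0.113.10,47719
"""


def parse_log(text):
    """Parse the constructed CSV format into Entry records, oldest first."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, direction, iface, proto, src, sport, dst, dport = line.split(",")
        entries.append(Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                             direction, iface, proto, src, int(sport),
                             dst, int(dport)))
    return sorted(entries, key=lambda e: e.ts)


def classify_inbound_dns(entries, window=timedelta(seconds=5)):
    """For each inbound UDP packet with source port 53 on the WAN, look for an
    outbound query within `window` before it whose 4-tuple mirrors the reply.
    A match means some host did reach the resolver directly ('solicited');
    no match means nothing that left this firewall could have provoked the
    packet ('unsolicited')."""
    recent_queries = []  # outbound dport-53 packets still inside the window
    results = []
    for e in entries:
        if e.iface != "wan" or e.proto != "udp":
            continue
        if e.direction == "out" and e.dport == 53:
            recent_queries.append(e)
            continue
        if e.direction == "in" and e.sport == 53:
            recent_queries = [q for q in recent_queries if e.ts - q.ts <= window]
            matched = any(q.dst == e.src and q.dport == e.sport
                          and q.src == e.dst and q.sport == e.dport
                          for q in recent_queries)
            results.append((e, "solicited" if matched else "unsolicited"))
    return results


def burst_intervals(results, gap=timedelta(minutes=1)):
    """Group unsolicited packets into bursts (consecutive packets less than
    `gap` apart) and return the time between successive burst starts."""
    starts = []
    last = None
    for e, status in results:
        if status != "unsolicited":
            continue
        if last is None or e.ts - last > gap:
            starts.append(e.ts)
        last = e.ts
    return [b - a for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    classified = classify_inbound_dns(parse_log(SAMPLE_LOG))
    for entry, status in classified:
        print(f"{entry.ts} {entry.src}:{entry.sport} -> "
              f"{entry.dst}:{entry.dport}  {status}")
    print("intervals between unsolicited bursts:",
          [str(i) for i in burst_intervals(classified)])
```

Run against a real export, an "unsolicited" verdict on every 8.8.8.8:53 entry is consistent with the poster's observation that nothing in the outbound log points at 8.8.8.8, while a "solicited" verdict would identify the leaking client through the outbound query's pre-NAT source in the LAN-side log. The 5-second window is an assumption; DNS replies normally arrive well inside it.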
NollipfSense @mdouglass108

@mdouglass108 It should be in the DNSBL log. May I suggest turning off all devices, then turning them on one by one to find the culprit.

mdouglass108 @NollipfSense

                    @nollipfsense

I'm not running DNSBL yet (still trying to figure out pfBlocker). I'm using an IP list to block DoH, specifically Alias Deny with the list TheGreatWall_DoH_IP.

The list of likely clients to unplug is a lot shorter than the list of ALL clients to unplug, so I'll start with those first. The fact that there are no outbound log entries in pfBlocker seems to suggest it could be something like this post from another forum:

                    https://community.spiceworks.com/topic/527938-strange-inbound-udp-packets

I really appreciate you taking time out of your day to respond, but since this is more of a curiosity than an operational issue I'll mark this thread as closed. As near as I can tell, everything is working correctly on my network. Blocked things are getting blocked and allowed traffic is getting passed. If I find anything interesting or noteworthy I'll post it here, but for now I think I'm done.

                    Thank you.

                    Cheers!
