Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Simple DNS question

    Scheduled Pinned Locked Moved DHCP and DNS
    9 Posts 4 Posters 1.0k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      deanfourie
      last edited by deanfourie

      So I have a question regarding DNS, little bit of a grey area for me.

      I want to know how to ensure that only 1 DNS server is used on the network.

      How can I make sure clients are using MY DNS server? So say I buy a device, and it has a hardcoded DNS server of say 8.8.8.8. How can I block this device from making queries to this DNS server instead of my local DNS server? Thus, bypassing my pfSBlocker rules etc?

      I want to ENSURE all client are using 1 and only 1 DNS server, and any other DNS servers are rejected? Firewall rules?

      Thanks!

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ Online
        johnpoz LAYER 8 Global Moderator @deanfourie
        last edited by

        @deanfourie out of the box pfsense would hand Its IP address out for clients to use for dns.

        If you don't want clients using other dns, then block that with firewall rule.

        Keep in mind many a browser likes to default to using doh, which is dns over https - which wold be port 443.. So blocking that is a bit more difficult.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        D 1 Reply Last reply Reply Quote 0
        • D Offline
          deanfourie @johnpoz
          last edited by

          @johnpoz Thanks, ok so just use a firewall rule to block!

          I understand that blocking DOH is more difficult, out of curiosity, how is it done?

          the otherT GertjanG 2 Replies Last reply Reply Quote 0
          • the otherT Offline
            the other @deanfourie
            last edited by the other

            @deanfourie
            hey there,
            you cannot really block or reject those with a simple rule, since it ususally runs on Port 443 and you definitly do not want to block/reject that one...
            So, what you could do: block all known DoH Servers. To archieve that, you could use pfblockerNG_dev with an IP-Blocklist for known DoH-Servers.
            But, as stated in this forum before, that might escalate quickly, for a blocklist like that will probably never be complete and up-to-date...

            Or you could mitm break the ssl traffic open, look then for dns-queries and block those...BUT do you really want to do that (with regards to lots of cpu power AND data security)...?
            :)

            For "normal DNS" as mentioned by @johnpoz add a "allow TCP/UDP on Port 53 to Firewall itself and reject all other TCP/UDP to other destinations on port 53 for each interface...plus maybe a reject rule for DoT on port 853 (although, as I learned here recently there are other possible ports for DoT)

            the other

            pure amateur home user, no business or professional background
            please excuse poor english skills and typpoz :)

            1 Reply Last reply Reply Quote 0
            • GertjanG Offline
              Gertjan @deanfourie
              last edited by

              @deanfourie said in Simple DNS question:

              how is it done?

              DNS over HTTPS use TLS.

              Blocking is easy. Put this rue on your LAN interface at the top :

              6532d9da-6e36-46e4-9fa6-b11ed3f27a6b-image.png

              DNS over HTTPS means :
              It's HTTPS traffic. This is TLS traffic coming from 'some port' going to port 443 - over TCP.
              This is the port used by every web server on the Internet.

              You can't see or smell that the content of the data stream isn't usual web server traffic, neither DNS traffic. pfSense can't know.

              The requesting browser isn't using 1.1.1.1 but a host name like one.one.one.one.

              When the web bowser connects to one.one.one.one, it validates the TLS first : it ask for a certificate that should state it is for "one.one.one.one".
              Now ask yourself this question : can you get a certificate for "one.one.one.one" ? Or Microsoft.com ? or yourbank.com ?
              You can't.

              And remember : you can't look 'into' the TLS stream that flows through, as to 'open' it you need to have a server certificate that says "I'm one.one.one.one".

              And it's using port 443, TCP, which is hard to block, as blocking it would remove 99,99 % of all web browsing access on your network.

              To answer the question much faster : it's hard to do MITM attacks.
              And you don't want MITM to happen. Because, if you can do it, everybody can do it. And no data transport is safe any more.

              But : if you are willing to inform to every device device (and every software program running on that device) on the pfSEnse LAN that it should use a proxy, for example running on pfSense, then yes, it can be done.
              Now, every request is handed over to the pfsense proxy that creates the TLS connection for you. Answers coming back are handed back to your device.
              The proxy running on pfSense is now the man in the middle.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              johnpozJ D 2 Replies Last reply Reply Quote 0
              • johnpozJ Online
                johnpoz LAYER 8 Global Moderator @Gertjan
                last edited by

                @gertjan said in Simple DNS question:

                Put this rue on your LAN interface at the top :

                hahaha - that kind of blocks the whole freaking internet as well, not just doh hehehhahah

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 25.07 | Lab VMs 2.8, 25.07

                D 1 Reply Last reply Reply Quote 0
                • D Offline
                  deanfourie @Gertjan
                  last edited by

                  @gertjan So what's the real downside to just using DoT.

                  Traffic is safe, encrypted.

                  Except for the fact that you cannot see what is being queried of course.

                  the otherT 1 Reply Last reply Reply Quote 0
                  • D Offline
                    deanfourie @johnpoz
                    last edited by

                    @johnpoz Yea I think that will just block HTTPS and DOH at the same time.

                    1 Reply Last reply Reply Quote 0
                    • the otherT Offline
                      the other @deanfourie
                      last edited by

                      @deanfourie hey there,
                      the "downside" is exactly what you mentioned: cannot see what's being queried, so no dns-based filtering of let's say advertisement, porn, known malicious sites...no pihole, no pfblocker dns-filtering...
                      And that's a bummer for many users (including me).
                      :)

                      the other

                      pure amateur home user, no business or professional background
                      please excuse poor english skills and typpoz :)

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.