Simple DNS question
-
So I have a question regarding DNS, little bit of a grey area for me.
I want to know how to ensure that only 1 DNS server is used on the network.
How can I make sure clients are using MY DNS server? So say I buy a device, and it has a hardcoded DNS server of say 8.8.8.8. How can I block this device from making queries to this DNS server instead of my local DNS server? Thus, bypassing my pfSBlocker rules etc?
I want to ENSURE all client are using 1 and only 1 DNS server, and any other DNS servers are rejected? Firewall rules?
Thanks!
-
@deanfourie out of the box pfsense would hand Its IP address out for clients to use for dns.
If you don't want clients using other dns, then block that with firewall rule.
Keep in mind many a browser likes to default to using doh, which is dns over https - which wold be port 443.. So blocking that is a bit more difficult.
-
@johnpoz Thanks, ok so just use a firewall rule to block!
I understand that blocking DOH is more difficult, out of curiosity, how is it done?
-
@deanfourie
hey there,
you cannot really block or reject those with a simple rule, since it ususally runs on Port 443 and you definitly do not want to block/reject that one...
So, what you could do: block all known DoH Servers. To archieve that, you could use pfblockerNG_dev with an IP-Blocklist for known DoH-Servers.
But, as stated in this forum before, that might escalate quickly, for a blocklist like that will probably never be complete and up-to-date...Or you could mitm break the ssl traffic open, look then for dns-queries and block those...BUT do you really want to do that (with regards to lots of cpu power AND data security)...?
:)For "normal DNS" as mentioned by @johnpoz add a "allow TCP/UDP on Port 53 to Firewall itself and reject all other TCP/UDP to other destinations on port 53 for each interface...plus maybe a reject rule for DoT on port 853 (although, as I learned here recently there are other possible ports for DoT)
-
@deanfourie said in Simple DNS question:
how is it done?
DNS over HTTPS use TLS.
Blocking is easy. Put this rue on your LAN interface at the top :
DNS over HTTPS means :
It's HTTPS traffic. This is TLS traffic coming from 'some port' going to port 443 - over TCP.
This is the port used by every web server on the Internet.You can't see or smell that the content of the data stream isn't usual web server traffic, neither DNS traffic. pfSense can't know.
The requesting browser isn't using 1.1.1.1 but a host name like one.one.one.one.
When the web bowser connects to one.one.one.one, it validates the TLS first : it ask for a certificate that should state it is for "one.one.one.one".
Now ask yourself this question : can you get a certificate for "one.one.one.one" ? Or Microsoft.com ? or yourbank.com ?
You can't.And remember : you can't look 'into' the TLS stream that flows through, as to 'open' it you need to have a server certificate that says "I'm one.one.one.one".
And it's using port 443, TCP, which is hard to block, as blocking it would remove 99,99 % of all web browsing access on your network.
To answer the question much faster : it's hard to do MITM attacks.
And you don't want MITM to happen. Because, if you can do it, everybody can do it. And no data transport is safe any more.But : if you are willing to inform to every device device (and every software program running on that device) on the pfSEnse LAN that it should use a proxy, for example running on pfSense, then yes, it can be done.
Now, every request is handed over to the pfsense proxy that creates the TLS connection for you. Answers coming back are handed back to your device.
The proxy running on pfSense is now the man in the middle. -
@gertjan said in Simple DNS question:
Put this rue on your LAN interface at the top :
hahaha - that kind of blocks the whole freaking internet as well, not just doh hehehhahah
-
@gertjan So what's the real downside to just using DoT.
Traffic is safe, encrypted.
Except for the fact that you cannot see what is being queried of course.
-
@johnpoz Yea I think that will just block HTTPS and DOH at the same time.
-
@deanfourie hey there,
the "downside" is exactly what you mentioned: cannot see what's being queried, so no dns-based filtering of let's say advertisement, porn, known malicious sites...no pihole, no pfblocker dns-filtering...
And that's a bummer for many users (including me).
:)