Open DNS on the WAN interface

gusto

Today I was browsing the firewall rules and found that port 53 is open in my firewall.

I don't know if this setting is correct, but I set up the firewall a long time ago according to some instructions.
If I disable the rule, the internet still works fine and seems even faster.
I performed a port test and found that port 53 is open to the Internet. If I disable the rule, the port to the Internet is closed.
If I check whether a recursive resolver is detected on my public IP address, the result is fine

Recursive resolver is not detected on xx.xx.xx.xx

I'm not a firewall expert and I'm afraid to keep the rule or disable it.

Gertjan

@gusto

Ask the person who created this WAN rule :

why he thought that that was needed.

@gusto said in Open DNS on the WAN interface:

according to some instructions

Yeah ... I know.

I will give you one instruction, and without knowing whats so ever of a firewalls, you'll know its good ;
When you installed pfSense, there was no firewall on the WAN interface**, and still, everything worked just fine. Make use of that knowledge ^^

You can even remove the third, 'ping' rule, as it is no needed for a working internet connection.

** the first two block rules will block, but normally, from the Internet, there is no RFC1918 traffic, neither 'bogon' traffic, as the upstream ISP router couldn't route this traffic to you anyway.

The hidden last rule is a block all rule, as this is the default behavior of a interface : nothing comes "IN" (that wasn't initiated form the inside, for example your LAN, or pfSense itself).

gusto

Does that mean that this rule is rather dangerous?
Could someone from outside abuse my dns resolver?

Bob.Dig

@gusto This rule is pretty bad. Usually Unbound uses ACL so you are still protected, unless somebody disabled those too.

gusto

It is possible that I was testing something and forgot to delete this rule.
I use local resolver unbund, but the access list is not set.

Gertjan

@gusto said in Open DNS on the WAN interface:

Could someone from outside abuse my dns resolver?

You've said yourself :

@gusto said in Open DNS on the WAN interface:

I performed a port test and found that port 53 is open to the Internet

This :

means traffic from 'WAN' (the entire internet) was reaching your WAN IP, port 53 TCP and UDP, and passed. This mans the traffic reached the process that was (could be) boud to the port 53 for UDP and TCP : that's (normally) unbound or some other DNS handling server process.
Note : this would be fine if the interface was a LAN type interface.

One of the last barriers still in place (are they ?) are the aforementioned unbound ACL rules.
These are the last barrier that will prohibit unbound from taken in account a DNS requests from the WAN port.

Like a open rely mail server, you shouldn't 'open relay' your DNS facilities neither. It not bad per se, but what happens if I, and many other, start to request DNS requests to your WAN IP ? I'll be able to DOS your internet connection very rapidly.

So, again, normally, "if you don't know what a firewall is" : don't put any pass rules on the WAN interface, and you'll be fine.