Netgate Discussion Forum

Allow external / public DNS queries to internal server

Category: DHCP and DNS
8 Posts 2 Posters 14.0k Views
    Referee2000
    last edited by Nov 30, 2009, 2:44 AM

    Hello, I am new to pfSense and have been really loving it!  However, I cannot seem to find out exactly how to fix an issue I am having.

    The problem is public DNS requests do not seem to go through the pfSense firewall to a DNS server I have running on one of my internal servers.  I have multiple web sites at multiple locations and control the Public DNS records myself.  I am trying pfSense on one of my locations to see how it acts.  So far so good - but any DNS requests from the internet to resolve my web server names get this on the logs:

    The rule that triggered this action is:
    @48 block drop in log quick all label "Default deny rule"

    I have added a rule on the WAN to forward DNS/53 to my internal server.  I assume by what I have read so far is that there is some default rule (that I cannot seem to find) that is "protecting" the firewall.  Can someone please point me in the right direction (or even better yet, tell me what I need to know?  :-) )

      Referee2000
      last edited by Nov 30, 2009, 5:13 AM

      I just found the 'services' status page, and I can see that there is a 'dnsmasq' service - if I turned this off - would that default rule be altered?  I do not need any DNS services running on this firewall at all - so what would this do if I turned it off?

        wallabybob
        last edited by Nov 30, 2009, 6:30 AM

        You can't change the Default deny rule: everything that doesn't match a previous rule is blocked.

        What protocol(s) did you specify on the "DNS/53" rule?

        If you don't want pfSense to provide DNS services you should turn off everything under Services -> DNS

          Referee2000
          last edited by Nov 30, 2009, 11:46 PM

          I tried UDP first, then TCP/UDP, but that didn't work either.  My original firewall was a simple FVS318 that was configured for UDP only - so I tried that first.  I think DNS is always UDP, but I can be wrong, haven't looked it up in a long time :-)

            Referee2000
            last edited by Dec 1, 2009, 12:33 AM

            I tried stopping the dnsmasq service, but the system still refuses to route incoming DNS requests.  I then rebooted the firewall and the dnsmasq service restarts.

            My question would be then -
              1. how could I 'uninstall' or disable this service, or
              2. edit the default rules - is there a way to get to the rules file for this thing?

            Sorry for being a pain, but this is a new system I don't know and am unfamiliar with.  I will also continue to search for an answer.

            (assuming there is one! - has anyone successfully done this?)

            To be more clear, as I see how you are detailing the issues here, I have:

            [Web Server: 10.1.1.107] 
              [DNS Server: 10.1.1.105] -  [LAN: 10.1.1.1] pfSense [WAN: 99.28.22.21] - internet - Client

            The domain (WWW.DOMAIN.COM) I have is registered with a name server of NS1.DOMAIN.COM - which is listed as 99.28.22.21.  My DNS server hosts multiple domains, some at my location, some at another.  The 'Client' cannot resolve WWW.DOMAIN.COM because it times out querying NS1.DOMAIN.COM - because the pfSense doesn't send the request on to the internal server.

            I have a rule entered that has these values:
              Action: Pass
              Interface: WAN
              Protocol: UDP  (also tried TCP/UDP)
              Source: any
              Destination: Single Host / Alias,  Alias = "DNSServer" which is set to "10.1.1.105"
              Destination Port: From DNS to DNS  (also tried 53)
              Schedule: none
              Gateway: default

            If anyone has this working - please let me know how you did it, or point me to the information!

            Thank you!

            BTW - I am not really heartfelt to use my DNS server if pfSense can do this for me as well - but I cannot seem to find out how to respond to public requests.  Internal requests I can get working just fine!

            BTW - Would it help if I offered money for a solution?!  :o  ;D

              wallabybob
              last edited by Dec 1, 2009, 12:56 AM

              Your client on the internet probably can't send a DNS request directly to your DNS server because the IP address of the DNS server (10.1.1.105) is a private address. So the client will have to send the DNS address to a public IP address (99.28.22.21?) so the DNS request coming in to the pfSense box won't match your rule because the rule has a private IP address.

              You probably need to set up a port forwarding rule (Firewall -> NAT -> Port Forwarding) for the DNS requests from the WAN.

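The mechanism wallabybob describes can be made concrete with a small simulation. This is an added example, not code from the thread or from pfSense: it models the processing order of pf (the packet filter under pfSense), where a port forward (pf "rdr") rewrites the destination before the filter rules are evaluated, so the WAN pass rule only ever sees 10.1.1.105:53 once the forward exists. The addresses are the ones quoted in the thread; the client address is a constructed documentation-range value, and the rule/forward classes are simplified stand-ins for the real ruleset.

```python
"""Simulate pf's processing order for the thread's DNS case: a port forward
(pf 'rdr') rewrites the destination first, then the filter rules see the
translated packet, with pfSense's built-in default deny rule catching the rest.
Addresses are the ones quoted in the thread; the client address is constructed."""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

WAN_IP = "99.28.22.21"       # public address NS1.DOMAIN.COM points at (from the thread)
DNS_SERVER = "10.1.1.105"    # internal DNS server (from the thread)
CLIENT = "203.0.113.7"       # constructed internet client (RFC 5737 TEST-NET-3)

BOTH = frozenset({"udp", "tcp"})  # DNS needs both: UDP queries, TCP for large answers


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    """Firewall -> NAT -> Port Forward entry (pf 'rdr'): rewrite dst/port on match."""
    iface: str
    protos: FrozenSet[str]
    dst: str
    dport: int
    to: str
    to_port: int


@dataclass(frozen=True)
class Rule:
    """Filter rule; a None field matches anything. Evaluated first-match ('quick')."""
    action: str
    label: str
    iface: Optional[str] = None
    protos: Optional[FrozenSet[str]] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.protos is None or p.proto in self.protos)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def translate(p: Packet, forwards: List[PortForward]) -> Packet:
    """Apply the first matching port forward; translation runs before filtering."""
    for f in forwards:
        if (f.iface == p.iface and p.proto in f.protos
                and f.dst == p.dst and f.dport == p.dport):
            return replace(p, dst=f.to, dport=f.to_port)
    return p


def evaluate(p: Packet, forwards: List[PortForward],
             rules: List[Rule]) -> Tuple[str, str, Packet]:
    """Return (action, label, packet as the filter saw it) for an inbound packet."""
    seen = translate(p, forwards)
    for r in rules:
        if r.matches(seen):
            return r.action, r.label, seen
    raise AssertionError("ruleset must end with a catch-all rule")


# The poster's WAN rule: pass UDP/TCP to the "DNSServer" alias on port 53.
WAN_DNS_PASS = Rule("pass", "Allow DNS to DNSServer", iface="WAN",
                    protos=BOTH, dst=DNS_SERVER, dport=53)
# pfSense's built-in last rule, as it appears in the thread's log line.
DEFAULT_DENY = Rule("block", "Default deny rule")
# The missing piece: public IP port 53 -> internal DNS server.
DNS_FORWARD = PortForward("WAN", BOTH, WAN_IP, 53, DNS_SERVER, 53)

# A query from the internet can only be addressed to the public IP.
QUERY = Packet("WAN", "udp", CLIENT, WAN_IP, 53)


def without_port_forward():
    """Rule alone: the packet still carries the public IP, so only default deny matches."""
    return evaluate(QUERY, [], [WAN_DNS_PASS, DEFAULT_DENY])


def with_port_forward():
    """Forward + rule: the filter sees dst 10.1.1.105:53 and the pass rule matches."""
    return evaluate(QUERY, [DNS_FORWARD], [WAN_DNS_PASS, DEFAULT_DENY])


def other_port_still_blocked(dport: int = 80):
    """The forward exposes only port 53; anything else sent to the WAN IP stays blocked."""
    return evaluate(replace(QUERY, proto="tcp", dport=dport),
                    [DNS_FORWARD], [WAN_DNS_PASS, DEFAULT_DENY])


if __name__ == "__main__":
    for name, fn in [("rule only", without_port_forward),
                     ("forward + rule", with_port_forward),
                     ("forward + rule, port 80", other_port_still_blocked)]:
        action, label, seen = fn()
        print(f"{name:25} -> {action:5} ({label}) dst={seen.dst}:{seen.dport}")
```

The third case is the check worth keeping in mind when reviewing such a setup: the forward plus its pass rule should open exactly one service to the internet, and everything else sent to the WAN address should still land on the default deny rule.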
                Referee2000
                last edited by Dec 1, 2009, 2:21 AM

                SWEET!!!! Thank you - Thank you - Thank you - Thank you - Thank you!!!!

                Now that I understand what that is doing - first firewall rules to allow, then the NAT to forward, it all makes sense now!  Thank you!

                I guess I got hung up on the Rule, when I entered the private IP I "assumed" it was like the FVS319 - it allowed and forwarded in one step - this way is nice (an extra step, but I see why!)

                Again - thanks!  Where do you want the gift card sent to?  :-)

                  wallabybob
                  last edited by Dec 1, 2009, 3:20 AM

                  @Referee2000:

                  Again - thanks!  Where do you want the gift card sent to?  :-)

                  I give my time to the pfSense forums as a way of expressing my gratitude for this great project. If you would like to make a gift of a more material kind, how about a donation to the pfSense project (http://www.pfsense.org/index.php?option=com_content&task=view&id=47&Itemid=77) or a micro loan to a project in Thailand or a Pacific Islands country (see http://www.kiva.org)?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.