Confused about DNS setup
-
I have been tasked with ensuring our firewall uses a specific DNS server and only that server. Under the General settings tab, I specified the desired IP and hostname for TLS resolver, and everything appeared to work OK.
To test, I removed the DNS IP address and TLS hostname, and restarted the firewall. Then used the firewall's Diagnostics->DNS Lookup to test. To my surprise, an IP address was returned. I was expecting it to be not found/not resolved.
Where is the firewall getting its DNS information from? I presume from the upstream WAN, which if that is the case that is not permitted. Is there a way to prevent that? Or is there some other misconfiguration? Any help is greatly appreciated. These are my settings:
[screenshot of the settings]
-
@g289519 said in Confused about DNS setup:
I have been tasked with ensuring our firewall uses a specific DNS server and only that server.
You should fully read, understand, and implement the following two 'recipes' from the documentation:
Redirecting Client DNS Requests (Firewall / NAT config)
Blocking External Client DNS Queries (Firewall / Rules config)
You should post any follow-up questions you might have about how to make these work with the specific configuration of the system you're working with.
-
@tinfoilmatt I looked at those settings, thank you. I think they will work for clients that try to bypass the router. We already were redirecting port 53. Some clients are using DNS over HTTPS, so that is another situation that will be handled separately. I am not in control of those systems.
I need to show our auditors that our router is using a specific DNS server. They want me to remove the DNS server and prove nothing can be resolved. It appears the router itself does not look at the recipes you mentioned. I can still lookup any name using the DNS Lookup page, which means I have no control over the DNS address at this point. I can put in a bogus address, or no address, and names are still being resolved.
-
On your DNS Resolution Behavior , try changing that setting to Use Remote DNS Servers, Ignore Local DNS.
-
Is your WAN interface receiving the ISP's DNS servers via DHCPv6 (Status / Interfaces)?
-
Without verifying for myself, the DNS Lookup page must be querying unbound listening on 127.0.0.1. So the recursive lookup must then be getting to the outside via one of the "let out anything from firewall host itself" default rules.
Run pfctl -vvsr | grep 'itself' to see what I mean:
@[id] pass out inet all flags S/SA keep state (if-bound) allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 0000000000
@[id] pass out inet6 all flags S/SA keep state (if-bound) allow-opts label "let out anything IPv6 from firewall host itself" ridentifier 0000000000
If that is in fact the case, the next question becomes what DNS server is responding? (That's why I ask about the ISP's IPv6 DNS DHCPv6 handout.)
Unless the DNS Lookup PHP has something hardcoded...?
FWIW, pfBlockerNG's IP filter service blocks even localhost's lookups:
Is this system running pfB?
-
@tinfoilmatt said in Confused about DNS setup:
Is your WAN interface receiving the ISP's DNS servers via DHCPv6 (Status / Interfaces)?
No I don't think so
-
@Uglybrian said in Confused about DNS setup:
On your DNS Resolution Behavior , try changing that setting to Use Remote DNS Servers, Ignore Local DNS.
I made that change, rebooted, DNS still working without any DNS server specified. Thanks for your reply.
I dunno. Maybe we need a firewall upstream of our firewall. But that sounds silly. I verified no other DNS server exists on the network by isolating the equipment to just 3 pieces (the modem, firewall and my fedora workstation).
-
@g289519 What you're doing at the request of the auditors here is a setup that nobody is going to have in the real world: pfSense configured as a recursive LAN resolver with its system DNS intentionally left empty.
Strong suggestion to pcap on the WAN interface to figure out who's answering localhost lookups and from where.
-
@tinfoilmatt I will take a look thank you. I ran a packet trace and came across this:
01:09:00.598828 IP 198.51.44.69.53 > 47.224.233.232.57987: UDP, length 92
I looked up 198.51.44.69 and it is
And that is precisely what is going to get my audit to fail unless I can come up with a good explanation. No outside DNS server allowed per policy.
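The packet trace above is exactly the evidence an auditor will ask for, so it helps to be able to scan a whole tcpdump capture for it rather than eyeballing single lines. The following Python script is an added example, not code from the thread or from pfSense: it parses tcpdump -n style lines like the one quoted above and flags every DNS (port 53) or DNS-over-TLS (port 853) answer that came from a server other than the approved resolver. The approved address 203.0.113.53, the IPv6 responder 2001:db8:ffff::1 and every sample line except the quoted one are constructed for the example.

```python
import re

# Constructed sample of tcpdump output. The first line is the one quoted in the
# thread; the rest are made up to exercise the parser (203.0.113.53 plays the
# role of the approved resolver, 2001:db8:ffff::1 an unexpected IPv6 responder).
SAMPLE_TRACE = """\
01:09:00.598828 IP 198.51.44.69.53 > 47.224.233.232.57987: UDP, length 92
01:09:01.102311 IP 47.224.233.232.41022 > 203.0.113.53.53: UDP, length 45
01:09:01.133902 IP 203.0.113.53.53 > 47.224.233.232.41022: UDP, length 120
01:09:02.004410 IP 47.224.233.232.50111 > 192.0.2.80.443: Flags [S], seq 1, win 65535, length 0
01:09:03.771284 IP6 2001:db8:ffff::1.53 > 2001:db8:1::2.60001: UDP, length 80
01:09:04.000001 IP 198.51.44.69.853 > 47.224.233.232.51000: Flags [P.], seq 1:121, ack 1, win 1024, length 120
"""

# Ports on which a DNS (53) or DNS-over-TLS (853) server sends its answers.
DNS_SERVER_PORTS = {53, 853}

# "<time> IP|IP6 <host>.<port> > <host>.<port>: <rest>" as printed by tcpdump -n.
_PKT = re.compile(r"^(?P<ts>\S+)\s+IP6?\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")


def _split_endpoint(endpoint):
    """'203.0.113.53.53' -> ('203.0.113.53', 53); the last dot separates the port,
    which also works for IPv6 endpoints such as '2001:db8::1.53'."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_trace(lines):
    """Yield one dict per recognisable packet line; lines that do not match are skipped."""
    for line in lines:
        m = _PKT.match(line.strip())
        if not m:
            continue
        src_host, src_port = _split_endpoint(m.group("src"))
        dst_host, dst_port = _split_endpoint(m.group("dst"))
        rest = m.group("rest")
        proto = "udp" if rest.startswith("UDP") else "tcp" if rest.startswith("Flags") else "other"
        yield {"ts": m.group("ts"), "proto": proto,
               "src_host": src_host, "src_port": src_port,
               "dst_host": dst_host, "dst_port": dst_port}


def audit_dns_servers(lines, approved_servers):
    """Count answers from approved resolvers and collect answers from anyone else.

    A packet whose *source* port is 53 or 853 is a reply from a DNS/DoT server.
    If that server is not on the approved list, the "only this server" policy
    has been violated on the wire, whatever the firewall GUI says.
    """
    approved = set(approved_servers)
    approved_answers = 0
    violations = []
    for pkt in parse_trace(lines):
        if pkt["src_port"] not in DNS_SERVER_PORTS:
            continue  # a query or unrelated traffic, not a server's answer
        if pkt["src_host"] in approved:
            approved_answers += 1
        else:
            violations.append(pkt)
    return {"approved_answers": approved_answers, "violations": violations}


if __name__ == "__main__":
    result = audit_dns_servers(SAMPLE_TRACE.splitlines(), {"203.0.113.53"})
    print(f"answers from approved resolver: {result['approved_answers']}")
    for v in result["violations"]:
        print(f"{v['ts']} {v['proto']} answer from {v['src_host']}:{v['src_port']} -> {v['dst_host']}")
```

Run it against a real capture with something like tcpdump -n -i em0 'port 53 or port 853' piped into a file, then pass the file's lines to audit_dns_servers with your approved resolver; an empty violations list is the result the auditor wants to see, and a non-empty one tells you which server answered and on which port (853 hits mean the DoT path leaked too).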
-
@tinfoilmatt said in Confused about DNS setup:
@g289519 What you're doing at the request of the auditors here is a setup that nobody is going to have in the real world: pfSense configured as a recursive LAN resolver with its system DNS intentionally left empty.
I understand, we wont leave it that way permanently. I just need to show I have control over the DNS server by being able to remove it. Its just one of many steps. I didn't write the procedures. Eventually it will have some server address there. Appreciate the feedback thanks.
-
@g289519 No I'm with you, man. You've personally piqued my interest with this for my own setups. I'd fail pfSense if I was the auditors over this, too. I get that leaving system DNS blank is just the test. So you need to figure out how to block localhost-generated lookups from leaving the WAN interface!
Does that DNS answer offer any clues about where it's coming from? It's possible ISP is simply redirecting 53/853 traffic wherever (after sniffing the lookups of course, lol).
-
Pinging @stephenw10—is there any way to place a deny rule above the default 'let out from itself' rules?
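For readers wondering what such a rule looks like, here is the same idea written in plain pf.conf syntax, covering both the question above (a deny rule that beats the default "let out anything from firewall host itself" rules) and the client-redirect recipe linked earlier in the thread. This is an added example, not pfSense's generated ruleset and not taken from the Netgate docs; the interface names em0 (WAN) and em1 (LAN) and the approved resolver 203.0.113.53 are placeholders.

```pf
# Added example in raw pf.conf syntax; pfSense regenerates its ruleset from the
# GUI, so there these would be entered as a NAT port forward and as floating rules.
wan_if = "em0"             # placeholder: WAN interface
lan_if = "em1"             # placeholder: LAN interface
approved_dns = "203.0.113.53"   # placeholder: the one resolver policy allows
dns_ports = "{ 53, 853 }"        # plain DNS and DNS-over-TLS

# 1. Client side ("redirect client DNS requests"): a LAN host that points at a
#    foreign DNS server on port 53 is transparently sent to the firewall's own
#    resolver instead. This does nothing for DNS-over-HTTPS, which rides on 443.
rdr on $lan_if proto { tcp, udp } from $lan_if:network to ! ($lan_if) port 53 -> ($lan_if) port 53

# 2. Firewall-host side: the only DNS/DoT destination the firewall's own address
#    may talk to is the approved resolver ...
pass out quick on $wan_if proto { tcp, udp } from ($wan_if) to $approved_dns port $dns_ports

# ... and any other DNS/DoT egress from the firewall itself is dropped and logged.
#    "quick" ends evaluation at this rule. The default "let out anything ... from
#    firewall host itself" rules shown in the pfctl output have no "quick", so
#    wherever they sit in the ruleset they cannot override this block.
block out log quick on $wan_if proto { tcp, udp } from ($wan_if) to any port $dns_ports
```

With this in place the DNS Lookup page should fail as soon as the approved resolver is removed from General settings, and the logged block entries are themselves evidence for the auditor. Unselecting Localhost under the resolver's Outgoing Network Interfaces, as suggested later in the thread, is a complementary control on the unbound side rather than a replacement for the egress rule.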
-
@g289519 said in Confused about DNS setup:
I have been tasked with ensuring our firewall uses a specific DNS server and only that server. Under the General settings tab, I specified the desired IP and hostname for TLS resolver, and everything appeared to work OK.
IMHO, you missed a step.
First, you have to indicate a DNS server you want to use, example:
or, if you have a local one, on pfSense's LAN or nearby, on its WAN:
This could be a Pi-hole, a Windows DNS server or a local company DNS server: a DNS server that is under local or your control.
Then, instruct the resolver to forward to this IP:
If this DNS server, like 1.1.1.1, supports TLS you can also enable TLS Forwarding (the second check box).
To make sure all LAN devices use your defined DNS server, block all DNS traffic = port 53, UDP and TCP, for IPv4 and IPv6, and only allow LAN devices to contact pfSense (using port 53, UDP and TCP, for IPv4 and IPv6).
If needed, create also a pass rule to allow port 853 TCP to pfSense and afterwards a block rule for 853 TCP, any destination.
And check:
From now on, your LAN devices can only ask pfSense for DNS info, and pfSense, the resolver which now has become a 'dumb' forwarder, will forward the request to the IP you specified. It won't go anywhere else.
If the path to 1.1.1.1 is broken (blocked, shut down, whatever) then your pfSense (and LAN) DNS will fail.
-
@Gertjan said in Confused about DNS setup:
First, you have to indicate a DNS server you want to use
OP needs to intentionally leave DNS Servers configuration blank in order to prove to corporate auditors that DNS resolution using the DNS Lookup tool then fails—but he's still getting an answer after doing that!
-
Ah ....
Putting the resolver in forwarding mode without any DNS servers listed on the General page will fail: so exit forwarding mode.
The resolver will then resolve as that is its job.
Stopping it then seems the only good solution (with the LAN(s) firewall rules mentioned earlier).
Leaving unbound (the resolver) running while blocking its outgoing traffic over WAN is ... strange/counter productive.
What seems to work: set up a forwarding IP on the General settings page as shown above.
Now, the resolver can be put in forwarding mode without complaints.
Back again to the General settings page, remove the DNS IP list and save that page.
After the save, I checked, the resolver was still running.
But:
and on my PC:
C:\Users\Gauche>nslookup google.com
Serveur :  pfSense.bhf.tld
Address:  2a01:cb19:dead:beef:92ec:77ff:fe29:392c

*** pfSense.bhf.tld ne parvient pas à trouver google.com : Server failed
This seems to look ok - I managed to break DNS.
-
@Gertjan said in Confused about DNS setup:
What seems to work: set up a forwarding IP on the General settings page as shown above.
The auditors may or may not allow a configuration change like this, since it's essentially a 'workaround' to pass the already-defined test—that being, DNS must fail when pfSense's configured system DNS is left blank. But that's all some good DNS Resolver behavior testing regardless.
I think I agree that if OP must continue using DNS Resolver/unbound, then more is needed to pass this test, likely (and most minimally) a firewall rule blocking localhost lookups from egressing WAN outbound.
@g289519 How many interfaces are selected under Services / DNS Resolver / General Settings / Outgoing Network Interfaces? Note that Localhost can be unselected. Actually, that could be a potential fix here...
-
@Gertjan said in Confused about DNS setup:
This seems to look ok - I managed to break DNS.
By the way, when I read this...
-
I have no way to test this. But what if you put PF Sense into forwarding mode and then turn off Resolver???