what is the correct way to do DNS rules?
-
I am confusing myself on this. Which of these is correct?
https://ibb.co/Wvd8mFCR
https://ibb.co/N6kxJ01W
Also, how do you get an image to show? I can't get it to work.
-
@amrogers3 just upload the image? Not sure what you're asking to do with dns - redirect it? You have a rule - did you actually create the port forward?

But your rule to actually redirect anything is a reject, and it should be above where your allow to loopback is.. So a reject wouldn't ever redirect anything. So not sure what you're actually wanting to do.
Here is how you redirect dns.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
-
@johnpoz
Thank you for the question. I fumbled up the order of rules for sure. I am trying to redirect DNS to local interface and block DNS over 853 and 443 so that all requests go through pfSense. My understanding is that this is necessary for pfBlocker to inspect all the queries. Yes on the port forward and the screenshot is below.
- Is there an example of what the proper DNS firewall rule set should look like? Or firewall rule sets in general?

Guest

LAN

-
@amrogers3 “proper” is extremely subjective.
For DNS you may have also found https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html.
At first glance your rules seem ok except the LAN rule to block DNS to !LAN is above the allow to localhost.
-
except the LAN rule to block DNS to !LAN is above the allow to localhost.
I would make those with Filter rule association "pass", no need for an extra firewall rule.
-
@Bob.Dig
So you would do something like this and leave it at the same place in the list?

-
@amrogers3 I meant the Port Forward.
-
Perhaps my thread from long ago will help. I silently redirect outbound DNS to PiHole.
https://forum.netgate.com/topic/156453/pfsense-dns-redirect-to-local-dns-server?_=1663853296484
-
@Bob.Dig
I am not following, so delete that rule above?
-
@amrogers3 Is it you do not understand the order of rules? Rules are evaluated top down, first to trigger wins and no other rules are evaluated.
If you create a port forward that says any NOT, ie ! to the lan address send to 127.0.0.1
This will be evaluated first, but then you need a rule to allow that. If we go top down first rule that triggers to 53 to ip 127.0.0.1 you are rejecting it..
When you create the port forward it should create the rule for you.. See here, I created the port forward, it created the allow rule for 127.0.0.1 to 53.

Now let's create some rules to go along with that and put them in the right order.
I want a rule that says hey, you're talking to the pfsense address already for dns - put this above the allow rule to 127.0.0.1 (rule 1)
My allow rule to 127.0.0.1 (rule 2)
And while not really needed, since your nat should redirect any dns to anything other than your lan address, ie the ! lan address in your port forward, you can put in a block all dns. (rule 3)

So let's walk through some examples: if I ask pfsense for dns to its lan address, rule 1 would allow this. The port forward wouldn't trigger ever since I am actually asking the lan address, not ! lan address
If I ask say 8.8.8.8, rule 1 would not match, so let's check next - my redirect will be sending the traffic to 127.0.0.1 because 8.8.8.8 is not my lan address, ie the source ! lan address in my port forward.
So this rule 2 allows that to happen, and as you can see if I ask a direct query to 8.8.8.8 it has no clue about anything on my home.arpa network locally. But unbound does.

There is no possible way that googledns 8.8.8.8 would know the ip for nas.home.arpa, and it sure couldn't answer in less than 1 ms, see the query time listed. So clearly my query to 8.8.8.8 was redirected to unbound.
Also notice now that the count on my redirect allow rule has gone up.

You don't really need that block rule - but sure, it's never going to trigger unless your port forward fails.
You can then put in other blocks to say dot (853) if you want - but clients almost never use dot, they use doh which is over 443.. It hides in normal https traffic so it is harder to filter.
But your rules need to be in the proper order to work. Top down, first to trigger wins, no other rules evaluated.
Keep in mind that port forwards are evaluated before firewall rules.
Hope that clears it up.
-
@johnpoz said in what is the correct way to do DNS rules?:
… but clients almost never use dot, they use doh which is over 443.. It hides in normal https traffic so it is harder to filter.
Any tips here if it’s possible other than by configuring the clients?
-
@q54e3w there are loads of lists of known doh servers that you can use to block access. Most clients would for sure tend to use the well known ones.. So for typical stuff like browsers and such that love to default to using doh, those can work. Pretty sure pfblocker has a block doh list out of the box.
Best to turn it off in your app for sure..
What can be tricky is more in a work sort of setup, where users could point to god knows what as their doh server to circumvent say work dns filtering.
-
@johnpoz said in what is the correct way to do DNS rules?:
Pretty sure pfblocker has a block doh list out of the box.
Yes. One needs to select all the "DoH/DoT/DoQ Blocking List" servers:

-
@johnpoz
Fantastic examples and explanation John, thank you very much.
I was overthinking it and missed some core concepts about port forwarding and the firewall rules.
Anyway, thanks again, appreciate you taking the time to write all that with the examples. This post was very helpful!! Thank you
Does it matter if NTP is above DNS? I can't think of a case how it should matter if NTP is before or after.
- antilock out rule
- NTP
- DNS
- allow rules
- block everything else rule

-
@amrogers3 it would matter where it is in the stack if you had something that blocked ntp, or blocked all etc..
Just remember top down, first to match/trigger wins, evaluation stops.
So if you have a question if the order of your rules is correct.. Just run down your rules in your head with the traffic example - which is the first rule to match.
Keep in mind also if traffic gets to the end without matching anything - then it would be denied.. There is a hidden rule on all interfaces for deny.. If you do not actually allow the traffic with a rule and it gets to the end it will be blocked.
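As an added illustration of the evaluation order described in johnpoz's two posts above (port forward first, then the interface rules top down, first match wins, evaluation stops, and a hidden default deny for anything that reaches the end), here is a small Python model. It is not from the thread and not pfSense's own code. It uses constructed addresses (192.168.1.0/24 with pfSense at 192.168.1.1 and a client at 192.168.1.50), models only the DNS port forward plus the rule 1 / rule 2 / rule 3 ordering from the earlier post and the NTP / DNS / allow ordering asked about in the previous post, and ignores states, interface direction, floating rules and everything else pf does. The rule names are labels for the example, not pfSense identifiers.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

# Constructed sample topology: these addresses are assumptions for the
# example, not values from the thread.
LAN_NET = ip_network("192.168.1.0/24")
LAN_ADDR = ip_address("192.168.1.1")   # pfSense LAN interface address
LOOPBACK = ip_address("127.0.0.1")     # where unbound answers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "pass", "block" or "reject"
    match: Callable[[Packet], bool]  # predicate the packet must satisfy


def is_dns(p: Packet) -> bool:
    return p.dport == 53 and p.proto in ("udp", "tcp")


def port_forward_dns(p: Packet) -> Packet:
    """The NAT port forward from the recipe: DNS whose destination is
    '! LAN address' is rewritten to 127.0.0.1. NAT runs before filtering."""
    if is_dns(p) and ip_address(p.dst) != LAN_ADDR:
        return replace(p, dst=str(LOOPBACK))
    return p


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str, str]:
    """Top down, first match wins, evaluation stops; anything that reaches
    the end hits the hidden default deny. Returns (action, rule name, final dst)."""
    p = port_forward_dns(p)
    for r in rules:
        if r.match(p):
            return r.action, r.name, p.dst
    return "block", "implicit default deny", p.dst


def lan_rules_correct() -> List[Rule]:
    """The order johnpoz describes: rule 1 above rule 2, the never-hit
    reject (rule 3) below both, then a DoT block, then an ordinary allow."""
    return [
        Rule("anti-lockout", "pass",
             lambda p: ip_address(p.dst) == LAN_ADDR and p.dport in (22, 80, 443)),
        Rule("NTP", "pass", lambda p: p.dport == 123),
        Rule("rule 1: DNS to LAN address", "pass",
             lambda p: is_dns(p) and ip_address(p.dst) == LAN_ADDR),
        Rule("rule 2: DNS to 127.0.0.1 (from port forward)", "pass",
             lambda p: is_dns(p) and ip_address(p.dst) == LOOPBACK),
        Rule("rule 3: reject any other DNS", "reject", is_dns),
        Rule("block DoT (853)", "block",
             lambda p: p.dport == 853 and p.proto == "tcp"),
        Rule("allow LAN to web", "pass",
             lambda p: ip_address(p.src) in LAN_NET and p.dport in (80, 443)),
    ]


def lan_rules_wrong_order() -> List[Rule]:
    """The mistake from the first screenshot: the reject sits above the
    allow to 127.0.0.1, so every redirected query dies on the reject."""
    rules = lan_rules_correct()
    rules[3], rules[4] = rules[4], rules[3]
    return rules


if __name__ == "__main__":
    client = "192.168.1.50"
    cases = [
        Packet(client, "192.168.1.1", 53),      # ask pfSense directly
        Packet(client, "8.8.8.8", 53),          # ask Google, gets redirected
        Packet(client, "8.8.8.8", 853, "tcp"),  # DoT attempt
        Packet(client, "1.1.1.1", 123),         # NTP
        Packet(client, "8.8.8.8", 5353),        # matches nothing
    ]
    for rules, label in ((lan_rules_correct(), "correct"),
                         (lan_rules_wrong_order(), "wrong order")):
        print(f"--- {label} ---")
        for c in cases:
            print(f"{c.dst}:{c.dport}/{c.proto} -> {evaluate(rules, c)}")
```

Running it shows the two behaviours from the thread side by side: with the correct order a query to 8.8.8.8 is rewritten to 127.0.0.1 by the port forward and passed by rule 2, while with the reject moved above the allow the same query is rewritten and then rejected, which is why the screenshot rules never redirected anything. Rule 3 never fires in the correct order because every DNS packet is either to the LAN address or has already been rewritten, and the 5353 packet shows the hidden deny at the end of the list.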
-
@amrogers3 Just out of curiosity on my part - your lan to http rule you show there - 2.7GB of traffic - just curious what you're talking to over 80 that would be that much traffic, I assume it's something else on your local side networks (ie another segment).. Since pretty much everything on the internet these days is encrypted (443)..
How long has that counter been running as well - one thing if 3 months for that much traffic, and another if 3 hours ;)
I might put in a rule for 80 and 443 vs my just any any rule - to get an idea how much actual 80 traffic is flowing.. I would think it's just a tiny fraction of overall traffic.
-
@johnpoz
Appreciate the question. Looks like some funny business is going on here.
I rebooted a few days ago and it looks like a reboot resets that counter. So therefore, that traffic is a lot for only a few days. It appears to be one site, 65.254.248.204 which comes back to Newfold Digital, Inc..
The state table shows an established connection.
Curl shows code 462 which is weird. Apologies for the large pics, I can't modify the size here.

I started digging into it and only got this far before the state terminated. So I was unable to see what process was associated with port 80. I am going to keep my eye on this. Definitely weird.
There is a ton of 80 banging on the WAN. 114.22.17.129 is not my real WAN IP.

-
@amrogers3 said in what is the correct way to do DNS rules?:
There is a ton of 80 banging on the WAN. 114.22.17.129 is not my real WAN IP.
yeah to be expected.. There will be a lot of stuff banging on your front door, 24/7/365 - it's the internet ;)
So I had broken out 80 so I could see - and I have more than I would expect as well - but mine is all iot devices, alexas, firestick, tv - my guess is some sort of internet check, ie them checking if they can talk to the internet. My alexas for example are talking to 80 to an amazon IP.
That company owns a lot of brands.
https://www.newfold.com/brands