    DNS Lockdown

    • alam3

      Hello,
      Is it possible to lock down DNS calls to only those addresses outside one's organization (i.e. forwarders) one configures on the firewall?

      Thanks…

      • jimp (Rebel Alliance Developer, Netgate)

        You can make firewall rules that block outgoing DNS requests to any servers except the ones you want, yes. It works just like firewalling any other service.


        • dszp

          Additionally, if you really wanted to, you could create NAT rules such that all requests from the LAN to the DNS port (53) would be redirected to the DNS server of your choice (just one though), regardless of what server the client was trying to use. This would allow invalid configs to work but still only go to the allowed server. A similar setup (not specific to DNS but should work) is described in the pfSense book when discussing NAT.

          David Szpunar

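          The two approaches described in this thread, written out as FreeBSD pf rules. This is an added illustration, not text from the thread and not pfSense's generated ruleset; the interface name, LAN subnet and resolver addresses are assumed placeholders.

```pf
# Added example: pf rules for locking down client DNS (FreeBSD pf syntax, as
# used by pfSense). All names and addresses below are assumed placeholders.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"
lan_ip  = "192.168.1.1"          # firewall's own LAN address (local resolver)

# Resolvers/forwarders clients are allowed to reach (example addresses).
table <dns_allowed> { 192.168.1.1, 203.0.113.53 }

# Approach 2 (dszp's post): redirect every LAN DNS request to one chosen
# server, regardless of which server the client was configured with.
# Translation rules must come before filter rules in this pf syntax.
rdr on $lan_if proto { tcp udp } from $lan_net to !$lan_ip port 53 -> $lan_ip port 53

# Approach 1 (jimp's post): permit DNS only to the allowed servers and block
# everything else on port 53. Logging the blocks surfaces clients with
# hard-coded or misconfigured resolvers. With the rdr above in place, the
# filter rules see the translated destination, so redirected traffic passes.
pass in quick on $lan_if proto { tcp udp } from $lan_net to <dns_allowed> port 53
block in log quick on $lan_if proto { tcp udp } from $lan_net to any port 53

# Caveat: these rules only cover classic DNS on port 53. DNS over TLS (853)
# and DNS over HTTPS (443) use other ports and are not affected by them.
```

          In the pfSense GUI the same effect comes from a Port Forward rule (Firewall > NAT) matching destination port 53 on LAN and redirecting to the local resolver, plus LAN firewall rules that pass port 53 to the allowed servers and block it otherwise.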
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.