Leaking Internal Traffic for Weird Kindle DNS



  • I love my new Kindle 3 (wi-fi version) but could kill the developers of the network stack. This blog post, http://www.thedave.ca/geek/kindle-3/, summarizes issue of the Kindle sending DNS inquiries to the DHCP returned value, but sending them to the default gateway address.

    In my case, I have a separate DNS server internally (192.168.10.100), and the Kindle sends lookups to it via the LAN interface of my pfSense box (192.168.10.1). The concerning part is that pfSense NATs the Kindle's address (192.168.10.200), but sends the packet out the WAN interface with the destination (DNS) not NATted. What is seen going out the WAN is:

    src: 11.11.11.1 (pub IP)
    dst: 192.168.10.100
    port: 53

    The ISP router drops the packet, but it really shouldn't have been routed that way at all.

    I know that the Kindle should realize the DNS server is local to the network, but my question is why pfSense doesn't send back a redirect to the host, or at least drop the packet and not send it out the WAN interface? Is there a rule that can be added to ensure a redirect is sent back or at least forward the packet to the internal host?


Log in to reply