pfSense 2.0 RC3 (x64) blocking legitimate DNS traffic?



  • I don't know how far back this goes, but I know for at least the last week I've had to add rules to my firewall to allow port 53 responses from the OpenDNS resolvers (208.67.222.222 and 208.67.220.220). While these responses were being blocked, I wasn't noticing any abnormal network issues, however, I think I know why pfSense is blocking some port 53 responses from OpenDNS. And it's EDNS. I think pfSense is assuming a maximum DNS message length of 512 bytes and is blocking longer DNS packets. This will need to be addressed though because OpenDNS and Google have announced a "Global Internet Speedup Initiative". http://www.opendns.com/about/announcements/229/



  • Packet size has no relation to whether reply DNS traffic is permitted. Anything that comes back as a response flipping the original source and dest IPs and ports will be allowed back through the original state as long as that state still exists.



  • Hmm. Beyond whitelisting the resolver IPs, what else can I do to ensure the statefulness of the packets? And a side note, a friend of mine who uses m0n0wall says he has the same problem, but only with OpenDNS as well.



  • m0n0wall has an older version of dnsmasq and it's probably related to that if it's the DNS forwarder. I don't think ipfilter has any intelligence with DNS response sizes either.

    You'd have to see if the state is indeed still there, and check the response to see if it's sane and should match that state.
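As an added illustration of the point made in the replies above (example code, not pf or pfSense code), here is a toy UDP state table: a reply is admitted only when its 4-tuple is the mirror image of an outbound query's and that entry has not expired, and the packet size never enters the decision. The client address 192.0.2.10, the source port and the 60-second timeout are assumed values for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a UDP exchange, keyed the way a state entry is."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        # The expected reply: source and destination IP/port swapped.
        return Flow(self.dst, self.dport, self.src, self.sport)


class UdpStateTable:
    """Tracks outbound UDP flows and admits only replies that mirror one."""

    def __init__(self, timeout: float = 60.0):
        self.timeout = timeout
        self.states: dict[Flow, float] = {}  # flow -> expiry time

    def outbound(self, flow: Flow, now: float) -> None:
        self.states[flow] = now + self.timeout

    def inbound_allowed(self, reply: Flow, size: int, now: float) -> bool:
        """True if a live outbound state exists for this reply. `size` is
        ignored: a 1200-byte EDNS answer is treated like a 100-byte one."""
        key = reply.reverse()
        expiry = self.states.get(key)
        if expiry is None or expiry < now:
            self.states.pop(key, None)  # stale entry, drop it
            return False
        self.states[key] = now + self.timeout  # refresh on matching traffic
        return True


def demo() -> dict:
    """Constructed scenario using the two OpenDNS addresses from the thread
    and an assumed client address; returns which replies were admitted."""
    table = UdpStateTable(timeout=60.0)
    query = Flow("192.0.2.10", 40000, "208.67.222.222", 53)
    table.outbound(query, now=0.0)
    good = Flow("208.67.222.222", 53, "192.0.2.10", 40000)
    other_resolver = Flow("208.67.220.220", 53, "192.0.2.10", 40000)
    return {
        "large_edns_reply": table.inbound_allowed(good, size=1200, now=1.0),
        "other_resolver": table.inbound_allowed(other_resolver, size=100, now=1.0),
        "late_reply": table.inbound_allowed(good, size=100, now=120.0),
    }
```

The "other_resolver" and "late_reply" cases are the two things worth checking on a real box when a reply is blocked: whether the answer really comes back from the same IP and port the query went to, and whether the state is still present when it arrives.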

