DNS server priority

marcelloc

Do you need help creating rules or changing dns servers?

A Former User

@marcelloc:

Do you need help creating rules or changing dns servers?

under the general tab, right now, i have the openDNS servers and the local host address

127.0.0.1
208.67.222.222
208.67.220.220

with the help from you guys in this thread, i have been able to eliminate the ISP DNS Servers from that list.

it appears that is working w/o any issues.

the next step is to create rules, i suppose that is next, that will allow me to intercept DNS lookups.  that might not be the right word/phrase.

but what i would like to accomplish is to force a certain set of DNS servers to be used regardless of what the user has used on their device.

wallabybob

You could add the following firewall rule (On Firewall -> Rules, click on the LAN tab, click on the lowermost "+": Action=Block, Disabled='not ticked', Interface=LAN, Protocol=TCP/UDP, Source=any, Destination=( not='ticked', Type=LAN address,) Destination port range=DNS, Log='ticked')

This will block any attempt by a system connected to the LAN interface to access (by TCP or UDP) a DNS Server (port 53) on any IP address other than the pfSense LAN IP address and will log in the system log any such attempt.

If you have other firewall rules on the LAN interface you need to check that a rule higher up the list doesn't allow this rule to be bypassed. (Rules are processed from the top down, processing stops on the first match.)

The logging gives some information to help track down offenders.

A Former User

thanks, i will try this.

if i do this, can i disable the DNS forwarder option?

my LAN PCs are using 192.168.1.1 for the DNS server, which is what i want, but i didnt set that under the DHCP settings for the LAN interface.

is it pulling that by default?

also, i dont mind leaving the DNS forwarder option as is, i dont want to break anything, but i also dont see the need to have 127.0.0.1 as a DNS server.

thank you for your help.

wallabybob

@tomdlgns:

if i do this, can i disable the DNS forwarder option?

No because @tomdlgns:

my LAN PCs are using 192.168.1.1 for the DNS server, which is what i want,

@tomdlgns:

but i didnt set that under the DHCP settings for the LAN interface.

DNS entries on DHCP page will override default of pfSense xxx interface.

@tomdlgns:

i also dont see the need to have 127.0.0.1 as a DNS server.

Is there a problem with pfSense using DNS forwarder for name resolution?

Suppose you didn't have 127.0.0.1 on pfSense DNS list. This would mean all DNS requests from pfSense would go to OpenDNS. OpenDNS does not know how to resolve names of systems on your local network. Do you want pfSense applications to not have access to name resolutions of "local" systems.

How would pfSense

A Former User

@wallabybob:

@tomdlgns:

if i do this, can i disable the DNS forwarder option?

No because @tomdlgns:

my LAN PCs are using 192.168.1.1 for the DNS server, which is what i want,

@tomdlgns:

but i didnt set that under the DHCP settings for the LAN interface.

DNS entries on DHCP page will override default of pfSense xxx interface.

@tomdlgns:

i also dont see the need to have 127.0.0.1 as a DNS server.

Is there a problem with pfSense using DNS forwarder for name resolution?

Suppose you didn't have 127.0.0.1 on pfSense DNS list. This would mean all DNS requests from pfSense would go to OpenDNS. OpenDNS does not know how to resolve names of systems on your local network. Do you want pfSense applications to not have access to name resolutions of "local" systems.

How would pfSense

no, there is no problem with pfsense using 127.0.0.1 to lookup local name resolution.  if that is what it is doing, then i will leave it alone.

thank you.

i wasnt sure exactly what it did, which is why i asked.

if i create the rules posted above, pfsense will force openDNS servers regardless of what the user has set on their device, correct?

that is mainly what i am looking to do.

thanks.

wallabybob

@tomdlgns:

if i create the rules posted above, pfsense will force openDNS servers regardless of what the user has set on their device, correct?

It was a single rule and it needs to be correctly positioned with respect to other rules you might have.

Here's how the overall thing works: pfSense uses only OpenDNS and the pfSense DNS forwarder for name resolution. The firewall blocks any attempt by a system connected to the LAN interface to use a DNS server other than pfSense. Note the firewall doesn't "automatically" change an attempt by a LAN system to use (say) Google name server into an attempt to use OpenDNS. An attempt by a LAN client to use anything other than the pfSense box as their name server will be blocked generally resulting in some sort of error report which will probably send the user to tech support (you?) who will investigate and find they are attempting to break the usage rules and appropriate discipline can follow.

It might be possible to have a NAT type firewall rule (or rules)  to automatically change a "violating" DNS access into a conforming DNS access.

This configuration doesn't do anything to block access to name servers providing service on non-standard ports. If you find such name servers then you could add appropriate firewall rules.

A Former User

@wallabybob:

@tomdlgns:

if i create the rules posted above, pfsense will force openDNS servers regardless of what the user has set on their device, correct?

It was a single rule and it needs to be correctly positioned with respect to other rules you might have.

Here's how the overall thing works: pfSense uses only OpenDNS and the pfSense DNS forwarder for name resolution. The firewall blocks any attempt by a system connected to the LAN interface to use a DNS server other than pfSense. Note the firewall doesn't "automatically" change an attempt by a LAN system to use (say) Google name server into an attempt to use OpenDNS. An attempt by a LAN client to use anything other than the pfSense box as their name server will be blocked generally resulting in some sort of error report which will probably send the user to tech support (you?) who will investigate and find they are attempting to break the usage rules and appropriate discipline can follow.

It might be possible to have a NAT type firewall rule (or rules)  to automatically change a "violating" DNS access into a conforming DNS access.

This configuration doesn't do anything to block access to name servers providing service on non-standard ports. If you find such name servers then you could add appropriate firewall rules.

i am not sure how do it in pfsense, i was able to do it with my linksys router that had DD-WRT flashed on it.

basically, i could set anything i wanted on a network computer for the DNS servers…

i did several tests.  i used bogus IP addresses on the client PC and i was still able to browse the internet.

if i went to welcome.opendns.com i saw the message that confirmed i was using their servers.

the network i was running at the time was 192.168.1.0 /24 and this was the DNS i was using on the client PC: 192.168.250.3 (just something random to make sure the firewall was ignoring the DNS server i had in my network settings) and DNS still worked because it forced openDNS servers to be used.

i used this command in the dd-wrt router to intercept DNS that client machines were trying to use.

"Configure DNSMasq for OpenDNS DNS forwarding
Go to Services tab » Services sub tab » Services Management section » DNSMasq sub section
Enable both DNSMasq and Local DNS options
In the Additional DNSMasq Options text box, enter:
no-resolv
strict-order
server=208.67.222.222
server=208.67.222.220
Click Apply Settings

and

You can prevent users from using their own DNS servers (and hence get around content filtering) by intercepting DNS queries and forcing them to use the DNS servers you specify.
Go to Administration tab » Commands sub tab
In the Commands text box, enter:
iptables -t nat -A PREROUTING -i br0 -p udp –dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
Click Save Firewall (note: your WAN interface will be restarted)"

just in case someone reads this later, these are NOT directions for the pfsense firewall. i just wanted to point out how i was intercepting DNS lookups with dd-wrt.

the rule that was posted above might work, but i'd like to confirm that i am on the same page before i create rules in pfsense.

marcelloc

Create a firewall rule on lan

Proto udp dest port 53

First, a rule to Allow dns to your server and then a rule That blocks any conection to port 53

The rule on lan That Allow internet access must be after dns rules.

wallabybob

@tomdlgns:

i used this command in the dd-wrt router to intercept DNS that client machines were trying to use.

I suspect an equivalent in pfSense would be to set up a port forward rule on the LAN interface as follows:
On Firewall -> NAT, Port Forward tab click "+" at the bottom to add the rule (default values not specified here): Interface=LAN, Protocol=TCP/UDP, Destination=(not box ticked, Type=(Address=LAN address, Destination port range from: DNS)), Redirect target IP = <pfsense lan="" ip="" address="">Click Save then go to Diagnostics -> States, click on Reset States tab, read the explanation then click on the Reset button and test the new port forward rule.

I haven't tested this. I expect it would forward any TCP/UDP access to port 53 (DNS) on an address other than the LAN IP address to the LAN IP address.</pfsense>