Question about: Blocking DNS queries to external resolvers


  • Rebel Alliance

    According to the Docs: http://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

You can block DNS requests to servers that are off your network with 2 rules, but I have this done with just 1 rule.

Or is it better to use the 2 rules as posted in the docs? Any expert comment is welcome.


  • Netgate Administrator

    Your one rule looks fine to me.

In fact the two rules in the docs are slightly confusing. There would be no need to have the second, "block all DNS traffic", rule since all traffic is blocked by default anyway. However you would need it if you have the default "allow LAN to any" rule, which isn't shown.

I assume you still have the default "allow LAN to any" rule below?

    Steve


  • Rebel Alliance

Yes, below that rule is the "LAN to ANY" rule with the GW changed to my "Load Balance / Fail-Over" GW group. I'm only blocking external DNS; besides this, all other "outbound" traffic is allowed.

Just curious about what is the "best" way / approach to achieve this, or if both ways are equal in efficiency terms. I'm not a networking expert, so I want to know the experts' opinion about this.


  • Netgate Administrator

You need to be aware that traffic routed to a load balanced gateway cannot use the system routing table; it all goes to the gateway. This means that if you have any other interfaces, OPT1 say, you won't be able to access it from LAN. If you need to do that, you need a rule to allow it above the default "any" rule.

I'm sure there are many ways to achieve external DNS blocking. I'm far from an expert myself; I await any other views. :)

    Steve
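
The rule ordering discussed in this thread, written out in pf.conf syntax as an added illustration (this is not the poster's ruleset and not pfSense's generated rules; pfSense builds its own pf ruleset from the GUI). The interface names, subnets, LAN address and gateway addresses are assumed for the example. Both the docs' two-rule form and the one-rule form are shown; only one of them would be used, and either has to sit above the policy-routed "LAN to any" pass rule.

```pf
# Assumed values for illustration only
lan_if   = "em0"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"      # the firewall's own resolver (Unbound/dnsmasq)
opt1_net = "192.168.2.0/24"

# --- Docs' two-rule approach. "quick" makes first match win, as in pfSense. ---
# 1. Let LAN clients reach the firewall's own resolver.
pass  in quick on $lan_if proto { tcp udp } from $lan_net to $lan_addr port 53
# 2. Block every other DNS destination. Only needed because the default
#    "LAN to any" pass rule further down would otherwise let it through.
block in quick on $lan_if proto { tcp udp } from $lan_net to any port 53

# --- One-rule equivalent: block DNS to anything that is NOT the firewall's
#     LAN address (in the pfSense GUI: destination "LAN address" with "not" ticked).
block in quick on $lan_if proto { tcp udp } from $lan_net to ! $lan_addr port 53

# Steve's caveat: a rule with a gateway (route-to) bypasses the routing table,
# so LAN -> OPT1 needs its own pass rule placed before the policy-routed rule.
pass  in quick on $lan_if from $lan_net to $opt1_net

# The default "allow LAN to any" rule, policy-routed to the gateway group
# (assumed members em1/em2). Anything not matched above lands here, which is
# why the DNS block rules must be ordered before it.
pass  in quick on $lan_if route-to { (em1 203.0.113.1), (em2 198.51.100.1) } round-robin from $lan_net to any
```

On a FreeBSD/pf box the file can be syntax-checked without loading it with `pfctl -nvf rules.txt`; on pfSense itself the equivalent check is simply reviewing the rule order on the LAN tab, since the GUI regenerates the ruleset.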
