Netgate Discussion Forum
    Question about: Blocking DNS queries to external resolvers

    General pfSense Questions | 4 Posts, 2 Posters, 2.1k Views
    ptt (Rebel Alliance) wrote:

      According to the Docs: http://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

      You can block DNS requests to servers that are off your network with 2 rules, but I have this done with just 1 rule.

      Or is it better to use the 2 rules as posted in the Docs? Any expert comment is welcome.
      [Attachment: Block_Ext_DNS.PNG]

      stephenw10 (Netgate Administrator) wrote:

        Your one rule looks fine to me.

        In fact the two rules in the docs are slightly confusing. There would be no need to have the second, block all dns traffic, rule since all traffic is blocked by default anyway. However you would need it if you have the default, allow LAN to any, rule which isn't shown.

        I assume you still have the default allow lan to any rule below?

        Steve

        ptt (Rebel Alliance) wrote:

          Yes, below that rule is the "LAN to ANY" rule with the GW changed to my "Load Balance / Fail-Over" GW Group. I'm only blocking external DNS; besides this, all other "outbound" traffic is allowed.

          Just curious about what is the "best" way / approach to achieve this, and whether both ways are equal in efficiency terms. I'm not a networking expert, so I want to know the experts' opinion about this.

          stephenw10 (Netgate Administrator) wrote:

            You need to be aware that traffic routed to a load balanced gateway cannot use the system routing table; it all goes to the gateway. This means that if you have any other interfaces, OPT1 say, you won't be able to access it from LAN. If you need to do that you need a rule to allow it above the default any rule.

            I'm sure there are many ways to achieve external DNS blocking. I'm far from an expert myself, I await any other views. :)

            Steve

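As an added illustration (not code from the thread, from pfSense, or from the pfSense docs), the following Python script models the two points made above with a small first-match rule evaluator: that one "block DNS to !LAN address" rule above the default "LAN to any" rule is equivalent to the docs' pass-then-block pair, that the docs' second rule only matters when an allow-any rule follows it, and that a pass rule policy-routed to a gateway group sends LAN-to-OPT1 traffic to the gateway instead of the routing table unless an explicit pass rule without a gateway sits above it. The addresses, the gateway group name and the rule names are made up for the example; protocol matching is left out since every rule involved is TCP/UDP port 53.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Union

# Constructed sample addressing for the example; nothing here comes from the thread.
LAN_NET = ip_network("192.168.1.0/24")
LAN_ADDRESS = ip_address("192.168.1.1")    # pfSense's "LAN address" alias: the firewall's LAN IP
OPT1_NET = ip_network("192.168.2.0/24")
DNS_PORT = 53

Target = Union[str, IPv4Address, IPv4Network]   # "any", a single address, or a network


@dataclass(frozen=True)
class Rule:
    """One LAN-tab rule. Protocol is omitted; the thread's rules are all TCP/UDP port 53."""
    action: str                    # "pass" or "block"
    dst: Target = "any"
    dst_negate: bool = False       # pfSense "invert match" on the destination, i.e. "!LAN address"
    dport: Optional[int] = None    # None = any destination port
    gateway: Optional[str] = None  # policy-routing gateway group; None = system routing table
    name: str = ""


@dataclass(frozen=True)
class Packet:
    dst: IPv4Address
    dport: int


def _dst_matches(target: Target, addr: IPv4Address) -> bool:
    if isinstance(target, str):            # "any"
        return True
    if isinstance(target, IPv4Network):
        return addr in target
    return addr == target


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    hit = _dst_matches(rule.dst, pkt.dst)
    return not hit if rule.dst_negate else hit


def evaluate(rules, pkt: Packet):
    """First match wins (pfSense applies 'quick' to interface rules); no match = default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.gateway, rule.name
    return "block", None, "default deny"


# The poster's "LAN to ANY" rule, policy-routed to a gateway group (group name is made up).
ALLOW_LAN_ANY = Rule("pass", gateway="LoadBalance_FailOver", name="Default allow LAN to any")

# Poster's approach: a single block rule above the allow-any rule.
ONE_RULE = [
    Rule("block", dst=LAN_ADDRESS, dst_negate=True, dport=DNS_PORT, name="Block DNS to !LAN address"),
    ALLOW_LAN_ANY,
]

# Docs' approach: pass DNS to the firewall itself, then block all other DNS.
DOCS_TWO_RULES = [
    Rule("pass", dst=LAN_ADDRESS, dport=DNS_PORT, name="Allow DNS to LAN address"),
    Rule("block", dport=DNS_PORT, name="Block all other DNS"),
    ALLOW_LAN_ANY,
]

# Steve's fix for the policy-routing side effect: a pass rule with no gateway, placed above.
ALLOW_LAN_TO_OPT1 = Rule("pass", dst=OPT1_NET, name="Allow LAN to OPT1 via routing table")

# Constructed test traffic (external addresses are from the RFC 5737 documentation range).
DNS_TO_FIREWALL = Packet(LAN_ADDRESS, DNS_PORT)
DNS_TO_EXTERNAL = Packet(ip_address("198.51.100.53"), DNS_PORT)
HTTPS_EXTERNAL = Packet(ip_address("198.51.100.80"), 443)
SSH_TO_OPT1 = Packet(ip_address("192.168.2.10"), 22)
TRAFFIC = {
    "dns_to_firewall": DNS_TO_FIREWALL,
    "dns_to_external": DNS_TO_EXTERNAL,
    "https_external": HTTPS_EXTERNAL,
    "ssh_to_opt1": SSH_TO_OPT1,
}


def decisions(rules):
    """Map each sample flow to its pass/block verdict under a rule set."""
    return {label: evaluate(rules, pkt)[0] for label, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    print("one rule + allow-any:   ", decisions(ONE_RULE))
    print("docs two rules + allow-any:", decisions(DOCS_TWO_RULES))
    print("docs pass rule only, no allow-any:", decisions(DOCS_TWO_RULES[:1]))
    print("docs pass rule + allow-any (second rule missing):", decisions(DOCS_TWO_RULES[:1] + [ALLOW_LAN_ANY]))
    print("SSH to OPT1 under the allow-any rule:", evaluate(ONE_RULE, SSH_TO_OPT1))
    print("same, with an explicit pass rule above:", evaluate([ALLOW_LAN_TO_OPT1] + ONE_RULE, SSH_TO_OPT1))
```

Running it shows the two rule sets producing identical verdicts for every flow, the docs' pass rule on its own blocking everything (including HTTPS) because nothing else allows it, and external DNS slipping through once an allow-any rule is added without the docs' second block rule. The last two lines show the OPT1 flow matching the gateway-group rule unless a plain pass rule is placed above it, which is the ordering Steve describes.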
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.