DNS forwarder/DHCP server lockdown needed



  • I use two pfSense boxes for DHCP (working as peers) and as DNS forwarders (using CARP VIPs as primary and the secondary pfSense box as the secondary DNS).

    All the DNS and DHCP requests come from VLANs. The default route for the routers is vlan1. Currently I am allowing all traffic (bad).

    I need to allow DHCP and DNS requests from the VLAN interfaces but nothing else. (I have a client using a DNS forwarder as a gateway to port scan the local network, grr)

    I'm pretty sure the DNS rule should look like:

    (For VLAN 101)

    UDP V101 net any any    destined to UDP 53  ALLOW

    but I'm not real sure how to allow DHCP.

    maybe …  UDP 0.0.0.0 67-68    any 67-68

    I think I need only 2 rules in each VLAN's firewall, one for DNS and one for DHCP. Will I also need a rule for VRRP? Am I overlooking anything?

    Thanks in advance!



  • Floating rules might help you with this. Then you need only two rules, unless you use aliases.
    And DHCP discover uses UDP destination port 67.



  • The minimum required DHCP rules are auto-added, so unless you've added some very permissive rules, there's nothing to do there. It's impossible to use a DNS forwarder as a gateway to port scan a network. If you describe what you're seeing, someone may be able to help fix whatever it is you're seeing that you think is that.



  • OK, here are some screenshots of NTOP. This seems to show the VIP (which is the address assigned as the primary DNS server to this network) going sequentially from port 1 up to 1022. This one stayed inside the 104 VLAN in what appears to me to be one of those viruses that finds a gateway and starts probing it/messing with it.

    Not to pass blame, but to explain the current firewall settings… I didn't set up the DNS forwarders/DHCP servers, and it appears the original guy had trouble because he has allow any any in floating rules, LAN rules, and a few misc pass rules in various VLANs, so it appears there was trouble setting everything up and pass rules just kept getting added. Now it is wide open and passes anything.

    There is no NAT set up, so this router can't get clients to the Internet, but it seems to be VLAN routing, and allowing itself to be used as a gateway to explore the local side of the network.



    Firewall log from primary DNS forward/DHCP. It looks like I have clients trying to gateway out this box.
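
An added example, not part of any post in this thread and not pfSense code: a small Python model of first-match interface rule evaluation that compares the inherited "allow any any" ruleset with a DNS-plus-DHCP-only ruleset for VLAN 101. The subnets, the VIP address, the client address and all names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str     # "pass" or "block"
    proto: str      # "udp", "tcp" or "any"
    src: str        # source network, CIDR
    dst: str        # destination network, CIDR
    dport: int = 0  # 0 means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (0, p.dport))

def evaluate(rules, p):
    """Interface rules are first-match; a packet no rule matches is blocked."""
    return next((r.action for r in rules if r.matches(p)), "block")

# Constructed addressing: VLAN 101, a host in VLAN 104, and the DNS VIP.
V101, V104_HOST, VIP = "10.1.101.0/24", "10.1.104.20", "10.1.101.1"

WIDE_OPEN = [Rule("pass", "any", "0.0.0.0/0", "0.0.0.0/0")]  # inherited allow any any
LOCKED_DOWN = [
    Rule("pass", "udp", V101, VIP + "/32", 53),  # DNS to the forwarder only
    # DHCP: a reply above says pfSense adds these itself; modelled for completeness.
    Rule("pass", "udp", "0.0.0.0/32", "255.255.255.255/32", 67),  # broadcast
    Rule("pass", "udp", V101, VIP + "/32", 67),  # unicast renewal (server assumed at VIP)
]

def sweep_passed(rules, target=V104_HOST):
    """Count how many TCP ports 1-1022 a VLAN 101 client can reach on target."""
    return sum(evaluate(rules, Packet("tcp", "10.1.101.50", target, p)) == "pass"
               for p in range(1, 1023))

DNS_QUERY = Packet("udp", "10.1.101.50", VIP, 53)
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 67)

if __name__ == "__main__":
    for name, rules in (("wide open", WIDE_OPEN), ("locked down", LOCKED_DOWN)):
        print(name, evaluate(rules, DNS_QUERY), evaluate(rules, DHCP_DISCOVER),
              "sweep ports passed:", sweep_passed(rules))
```

Under the wide-open ruleset every probed port toward the other VLAN passes; with only the DNS and DHCP pass rules, both services still work and the inter-VLAN sweep falls through to the default block.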

