Best way to intercept DNS traffic?
-
What would be the best way to redirect all DNS traffic originating from the LAN net to pfSense's own DNS resolver (e.g. as a preventive measure against DNS hijacking viruses, or when using a filtering service like OpenDNS)?
One way that comes to mind would be to simply port forward all DNS traffic initiated from the LAN net to 127.0.0.1:53 (assuming some resolver runs on pfSense itself).
Does anyone see any problems with this approach?
-
Why not just block DNS outbound completely for DNS you're not wanting to use. Be it only pfSense can query, or if you want your clients to use OpenDNS directly. This way if you get something with some software that tries to use something else for DNS, it won't work. And someone should complain - and you will find the software that is redirecting their DNS traffic.
-
I know how to block DNS, but it's not what I asked.
The question was, and remains, about how to best redirect DNS traffic on pfSense. In particular, if the method I described above might cause any "unintended consequences" …
-
And what you ask is flawed logic IMHO - vs redirecting and allow a compromised system to query a different dns vs the compromised one. It would be better to BLOCK it from getting to where it wanted to go. So that user would be aware of the issue, and you can then identify the compromised system.
And what you're asking is not really possible AFAIK - you're not hitting your interface's IP and saying hey go here instead (NAT). You're asking to route any dest IP on port X to new IP port X.
My point is even if it was possible to do it that way, the better way would be to block it. And then investigate users that fail because of the block.
-
Hi, I would like to reopen the thread by asking the same thing.
How would it be possible to redirect all DNS traffic to pfSense only? (Something like the Tomato firmware has as an option in DNS configuration: "Intercept DNS port (UDP 53)".)
I know it could be done with a proxy (but I don't need to set up a Squid proxy at the moment, just a simple pfSense setup) or as johnpoz wrote by blocking, but should I try and block every possible DNS a computer client could try to manually insert? Thank you for any reply.
-
Check these threads:
http://forum.pfsense.org/index.php/topic,70.0.html
http://forum.pfsense.org/index.php/topic,60925.0.html
-
"but should I try and block every possible DNS a computer client could try to manually insert?"
What? DNS is on port 53, mostly UDP - but TCP can be used. It's one rule, you block outbound on 53 both UDP/TCP, there you go - every single DNS server on the planet is now blocked ;)
-
Nice idea.
Either use the approved DNS server (pfSense forwarder) or get blocked.
Like it.
Firewall: Rules, LAN (after anti-lockout rule and before other pass rules)
Actions: block & log
Proto: IPv4+6 TCP/UDP
Src Addr: *
Src Port: *
Dst Addr: ! LAN address
Dst Port: 53 (DNS)
Gateway: *
Queue: none
Description: Block unapproved DNS servers rule
-
That is simple enough it should be a checkbox somewhere in the GUI!
-
The 'block all other DNS traffic' solution or the 'port forward DNS to localhost' solution?
Port forwarding looks like exactly what dhatz was after. I guess it comes down to what you want your users to see. By port forwarding users would not know they're connected to local DNS instead of their chosen external DNS server (if they chose it intentionally). Blocking other DNS servers lets them know that only local DNS service is allowed. Perhaps it depends what sort of users you have. ;)
Steve
-
This is the solution I needed, I think! Not block the DNS queries when someone manually changes the DNS, but whatever DNS is manually inserted it should always use the pfSense DNS without being cut off.
What would be the best configuration for this solution? Simply forward port 53 on the pfSense IP? Thank you.
-
The port forward setup is explained in the linked post, http://forum.pfsense.org/index.php/topic,60925.0.html, and the blog post linked there: http://www.interspective.net/2012/07/pfsense-ntp-and-network-sneakery.html
Looks simple enough, though I've never tried it. :)
Steve
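Both approaches discussed in this thread, written in raw pf syntax (the packet filter pfSense runs on), as an added example that is not from the thread, the linked posts or the pfSense project. The interface name, addresses and the resolver's listen address are assumptions; on pfSense the same rules are entered through the Firewall > NAT (Port Forward) and Firewall > Rules pages rather than written into pf.conf by hand.

```pf
# Added example, not from the thread or from pfSense itself.
# Assumed values: LAN interface em1, LAN network 192.168.1.0/24,
# firewall LAN address 192.168.1.1, resolver listening on 127.0.0.1:53.
lan_if   = "em1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"

# --- Option A: redirect (the port forward dhatz asked about) ---------------
# Every DNS packet from the LAN whose destination is NOT the firewall itself
# is rewritten to the local resolver. "rdr pass" creates the state without
# consulting the filter rules, so no separate pass rule is needed.
# Queries already aimed at $lan_addr reach the resolver untouched.
rdr pass on $lan_if inet proto { tcp, udp } from $lan_net to ! $lan_addr port 53 -> 127.0.0.1 port 53

# --- Option B: block and log (johnpoz's approach) --------------------------
# Same placement as the GUI rule posted above: after the anti-lockout rule
# and before other pass rules. Queries to the firewall's resolver are allowed;
# everything else on port 53 is dropped and logged, and the log entries point
# at the hosts that were configured for an outside DNS server.
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to $lan_addr port 53
block in log quick on $lan_if inet proto { tcp, udp } from $lan_net to any port 53

# Pick one option: with the rdr pass rule in place, redirected packets skip
# the filter rules entirely, so the block rule in option B never fires.
```

These rules cover IPv4 only (`inet`); the GUI rule in the thread is IPv4+6, so an `inet6` counterpart is needed for dual-stack LANs.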
-
"when someone manually changes the dns"
In a corp setup - users should not even be able to change dns in the first place. And if they did, since in most corp setups only the proxy can go out anyway - what point would it be, they still are not going anywhere.
And again in a corp setup, it would be common practice to block all outbound traffic, even if you were allowing direct access outbound by user machines - not common enterprise/corp setup only specific ports would be allowed. Even if you allowed users direct access, and change their tcp settings and point to outside dns - what good would it do them? If they are not pointing to their AD dns, they are going to have issues, etc.
In a normal corp setup intercepting of DNS seems pointless, in a home setup I don't see the point either? So this comes down to mom and pop type setups??? That are at a crossroads of moving into that next phase of their IT controls?
Just trying to get a handle on what sort of setup would want to intercept dns traffic?
Can someone describe their IT control policies and sort of company/location where you would want to intercept dns vs just block it? I would assume a place that is looking to prevent outside dns would also be at a place where they are using a proxy for users to filter content? If that is the case then all traffic other than proxy outbound should be blocked, etc.
-
With the current trend for allowing users to bring their own devices and use them on your network I can see this may be useful. If only a few of those are using some manually configured DNS server it would make things easier for everybody if that device continued to function without having to make any changes.
I agree it's perhaps a fairly rare occurrence. Having the option to run this setup or not can only be a good thing, no?
Steve
-
Sure options are always a good thing, just trying to understand where redirection of 53 would be of use. Redirection has many uses.. Just trying to get my head around where you want to do it on dns?
Let's say it is BYOD - wouldn't they be DHCP to get on your network, so you would be giving them a DNS server to use ;)
Letting users manually configure IPs seems like a really bad idea ;) If you're letting the BYOD, but you don't want them using outside DNS? Seems odd sort of setup to me..
-
Like I said, fairly rare!
I used to use external DNS servers that could be reached from anywhere after having trouble with VPN connections on a laptop I had at the time. I'm not doing that now.
Users may be using an external DNS server for content filtering perhaps.
If you're going to allow BYOD (and that seems to be the done thing these days) you've got to expect and allow for all manner of weird configurations. If you can do this and people's devices 'just work' that's one less support call you have to field. Is there a disadvantage to this setup?
Steve
-
I don't see a problem with redirecting or blocking external DNS servers since the one in pfSense seems to be working well and I have it pointed to upstream DNS servers that I trust. Having a radio-button for Open, Blocked or Redirected DNS still seems like a handy thing for new users and folks that don't want to be creating their own firewall rules.
The reason I'd consider blocking access to external DNS servers is the number of reports of problem DNS servers out there that could cause a user to connect to a machine other than the one they think they are connected to. I'm not sure I need this here since almost every machine is a Linux or BSD system but we do have one XP box and one Android device running. I'm not sure what our Dish Network satellite TV boxes are doing or what our Sonos music system is using; they do use my DHCP server but I haven't looked at what they are actually connecting to. Guests get offered use of a spare Linux box or a dedicated guest WiFi access point on its own LAN so they aren't a threat to my systems.
-
Of course there are apps/devices that can benefit by submitting DNS queries to a specific server.
Take a Roku device for example. It uses the DHCP supplied DNS server (pfSense Forwarder), but also submits a www.google.com query to Google TCP DNS 8.8.8.8, which in my case at least provides a different set of servers that ping in at 18 ms rather than 148 ms for the ones provided by Level 3 (pfSense DNS forwarder).
That's pretty wordy. May have to read through it a couple times.
There are lots of possibilities. To each their own.