Netgate Discussion Forum
    Secure DNS Setup

DHCP and DNS
6 Posts 2 Posters 4.8k Views
logger

Hello everyone

Forgive me if this sounds like a stupid question, but I would like to set up DNS securely on my pfSense box. I basically have a pfSense box bridging an ADSL modem. On the LAN side I have hosts that just browse the internet, i.e. i386 boxes/Androids/iPads via HTTP/S. All settings are by default on my pf box excluding the Snort installation.

Originally I enabled the firewall on the pfSense box as follows:

LAN tab

Webconfigurator rule
pass proto: tcp/udp  source: LAN net  port: any  destination: any  port: 53
pass proto: tcp/udp  source: LAN net  port: any  destination: any  port: 443
pass proto: tcp/udp  source: LAN net  port: any  destination: any  port: 80

WAN tab

block proto: any  source: RFC 1918 networks  port: any  destination: any  port: any
block proto: any  source: reserved/not assigned by IANA  port: any  destination: any  port: any
block proto: any  source: any  port: any  destination: any  port: any

Is there a more secure way of doing this, so as to only allow DNS requests outbound from the hosts, as opposed to just creating rules that let information through on the ports that the DNS and HTTP/S protocols use?

johnpoz (LAYER 8 Global Moderator)

What??

For starters, why do you think your LAN clients need to go outbound on DNS?  Don't they ask pfSense for DNS?  This is the default setup.  You don't need that dst any rule for 53 there.  LAN clients just need to be able to talk to pfSense for DNS.  Then pfSense goes and asks your ISP DNS, or whatever you set it up to go ask.  This is the DNS forwarder service (dnsmasq).

You're not allowing any unsolicited inbound traffic, and you only let your clients out on http/s???  That is kind of the bare freaking minimum to allow them to use the web.  And for sure it is not going to allow them to do much else - for example they could not send email from a client that uses say TLS or just plain direct SMTP, since those ports are not open.

They cannot FTP or SSH outbound..  Not exactly what you want to lock down more?  You could have them go through a proxy to gain access if you want.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

logger

pass proto: tcp/udp  source: LAN net  port: any  destination: any  port: 53
pass proto: tcp/udp  source: LAN net  port: any  destination: any  port: 443

With the above rules disabled, pages will not resolve on any of the iPads :( When I block these rules and use darkstat to monitor the iPads' IP addresses, I see them trying to access WAN-side destination IPs on port 443?

johnpoz (LAYER 8 Global Moderator)

Well yeah - lots of clients are going to access outside addresses on 443, that is the SSL port - you kind of need that to access any secured site on the internet.  https://www.gmail.com for example.  Lots of apps use 443 to talk to their servers to get info, updates, etc.

You're going to have to allow 443 for general internet use.  But you don't need to allow Any on 53 - since all clients on your network should be asking your pfSense box for DNS.  This is the default configuration.

So you limit 53 to only your pfSense LAN address, and you can change your 443 rule to tcp only - I know of NO standard internet applications that use udp 443.  And you need a rule to allow tcp 80 to any as well for normal, just plain jane internet access.

logger

Hi johnpoz, everyone. Thanks for your help so far. When I delete the port 53 outbound rule I cannot resolve hosts, even though I have "Enable DNS Forwarder" ticked under Services -> "DNS Forwarder". Under "System" -> "General Setup" I have the correct servers listed in "DNS Server".

Can anyone help?

johnpoz (LAYER 8 Global Moderator)

You have to allow 53 to your pfSense LAN IP for clients to be able to talk to pfSense for DNS..

The default rule allows all outbound traffic; if you're going to restrict it, then you have to at least allow your clients to talk to pfSense on its IP on tcp/udp 53 so they can ask its DNS forwarder to go look up google.com, for example.

Then the client will go to www.google.com on tcp 80 or 443, which you allow any on.

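To make the difference between the two LAN rule sets in this thread concrete, here is an added example (not code from the thread or from pfSense) that models pfSense's first-match LAN rule evaluation over the original poster's rules and over the tightened set johnpoz recommends. The LAN subnet 192.168.1.0/24, the pfSense LAN address 192.168.1.1 and the client/destination addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed lab addressing (assumption, not from the thread).
LAN_NET = ip_network("192.168.1.0/24")
PFSENSE_LAN = ip_address("192.168.1.1")   # the pfSense LAN address clients should use for DNS
TCP, UDP = frozenset({"tcp"}), frozenset({"udp"})
TCP_UDP = TCP | UDP


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    protos: frozenset            # protocols the rule applies to
    dst: Optional[IPv4Address]   # None means "destination: any"
    dport: Optional[int]         # None means "port: any"

    def matches(self, proto, src, dst, dport):
        # Every rule in the thread has "source: LAN net", so that check is shared.
        return (proto in self.protos and src in LAN_NET
                and (self.dst is None or dst == self.dst)
                and (self.dport is None or dport == self.dport))


def evaluate(rules, proto, src, dst, dport):
    """pfSense interface rules are first-match; anything unmatched hits the default deny."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "block"


# The original poster's LAN rules: DNS, HTTPS and HTTP to any destination, tcp and udp.
ORIGINAL = [Rule("pass", TCP_UDP, None, 53),
            Rule("pass", TCP_UDP, None, 443),
            Rule("pass", TCP_UDP, None, 80)]

# The tightened set: DNS only to the pfSense LAN address, tcp-only 443 and 80 to any.
HARDENED = [Rule("pass", TCP_UDP, PFSENSE_LAN, 53),
            Rule("pass", TCP, None, 443),
            Rule("pass", TCP, None, 80)]


def compare(proto, dst, dport, client="192.168.1.50"):
    """Return (original_verdict, hardened_verdict) for one LAN-originated flow."""
    src, dst = ip_address(client), ip_address(dst)
    return (evaluate(ORIGINAL, proto, src, dst, dport),
            evaluate(HARDENED, proto, src, dst, dport))
```

With the hardened set a client's DNS query to the pfSense LAN address still passes, while a direct query to an outside resolver and udp/443 are blocked; `compare("udp", "203.0.113.10", 53)` returns `("pass", "block")`.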
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.