How to Block DNS Requests from LAN Devices?



  • I would like to prevent any computer clients on my LAN from using DNS's that they may specify and instead use only the ones I have configured on my pfSense router, even if the client has requested a different one.  Does pfSense allow this functionality? It would seem to me to be an essential security feature that should be included with Dynamic DNS.  I am using Internet Guide on DynDNS to filter out categories of websites, but if I change the DNS server on a local machine it overrides the DNS servers set in pfSense. Can I somehow force all requests to only go through the DNS servers that I specify on my pfSense router?

    ???


  • Rebel Alliance

    If you are using pfSense as DNS Server for your LAN (DNS Forwarder enabled), just create a FW rule Blocking TCP/UDP port 53 !LAN Address



  • Could you please explain how to do that (assume nothing)?


  • Rebel Alliance

    Is the pfSense the LAN users DNS ?

    Please post a screenshot of your FW LAN rules



  • Yes (if I understand you correctly).  I have not created any rules that were not present in the default settings.


  • Rebel Alliance

    Please post a screenshot of your LAN Firewall Rules (you can attach the img in "additional options")


  • Rebel Alliance

    Just create a rule as the ones from the attached screenshot, and "put" above any "pass" rule.

    It is really difficult to help you without knowing (seeing) your FW rules.



  • Rebel Alliance

    Ok, the rule from my previous post should work, just make sure that it is above the Default allow LAN to any rule



  • Thanks–I'll give it a try.



  • Oops!  The rule appears to work–with one major problem:  I am assigning fixed IPs to my client computers, so I must specify my pfSense router address in each client--the rule also appears to block this (local LAN) address and, as a result, my clients can't talk to the router!  Is there a way I can make an exception to the rule so it does not block the pfSense router address?

    :(


  • Rebel Alliance Global Moderator

    That rule posted would only block access to tcp/udp 53 that is NOT your pfsense lan address.

    It would not block access to your pfsense lan address on 53, and then your next default allow rule would allow access to everything that is not based on port 53.

    You setting static IPs on devices has nothing to do with anything.

    Post your LAN rule setup again, so we can see what you did wrong.



  • Ah, I tried the setup quickly, early this morning, when I was in a rush.  I retried it again and discovered that I had neglected to configure the "destination" changes in the rule this morning.  It appears to be working now–I'll find out if it still works the next time I reboot pfSense.  Thanks ptt and johnpoz.

    :)



  • @Nonsense:

    Ah, I tried the setup quickly, early this morning, when I was in a rush.  I retried it again and discovered that I had neglected to configure the "destination" changes in the rule this morning.  It appears to be working now–I'll find out if it still works the next time I reboot pfSense.  Thanks ptt and johnpoz.

    :)

    Bad network admin.  Fixed/hardcoded IPs on clients are bad juju.  pfSense can do DHCP reservations - use them.  DHCP makes your life much easier.  Why do you want your life to be difficult?  ;D
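As an added illustration (not part of the thread), here is a small first-match rule evaluator that mirrors the LAN ruleset discussed above: a block for TCP/UDP port 53 to anything other than the pfSense LAN address, placed above the default allow, alongside the two pitfalls that came up (destination left at "any", and the block rule placed below the pass rule). The addresses 192.168.1.1, 192.168.1.50 and 8.8.8.8 are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional, Set

# Constructed sample value: the pfSense LAN interface address.
PFSENSE_LAN = ip_address("192.168.1.1")

@dataclass
class Rule:
    action: str                 # "block" or "pass"
    protos: Set[str] = field(default_factory=set)  # empty set = any protocol
    dst_port: Optional[int] = None                 # None = any port
    dst: str = "any"            # "any" or "lan_address" (the pfSense LAN IP)
    dst_negate: bool = False    # True models the "!LAN address" (invert) box

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        if self.protos and proto not in self.protos:
            return False
        if self.dst_port is not None and dport != self.dst_port:
            return False
        if self.dst == "lan_address":
            hit = ip_address(dst_ip) == PFSENSE_LAN
            return hit != self.dst_negate   # negated: match everything except the LAN IP
        return True                          # destination "any"

def evaluate(rules, proto: str, dst_ip: str, dport: int) -> str:
    """pf-style first-match evaluation: the first matching rule decides.
    Nothing matching falls through to the implicit default deny."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "block"

# The rule from the thread: block TCP/UDP 53 to "! LAN address", above the default allow.
BLOCK_EXTERNAL_DNS = Rule("block", {"tcp", "udp"}, 53, "lan_address", dst_negate=True)
DEFAULT_ALLOW_LAN = Rule("pass")  # "Default allow LAN to any"
CORRECT = [BLOCK_EXTERNAL_DNS, DEFAULT_ALLOW_LAN]

# Pitfall 1 (the follow-up post): destination left at "any", so DNS to pfSense itself is blocked too.
MISCONFIGURED = [Rule("block", {"tcp", "udp"}, 53, "any"), DEFAULT_ALLOW_LAN]

# Pitfall 2: block rule placed below the default allow, so it is never reached.
WRONG_ORDER = [DEFAULT_ALLOW_LAN, BLOCK_EXTERNAL_DNS]

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("misconfigured", MISCONFIGURED), ("wrong order", WRONG_ORDER)):
        print(name, "client->8.8.8.8:53 =", evaluate(rules, "udp", "8.8.8.8", 53),
              "| client->pfSense:53 =", evaluate(rules, "udp", "192.168.1.1", 53))
```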


Locked