FW: Enable DNS only to ISP, or to any address?

  • I know DNS uses a search hierarchy tree, but I don't know if the ISP DNS server itself does this upstream searching for clients on our LAN, or if the clients themselves have to contact the upstream DNS servers to find an unusual address.

    Basically, I want to know, is this all I need for my firewall config?

    Firewall, LAN tab
    Allow TCP/UDP, Any port, Any Address to port 53, (ISP's DNS Server Address)

    Or do I have to do the following for DNS to work properly?

    Firewall, LAN tab
    Allow TCP/UDP, Any port, Any Address to port 53, Any address

    If it's the second, then it seems trivial for anyone to set up a home RDP or proxy-bypass that sits on port 53, and get around organizational firewall restrictions that require everyone to use a web proxy.

  • LAYER 8 Global Moderator

    The DNS server does the recursive lookup. That is why they are called recursive name servers ;)

    Normally you would not even allow them to talk to your ISP DNS, you let them talk to pfSense for DNS, pfSense talks to your ISP name server or OpenDNS or Google DNS, etc., whatever you set up pfSense to use.

    You do understand it's trivial to just bounce off your proxy for OpenVPN access to bypass your restrictions, right?
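As an added defender-side example (not from this thread and not pfSense's own code): with the second, permissive rule in place, the way to notice a LAN host using port 53 for something other than queries to the local resolver is the firewall log. The script below flags LAN hosts that send port-53 traffic to anything except the approved resolver (pfSense's LAN address, assumed here to be 10.0.1.1); the log lines and their column layout are constructed for the example and are not pfSense's filterlog format.

```python
# Added example: detect LAN hosts sending port-53 traffic past the local resolver.
# Log format "src,dst,proto,dport,action" is constructed, not pfSense's filterlog.
import ipaddress
from collections import defaultdict

# Constructed sample traffic, logged while "LAN -> any port 53" was allowed.
SAMPLE_LOG = """\
10.0.1.20,10.0.1.1,udp,53,pass
10.0.1.20,10.0.1.1,tcp,53,pass
10.0.1.31,8.8.8.8,udp,53,pass
10.0.1.31,10.0.1.1,udp,53,pass
10.0.1.44,203.0.113.9,tcp,53,pass
10.0.1.44,203.0.113.9,tcp,53,pass
10.0.1.44,203.0.113.9,tcp,53,pass
10.0.1.50,10.0.1.1,udp,53,pass
10.0.1.50,192.0.2.77,tcp,443,pass
"""

LAN_NET = ipaddress.ip_network("10.0.1.0/24")            # assumed LAN subnet
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.1.1")}  # assumed pfSense LAN address


def parse_log(text):
    """Turn the constructed CSV lines into (src, dst, proto, dport, action) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, action = line.split(",")
        rows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                     proto, int(dport), action))
    return rows


def find_dns_bypass(rows, lan_net=LAN_NET, approved=APPROVED_RESOLVERS):
    """Return {src: {dst: count}} for LAN hosts whose port-53 traffic went
    anywhere other than the approved resolver(s). Repeated TCP/53 flows to one
    external host (10.0.1.44 below) are the pattern worth a closer look."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, dport, action in rows:
        if src not in lan_net or dport != 53 or dst in approved:
            continue
        hits[str(src)][str(dst)] += 1
    return {s: dict(d) for s, d in hits.items()}


if __name__ == "__main__":
    for host, dests in find_dns_bypass(parse_log(SAMPLE_LOG)).items():
        print(host, "-> port 53 outside the resolver:", dests)
```

With the first, restrictive rule (LAN may reach port 53 only on pfSense), the same flows would show up as blocks rather than passes, which makes the review easier still.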

