NAT for capturing DNS requests?

  • I just got done implementing this dodge to capture NTP requests and causing them all to be fielded by the pfsense box:

    pfSense NTP and network sneakery

    Seems like it works pretty well.

    I was wondering if I should do the same thing with DNS queries? At first I thought it was good enough to put the pfsense box IP address first in my lan windows boxes' DNS list so they would just go there directly. Strangely though, I just got some log entries saying they had gone out to get their DNS request serviced by opendns (which is what I had later in their list). I don't know why they did, but I am wondering if I should just let them anyway.

    The "example basic configuration" mentions this but does not fill out the picture; for example the above scenario is not mentioned.

  • That exact scenario can be done with DNS as well, just change port 123 to 53 and TCP/UDP rather than UDP.

  • LAYER 8 Global Moderator

    If you don't want them going to opendns - why did you put it in their list??  Makes no sense??

  • Good question. Since my pfsense box is "in development" and it is being placed in a system that is in production, and since I am not always there to take care of things, I wanted the ability for my users to simply remove the pfsense box by pulling the cables from it - with at most a little help over the phone, and still be able to operate. (And no, I do not want to be able log in to and to fiddle with the system remotely due to security risks.) So opendns being listed there is a backup provision.

    In other words, the pfsense box did not replace the old Cisco router in this system, but was simply added in front of it. It can be pulled out again if needed.

  • LAYER 8 Global Moderator

    Ok - again why did you put it in their list.. If your going to pull pfsense out of the path if something fails, then they would have to be either changing their gateway/network settings by hand or getting new settings via dhcp.

  • They have static addresses.

    I know this is old-fashioned, but that's just me I suppose. I might have gone with dhcp if I had forseen this difficulty. I still might. So it goes…

    Oh, as to changing that stuff by hand, that's just what I don't want my users doing. They are very much NOT computer people.

  • LAYER 8 Global Moderator

    So how are they going to access the internet if you take pfsense out of the path if they are setup static.. Your saying your using the same gateway IP?  How are you doing that?

  • It originally was like this:

    Modem –- Cisco router --- Windows boxes

    It's now like this:

    Modem --- pfsense box --- Cisco router --- Windows boxes

    In the current setup the pfsense box gets its address from the modem, and the Cisco router gets its address from the pfsense box (dhcp I mean). If I remove the pfsense box the Cisco rounter will just get its address from the modem. No changes either way, in the Windows boxes.

  • LAYER 8 Global Moderator

    So your double natting?  What is pfsense buying you in this configuration other than an extra nat and something more to config?  That setup might be ok to verify pfsense gets and IP from your isp, etc.  That should be like that all of 5 minutes, then you take your other router out of the picture.

  • I tried to figure out what is wrong with double NAT and still don't see it. Perhaps there would be a problem if I had a server or ran games, but I don't. I have a few old boxes running Windows XP that I am trying to keep alive.

    To do what you suggest (the "clean" solution - I've already thought of it) I would first have to go out and buy a switch, which seems a little silly since I already have that on the Cisco router. Not only that. If I had to remove the pfsense box for whatever reason (it's in development after all) it would require my users to dig out the old router and re-cable it, a lot more difficult than moving a single cable as in the current setup. That's assuming they don't just cable the switch to the modem, leaving the network with no firewall at all!

    So the "clean" solution is actually substandard at the moment. After I get up to speed on pfsense and have some confidence in the configuration, hardware, etc. then I may go ahead and change over.

    I brought pfsense in because I wanted to learn it, and because my old crappy network needs a security boost.

Log in to reply