Netgate Discussion Forum

    NAT for capturing DNS requests?

    10 Posts 3 Posters 4.2k Views
    Paul47

      I just got done implementing this dodge to capture NTP requests and cause them all to be fielded by the pfsense box:

      pfSense NTP and network sneakery

      Seems like it works pretty well.

      I was wondering if I should do the same thing with DNS queries? At first I thought it was good enough to put the pfsense box IP address first in my lan windows boxes' DNS list so they would just go there directly. Strangely though, I just got some log entries saying they had gone out to get their DNS request serviced by opendns (which is what I had later in their list). I don't know why they did, but I am wondering if I should just let them anyway.

      The "example basic configuration" mentions this but does not fill out the picture; for example the above scenario is not mentioned.
      http://doc.pfsense.org/index.php/Example_basic_configuration

      cmb

        That exact scenario can be done with DNS as well, just change port 123 to 53 and TCP/UDP rather than UDP.

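cmb's answer spelled out in pf rule syntax, as an added example that is neither cmb's text nor the ruleset pfSense generates: it mirrors the GUI port forward from the NTP write-up with the port and protocols changed as cmb says. The interface name em1 and the LAN subnet 192.168.1.0/24 are assumptions; substitute your own.

```pf
# Added example, not from the thread or from pfSense's generated config.
# Assumed names: em1 is the LAN interface, 192.168.1.0/24 is the LAN subnet.
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# Catch DNS (TCP and UDP, port 53) from LAN hosts that is aimed at any
# resolver other than the firewall itself and hand it to the local
# resolver on 127.0.0.1. "! ($lan_if)" excludes queries already sent to
# the firewall's own LAN address, so those are left untouched.
rdr on $lan_if proto { tcp, udp } from $lan_net to ! ($lan_if) port 53 -> 127.0.0.1 port 53

# Redirection happens before filtering, so the pass rule must match the
# translated destination (127.0.0.1). The pfSense GUI creates this for you
# as the port forward's "associated filter rule".
pass in quick on $lan_if proto { tcp, udp } from $lan_net to 127.0.0.1 port 53 keep state
```

Two things worth knowing before relying on it. First, once this is in place the order of the DNS list on the Windows boxes stops mattering for plain DNS: a query that falls through to OpenDNS is answered by the local resolver anyway, and the client believes OpenDNS replied. Second, the rule only sees port 53, so anything using DNS over TLS (853) or DNS over HTTPS (443) walks straight past it; check Diagnostics > States or the resolver log on the pfSense box rather than trusting an nslookup from a client, which will look identical either way.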
      johnpoz (LAYER 8 Global Moderator)

          If you don't want them going to opendns - why did you put it in their list?? Makes no sense??

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

      Paul47

            Good question. Since my pfsense box is "in development" and it is being placed in a system that is in production, and since I am not always there to take care of things, I wanted the ability for my users to simply remove the pfsense box by pulling the cables from it - with at most a little help over the phone - and still be able to operate. (And no, I do not want to be able to log in to and fiddle with the system remotely, due to security risks.) So opendns being listed there is a backup provision.

            In other words, the pfsense box did not replace the old Cisco router in this system, but was simply added in front of it. It can be pulled out again if needed.

      johnpoz (LAYER 8 Global Moderator)

              Ok - again, why did you put it in their list.. If you're going to pull pfsense out of the path if something fails, then they would have to be either changing their gateway/network settings by hand or getting new settings via dhcp.


      Paul47

                They have static addresses.

                I know this is old-fashioned, but that's just me I suppose. I might have gone with dhcp if I had foreseen this difficulty. I still might. So it goes…

                Oh, as to changing that stuff by hand, that's just what I don't want my users doing. They are very much NOT computer people.

      johnpoz (LAYER 8 Global Moderator)

                  So how are they going to access the internet if you take pfsense out of the path if they are set up static.. You're saying you're using the same gateway IP? How are you doing that?


      Paul47

                    It originally was like this:

                    Modem --- Cisco router --- Windows boxes

                    It's now like this:

                    Modem --- pfsense box --- Cisco router --- Windows boxes

                    In the current setup the pfsense box gets its address from the modem, and the Cisco router gets its address from the pfsense box (dhcp, I mean). If I remove the pfsense box the Cisco router will just get its address from the modem. No changes either way in the Windows boxes.

      johnpoz (LAYER 8 Global Moderator)

                      So you're double NATting? What is pfsense buying you in this configuration other than an extra NAT and something more to config? That setup might be ok to verify pfsense gets an IP from your isp, etc. That should be like that all of 5 minutes, then you take your other router out of the picture.


      Paul47

                        I tried to figure out what is wrong with double NAT and still don't see it. Perhaps there would be a problem if I had a server or ran games, but I don't. I have a few old boxes running Windows XP that I am trying to keep alive.

                        To do what you suggest (the "clean" solution - I've already thought of it) I would first have to go out and buy a switch, which seems a little silly since I already have that on the Cisco router. Not only that. If I had to remove the pfsense box for whatever reason (it's in development after all) it would require my users to dig out the old router and re-cable it, a lot more difficult than moving a single cable as in the current setup. That's assuming they don't just cable the switch to the modem, leaving the network with no firewall at all!

                        So the "clean" solution is actually substandard at the moment. After I get up to speed on pfsense and have some confidence in the configuration, hardware, etc. then I may go ahead and change over.

                        I brought pfsense in because I wanted to learn it, and because my old crappy network needs a security boost.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.