Netgate Discussion Forum

    PFSense DNS Open Relay?

    DHCP and DNS
    7 Posts 4 Posters 2.6k Views
    jcalvert

      We just had a scan done by our provider and it is reporting that what appear to be the pfSenses on our network are acting as a DNS open relay?

      I do not have any DNS services running; I am only using the DNS servers assigned by our provider in the General Setup and in the OPT1 subnet DHCP settings.

      Any ideas?

      Thanks,

      cmb

        Open resolver, yes, if you have the DNS forwarder on. Disable it if you don't use it, or if you do, make sure your firewall rules only allow your trusted networks to resolve via it.

        stan-qaz

          I'm looking at this page: pfsense/services_dnsmasq.php in my v2.1 pfSense.

          It looks like I need the DNS forwarder for my LAN since I want to resolve local names from both DHCP assignments and host overrides on my local systems.

          In the section below I have "LAN" and "Localhost" selected.

          Interface IPs used by the DNS Forwarder for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

          Then in the section below I have "Strict Interface Binding" checked.

          If this option is set, the DNS forwarder will only bind to the interfaces containing the IP addresses selected above, rather than binding to all interfaces and discarding queries to other addresses.

          I thought this would make the internal DNS server invisible to the outside world. If it isn't doing that I need to figure out how to set up firewall rules that will hide the internal DNS server from the WAN interface without messing up pfSense's access to the configured external DNS servers or keeping me from setting and using a different DNS on a couple of my test machines on my LAN.

          cmb

            As long as you don't have firewall rules on WAN permitting DNS traffic to any of the IPs where you have the DNS forwarder listening, you're fine. You can test here: http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl

            kejianshi
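            An added example, not code from this thread or from pfSense, of what the linked open-resolver checkers do: it sends one recursive A query to an address you control and reads the reply header flags. The constructed sample replies at the bottom let the classifier run offline; `probe` only answers the question asked here when run from outside your network against your own WAN address.

```python
import socket
import struct
from typing import Optional

QTYPE_A = 1

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query (RD=1), the same packet `dig @wan-ip name` sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, 1)

def classify_reply(reply: Optional[bytes]) -> str:
    """Map a raw reply (None = timeout) to "open", "refused", "closed" or "other".

    An open resolver sets RA (recursion available) and answers for a name it is
    not authoritative for. REFUSED (rcode 5) means the forwarder heard the query
    but would not recurse; no reply at all means the firewall dropped it.
    """
    if reply is None:
        return "closed"
    if len(reply) < 12:
        return "other"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    qr, ra, rcode = (flags >> 15) & 1, (flags >> 7) & 1, flags & 0xF
    if not qr:
        return "other"
    if rcode == 5:
        return "refused"
    if rcode == 0 and ra and ancount > 0:
        return "open"
    return "other"

def probe(server_ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one query from outside to the address under test (your own WAN IP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            reply = None
    return classify_reply(reply)

# Constructed sample replies for offline use (not captured from any real host):
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA, rcode 0, 1 answer
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD, rcode 5 REFUSED
```

With strict interface binding on LAN/localhost and no WAN rule passing port 53, the expected result from outside is "closed"; "refused" means the forwarder is reachable but declining recursion, and "open" is the finding the provider's scan reported.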

              8.8.8.8 is open.

              I am closed. Well, that's a plus.

              stan-qaz

                I didn't have any luck getting results back from that test so I tried Google and found one that worked for me.

                http://www.thinkbroadband.com/tools/dnscheck.html

                Thanks!

                kejianshi

                  Success! We detected your IP address as 198.81.129.107 and did not find an open DNS resolver running.

                  That one is good too (-:

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.