Prevent external queries to dns

Category: DHCP and DNS
rbutler:

I am trying to find a way to prevent my pfSense firewall from replying to DNS queries on the WAN interface. I added a rule to block port 53 UDP/TCP on the WAN interface, but it still answers. Any advice would be helpful.

ptt (Rebel Alliance):

Are you sure? How have you checked/determined that?

Can you attach a screenshot of your WAN FW rules?

mendilli:

If you just want your clients to use only the DNS servers specified in pfSense:
in System -> General, uncheck (disable) the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option, and that is it.

ptt (Rebel Alliance):

@mendilli:

If you just want your clients to use only the DNS servers specified in pfSense:
in System -> General, uncheck (disable) the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option, and that is it.

Are you sure about that?

How will the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option prevent the FW from answering DNS queries on the WAN interface?

@rbutler:

I am trying to find a way to prevent my pfSense firewall from replying to DNS queries on the WAN interface. I added a rule to block port 53 UDP/TCP on the WAN interface, but it still answers. Any advice would be helpful.

rbutler:

Thanks for the reply. This is not for clients on my LAN network but for computers on the internet. If someone does a DNS query using the IP of the pfSense WAN interface as the DNS server, they get a response. I want to prevent this. I have attached a screenshot of the WAN firewall rule I created to block requests to port 53.


rbutler:

@ptt:

Are you sure? How have you checked/determined that?

Can you attach a screenshot of your WAN FW rules?

Here is a screenshot of the firewall rules for the WAN interface.


ptt (Rebel Alliance):

How are you checking/testing?

What is the purpose of the "total bandwith up/down" rule?

rbutler:

@ptt:

How are you checking/testing?

What is the purpose of the "total bandwith up/down" rule?

When off site at home, I do an nslookup querying the pfSense WAN interface and get a reply.

rbutler:

@ptt:

How are you checking/testing?

What is the purpose of the "total bandwith up/down" rule?

It was used for a bandwidth limiter, but it is currently not used.

ptt (Rebel Alliance):

Your "Block" rule is wrong...

The Source port should be "Any", not 53... Only the "Dest" port should be 53 :)

Also, the "total bandwith up/down" rule allows traffic from "Any" to "Any"... get rid of that rule ;)

rbutler:

@ptt:

Your "Block" rule is wrong...

The Source port should be "Any", not 53... Only the "Dest" port should be 53 :)

Also, the "total bandwith up/down" rule allows traffic from "Any" to "Any"... get rid of that rule ;)

Thanks for the response. I did change the source port to any and removed the bandwidth up/down rule. The up/down rule was there to provide a rule for a limiter (which I guess I do not have configured correctly). Once I removed the bandwidth up/down rule, DNS responses were blocked correctly on the WAN interface, and I don't need the port 53 rule; this was a total meatware problem. :o

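The two mistakes in this thread (an any/any pass rule sitting above the block rule, and a block rule keyed on source port 53 instead of destination port 53) can be reproduced with a small first-match evaluator. This is an added example, not code from the thread or from pfSense; the rule sets, the query packet and the `evaluate` helper are constructed here to mimic pfSense's top-to-bottom, first-match rule processing with the WAN interface's implicit default deny at the end.

```python
# Added example, not from the thread: a toy first-match evaluator that mimics how
# pfSense walks an interface's rule list top to bottom and applies the first
# matching rule, ending in the WAN interface's implicit default deny.
# Rule sets and the packet below are constructed sample data.

DEFAULT_DENY = ("block", "default deny")


def evaluate(rules, pkt):
    """Return (action, description) of the first rule matching pkt."""
    for rule in rules:
        if all(rule.get(key, "any") in ("any", pkt[key])
               for key in ("proto", "src_port", "dst_port")):
            return rule["action"], rule["descr"]
    return DEFAULT_DENY


# An inbound DNS query as it arrives on WAN: the client picks an ephemeral
# source port; only the destination port is 53.
DNS_QUERY = {"proto": "udp", "src_port": 51234, "dst_port": 53}

# Rule set as the original poster had it: a leftover any/any pass rule from a
# limiter experiment sits above a block rule keyed on SOURCE port 53.
BROKEN_RULES = [
    {"action": "pass", "proto": "any", "src_port": "any", "dst_port": "any",
     "descr": "total bandwith up/down"},
    {"action": "block", "proto": "udp", "src_port": 53, "dst_port": "any",
     "descr": "block dns (keyed on source port)"},
]

# The mis-keyed block rule alone: it still never matches a query, but once the
# any/any rule is gone the default deny drops the packet anyway.
ONLY_MISKEYED_BLOCK = BROKEN_RULES[1:]

# Block rule as ptt described it: source port any, destination port 53.
FIXED_RULES = [
    {"action": "block", "proto": "udp", "src_port": "any", "dst_port": 53,
     "descr": "block dns"},
]


def check_all():
    """Return the verdict the WAN rule set gives the query, per rule set."""
    return {
        "broken": evaluate(BROKEN_RULES, DNS_QUERY),
        "miskeyed_only": evaluate(ONLY_MISKEYED_BLOCK, DNS_QUERY),
        "fixed": evaluate(FIXED_RULES, DNS_QUERY),
    }


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:14s} -> {result}")
```

Running it shows the query passing under the original rule set, being dropped by default deny once the any/any rule is gone, and being matched by the corrected destination-port rule.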
© 2021 Rubicon Communications, LLC