Prevent external queries to dns



  • I am trying to find a way to prevent my pfSense firewall from replying to DNS queries on the WAN interface. I added a rule to block port 53 UDP/TCP on the WAN interface but it still answers. Any advice would be helpful.


  • Rebel Alliance

    Are you sure? How have you checked/determined that?

    Can you attach a screenshot of your WAN FW rules?



  • If you just want your clients to use only the DNS servers specified in pfSense:
    in the System -> General tab, uncheck (disable) the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option, and that is it.


  • Rebel Alliance

    @mendilli:

    If you just want your clients to use only the DNS servers specified in pfSense:
    in the System -> General tab, uncheck (disable) the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option, and that is it.

    Are you sure about that?

    How will the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option prevent the FW from answering DNS queries on the WAN interface?

    @rbutler:

    I am trying to find a way to prevent my pfSense firewall from replying to DNS queries on the WAN interface. I added a rule to block port 53 UDP/TCP on the WAN interface but it still answers. Any advice would be helpful.



  • Thanks for the reply. This is not for clients on my LAN network but for computers on the Internet. If someone does a DNS query using the IP of the WAN interface of pfSense as the DNS server, they get a response. I want to prevent this. I have attached a screenshot of the WAN firewall rule I created to block requests to port 53.




  • @ptt:

    Are you sure? How have you checked/determined that?

    Can you attach a screenshot of your WAN FW rules?

    Here is a screenshot of the firewall rules for the WAN interface.



  • Rebel Alliance

    How are you checking/testing?

    What is the purpose of the "total bandwith up/down" rule?



  • @ptt:

    How are you checking/testing?

    What is the purpose of the "total bandwith up/down" rule?

    When off site at home, I do an nslookup querying the pfSense WAN interface and get a reply.



  • @ptt:

    How are you checking/testing?

    What is the purpose of the "total bandwith up/down" rule?

    It was used for a bandwidth limiter, but it is currently not used.


  • Rebel Alliance

    Your "Block" rule is wrong…

    The Source port should be "Any", not 53... Only the "Dest" port should be 53 :)

    Also, the "total bandwith up/down" rule allows traffic from "Any" to "Any"... Get rid of that rule ;)
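To make the two mistakes above concrete, here is an added example (not from the thread or from pfSense itself): a toy first-match evaluator for WAN rules, fed a constructed inbound DNS query. Rule names, the packet and the `Rule`/`Packet` classes are my own assumptions; real pfSense rules have many more fields.

```python
# Added example: toy first-match rule evaluator in the style of pfSense WAN rules.
# Shows why a block rule keyed on SOURCE port 53 never matches an inbound DNS
# query, while an any/any allow rule does, and why default deny alone suffices.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard for a port field


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "pass" or "block"
    proto: str                     # "udp", "tcp" or "any"
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and self.src_port in (ANY, pkt.src_port)
                and self.dst_port in (ANY, pkt.dst_port))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Interface rules are evaluated top-down, first match wins; no match means
    the implicit default deny applies. Returns (action, matching rule name)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "default deny"


# Constructed sample: a DNS query from an Internet host hitting the WAN address.
# Clients use an ephemeral source port; only the destination port is 53.
DNS_QUERY = Packet("udp", 51234, 53)

# Ruleset as described in the thread: block keyed on source port 53, then any/any pass.
ORIGINAL_RULES = [
    Rule("block dns (src port 53, wrong)", "block", "udp", src_port=53),
    Rule("total bandwidth up/down", "pass", "any"),
]
# Corrected ruleset: block keyed on destination port 53, any/any rule removed.
FIXED_RULES = [Rule("block dns (dst port 53)", "block", "udp", dst_port=53)]
```

With `ORIGINAL_RULES` the query sails past the block rule and is passed by the any/any rule; with `FIXED_RULES`, or with no rules at all, it is blocked.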



  • @ptt:

    Your "Block" rule is wrong…

    The Source port should be "Any", not 53... Only the "Dest" port should be 53 :)

    Also, the "total bandwith up/down" rule allows traffic from "Any" to "Any"... Get rid of that rule ;)

    Thanks for the response. I did change the source port to any and removed the bandwidth up/down rule. The up/down rule was to provide a rule for a limiter (which I guess I do not have configured correctly). Once I removed the bandwidth up/down rule, DNS responses were blocked correctly on the WAN interface, and I don't need the port 53 rule; this was a total meatware problem. :o

