Prevent external queries to dns
-
I am trying to find a way to prevent my pfsense firewall from replying to dns queries on the wan interface. I added a rule to block port 53 udp/tcp on the wan interface but it still answers. any advice would be helpful
-
Are you sure ? How you have checked/determined that ?
Can you attach a screenshot of your WAN FW rules
-
if you just want your clients to use only your dns servers specified in pfsense;
in system->general tab uncheck(disable) "Allow DNS server list to be overridden by DHCP/PPP on WAN" option and that is it
-
if you just want your clients to use only your dns servers specified in pfsense;
in system->general tab uncheck(disable) "Allow DNS server list to be overridden by DHCP/PPP on WAN" option and that is itAre you sure about that ?
How the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option will prevent the FW to answer DNS queries on the WAN interface ?
I am trying to find a way to prevent my pfsense firewall from replying to dns queries on the wan interface. I added a rule to block port 53 udp/tcp on the wan interface but it still answers. any advice would be helpful
-
Thanks for the reply. this is not for clients on my lan network but is for computers on the internet. If someone does a dns query using the ip of the wan interface of pfsense as the dns server they get a response. I want to prevent this. I have attached a screenshot of the wan firewall rule I created to block request to port 53.
-
@ptt:
Are you sure ? How you have checked/determined that ?
Can you attach a screenshot of your WAN FW rules
here is a screenshot of the firewall rules for the wan interface
-
How are you checking/testing ?
What is the purpose of the "total bandwith up/down" Rule ?
-
@ptt:
How are you checking/testing ?
What is the purpose of the "total bandwith up/down" Rule ?
when off site at home I do an nslookup querying the pfsense wan interface and get a reply.
-
@ptt:
How are you checking/testing ?
What is the purpose of the "total bandwith up/down" Rule ?
it was used for bandwidth limiter but it currently not used.
-
Your "Block" rule is wrong….
The Source port should be "Any" not 53... Only the "Dest" port should be 53 :)
Also, the "total bandwith up/down" Rule, allows traffic from "Any" to "Any".... get rid of that rule ;)
-
@ptt:
Your "Block" rule is wrong….
The Source port should be "Any" not 53... Only the "Dest" port should be 53 :)
Also, the "total bandwith up/down" Rule, allows traffic from "Any" to "Any".... get rid of that rule ;)
thanks for the response. I did change the source port to any and removed the bandwith up down rule. the up/down rule was to provide a rule for a limiter ( which I guess I do not have configured correctly). Once I removed the bandwith up/down rule dns responses were blocked correctly on the wan interface and I don't need the port 53 rule this was a total meatware problem. :o
