DNS Forwarder packets not sent through firewall



  • My setup is a pfSense installation with one wan interface and one lan interface, as pfSense routing public ip addresses from virtual machines to internet. So both my wan and lan interfaces got public ip addresses. I were allowing whole ipv4 :D. Today I saw about 4 Mbps traffic inbound on my pfSense wan interface being constant. So i watched on ntop and that was dns request being sent from my wan ip to some public dns server set on pfSense. So I came with a basic rule blocking udp from my wan ip to any ip and port 53, to figure out after. But it didn't work! (I put this rule second, above all allowing rules) Thats a simple rule. I figured that this was from DNS Forwarder service in pfSense. I think packets sent from DNS Forwarder not being sent through firewall. Am I right? I disabled the DNS Forwarder and the traffic is gone. I found that someone was flooding dns request to one of my virtual machines. And now im making some ingress filtering to allow only desired traffic to get into my subnet.

    So the question was: Are packets sent from DNS Forwarder not being sent through firewall? So they couldn't be filtered through firewall.

    Thanks.


  • Rebel Alliance Global Moderator

    traffic from pfsense itself would be outbound traffic… traffic is filtered inbound to interfaces as you looking into pfsense.



  • DNS Forwarder listens on all interfaces by default. If you had your WAN open to the whole world, then the world can use your DNS Forwarder to do DNS - it is an open DNS resolver. You will be hit by DDoS attacks that make use of your DNS to flood answers to queries back to poor sods who are also being attacked.
    On WAN you must ONLY put pass rules to allow exactly the traffic you need to allow in to your network (e.g. port 80/443 to your public server…). Let pfSense block every else (and log it if you wish). Otherwise, the world WILL attempt to mess with everything on your network.


  • Rebel Alliance Global Moderator

    ^ agreed..

    You can also pick which interfaces your dns forwarder listens on.  If your wanting to listen on ipv6 on the lan side seems you can not use this feature..  But if your not needing ipv6 dns forwarder services you can limit your forwarder to even only listen on your lan side interfaces.