Open DNS Resolver



  • Hello

    I have pfSense installed on my router. Today my internet provider sent an email and said my router is an open DNS resolver.

    I ran a test on this page: http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl and it appears OPEN.

    My router ip is 188.240.1.1

    How can I close it? What settings need to be changed in pfSense?



  • What pass rules do you have on WAN?
    There would only be a problem if you have rules that allow access to DNS on WAN (port 53).
    WAN should only have the very minimum pass rules to allow remote access to services you really intend to provide to users on the internet (like a web server, or VPN "road warrior" server…).


  • LAYER 8 Global Moderator

    Yeah, out of the box pfSense DNS is not open to the internet, and it really should never be when running dnsmasq (the default DNS resolver).

    Since you posted your IP: yup, I can validate that IP is allowing recursion from the internet.

    dig @yourpostedIP www.google.com

    ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> @yourpostedIP www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35490
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A

    ;; ANSWER SECTION:
    www.google.com.        299    IN      A      173.194.116.146
    www.google.com.        299    IN      A      173.194.116.147
    www.google.com.        299    IN      A      173.194.116.145
    www.google.com.        299    IN      A      173.194.116.144
    www.google.com.        299    IN      A      173.194.116.148

    ;; Query time: 261 msec
    ;; SERVER: yourpostedIP#53(yourpostedIP)
    ;; WHEN: Tue Apr 08 14:48:03 EDT 2014
    ;; MSG SIZE  rcvd: 123

    So you must have added a firewall rule to allow traffic on port 53 (udp/tcp) to your pfSense IP, or set up a forward. In this day and age, with DNS being used for amplification attacks – not good!!

    Post your WAN rules. Again, by default ALL unsolicited traffic would be blocked.

    Example: see my WAN rules, attached. See where I allow ICMP, so testing from the same outside box that I tested yours from, I can ping my public IP from the internet:

    ping myfqdn
    PING myfqdn (24.13.xx.xx) 56(84) bytes of data.
    64 bytes from c-24-13-xx-xx.hsd1.il.comcast.net (24.13.xx.xx): icmp_seq=1 ttl=51 time=85.0 ms
    64 bytes from c-24-13-xx-xx.hsd1.il.comcast.net (24.13.xx.xx): icmp_seq=2 ttl=51 time=81.4 ms

    But DNS just fails:

    dig @myfqdn www.google.com

    ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> @myfqdn www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
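
    The same check the dig commands above perform, as an added example (not code from this thread or from pfSense): it builds a minimal A-record query with the RD bit set, parses the response header, and reports whether the server returned a recursive answer (QR and RA set, NOERROR, at least one answer record, as in the first dig output) or did not reply at all (the "connection timed out" case). The sample response bytes in the block are constructed by hand so the parsing can be exercised offline; the target IP on the command line is assumed to be your own WAN address.

```python
"""Classify a DNS server as an open recursive resolver from its reply.

Added example, not part of the forum thread. Run with your own WAN IP as the
only argument to send one real UDP query; run with no argument for an offline
demo on constructed sample responses.
"""
import socket
import struct
import sys
from typing import Optional

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Wire-format query for an A record with RD=1 (please recurse)."""
    # Header: id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the flags dig prints."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & 0x8000),   # this is a response
        "rd": bool(flags & 0x0100),   # recursion was requested
        "ra": bool(flags & 0x0080),   # server offers recursion
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(resp: Optional[bytes]) -> str:
    """'open' = recursive answer given; 'no_recursion' = replied without one;
    'unreachable' = no reply, which is what a blocking WAN rule produces."""
    if resp is None:
        return "unreachable"
    h = parse_header(resp)
    if h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"
    return "no_recursion"


def probe(server_ip: str, name: str = "www.google.com", timeout: float = 3.0) -> Optional[bytes]:
    """Send one query over UDP/53 and return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return data


# Constructed samples (question section reused from build_query, no answer bodies):
# flags 0x8180 = QR|RD|RA, NOERROR, 5 answers -> what the moderator saw on the OP's IP
OPEN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 5, 0, 1) + build_query("www.google.com")[12:]
# flags 0x8105 = QR|RD, RA clear, RCODE 5 (REFUSED), no answers
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + build_query("www.google.com")[12:]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(f"{target}: {classify(probe(target))}")
    else:
        for label, sample in (("open sample", OPEN_RESPONSE),
                              ("refused sample", REFUSED_RESPONSE),
                              ("timeout sample", None)):
            print(f"{label}: {classify(sample)}")
```

    A result of "unreachable" from outside your network is the expected state for a pfSense box with default WAN rules; "open" means port 53 is reachable and recursion is being served, which is the condition the ISP letter complains about.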




  • Lots of bad information in the forum about this.  Normal expectations do not apply.

    If the DNS forwarder is enabled, it DOES open the external interfaces to DNS. It does NOT require a pass rule. It DOES require a block rule to stop it. If you don't put a block rule in, expect to get a letter once you've been hit.

    There must be a hidden rule. This is specifically on the 2.0.1 - 2.0.3 versions. I don't know specifically about the 2.1.x versions.

    2.1.x is not reliable enough for production work with regards to apinger and OpenVPN.



  • @Brutal:

    Lots of bad information in the forum about this.  Normal expectations do not apply.

    If the DNS forwarder is enabled, it DOES open the external interfaces to DNS. It does NOT require a pass rule. It DOES require a block rule to stop it. If you don't put a block rule in, expect to get a letter once you've been hit.

    There must be a hidden rule. This is specifically on the 2.0.1 - 2.0.3 versions. I don't know specifically about the 2.1.x versions.

    2.1.x is not reliable enough for production work with regards to apinger and OpenVPN.

    I have a very hard time believing what you're saying here. Could you demonstrate the case with, for example, firewall rules that log the leaking traffic, and show the logs here?


  • LAYER 8 Global Moderator

    "if DNS forwarder is enabled, it DOES open the external interfaces to DNS. "

    Sorry, but that is just BS – plain and simple. While the forwarder does listen on all interfaces, there is no rule to allow the traffic, plain and simple. Look at the freaking rules.

    https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset



    The only way I can think of the supposed leak happening is if the DNS Forwarder used the same UDP port 53 for sending queries as well as for listening for incoming connections. However, in dnsmasq, which is the DNS Forwarder used, the default is to send queries from an unprivileged high-numbered UDP port.

    I'd still like to see some hard data in the form of rules and log entries; otherwise the only conclusion is that we are talking about a PEBKAC.



    I took the trouble of trying to recreate the problem. I set up a VirtualBox VM using pfSense version 2.1.3 i386. Everything is at default settings, and that means the dnsmasq DNS Forwarder is listening on the WAN interface. In the VM the WAN interface has the address 10.71.14.36/24 (from my own DHCP server) and the LAN side of pfSense is set to 192.168.1.1/24. The last log entry that I inspected is the result of trying to query the 10.71.14.36 address from another machine on my LAN. The query was a simple 'drill @10.71.14.36' command.

    As you can see, pfSense does the correct thing and the query is caught by the default block rule. Note that I had to unset the "block private networks on WAN" setting to create a valid test, without that the private networks rule would have caught the query.

    ![Screen Shot 2014-06-16 at 8.34.08.png](/public/imported_attachments/1/Screen Shot 2014-06-16 at 8.34.08.png)



  • Same thing with 2.0.3. It's starting to look pretty bad for your claims that having the DNS Forwarder listening on WAN somehow magically opens a hole in the firewall.

    ![Screen Shot 2014-06-16 at 9.28.20.png](/public/imported_attachments/1/Screen Shot 2014-06-16 at 9.28.20.png)

