Many outbound DNS queries to other DNS servers in my states table
I've been having some weird things happen on my PFSense box in the last day or so and I noticed the number of states jump from 100-200 (where it sits idle normally) to 500-600 randomly.
Checking the states table and filtering by :53 shows a huge amount of outbound DNS queries to IPs that definitely aren't my ISP's.
As an example these states look like this: (sometimes there are hundreds of these)
"MY WAN/PPPOE static IP":58304 -> 188.8.131.52:53 MULTIPLE:SINGLE
"MY WAN/PPPOE static IP":18155 -> 184.108.40.206:53 MULTIPLE:SINGLE
Am I wrong in thinking that I would only expect to see DNS (53) to my two ISP DNS servers?
Are you using resolver or the forwarder? Do you allow outbound 53 from clients behind pfsense?
I don't use the forwarder but DNS Resolver seems to be turned on, is this on by default?
Yes, I allow outbound port 53 for clients.
Well, a resolver doesn't ask your ISP DNS for anything (unless it was authoritative for some domain you're looking for). It directly finds from the roots the authoritative name servers for whatever you're looking up and then goes and asks them for the records you're looking for. So yeah, with use of a resolver vs a forwarder you're going to see queries to DNS from all over the planet.
You could have clients behind pfSense that are running software that queries specific DNS servers, or devices that do. For some strange reason some makers like to hard code specific name servers into their software/devices. Or you could have users that manually changed their DNS to something else, etc.
C:>dig pfsense.org +trace
; <<>> DiG 9.10.2-P2 <<>> pfsense.org +trace
;; global options: +cmd
. 83385 IN NS d.root-servers.net.
. 83385 IN NS i.root-servers.net.
. 83385 IN NS k.root-servers.net.
. 83385 IN NS g.root-servers.net.
. 83385 IN NS f.root-servers.net.
. 83385 IN NS m.root-servers.net.
. 83385 IN NS b.root-servers.net.
. 83385 IN NS l.root-servers.net.
. 83385 IN NS h.root-servers.net.
. 83385 IN NS a.root-servers.net.
. 83385 IN NS e.root-servers.net.
. 83385 IN NS c.root-servers.net.
. 83385 IN NS j.root-servers.net.
;; Received 397 bytes from 192.168.9.253#53(192.168.9.253) in 3 ms
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
;; Received 685 bytes from 220.127.116.11#53(l.root-servers.net) in 11 ms
pfsense.org. 86400 IN NS ns3.pfmechanics.com.
pfsense.org. 86400 IN NS ns2.pfmechanics.com.
pfsense.org. 86400 IN NS ns1.pfmechanics.com.
;; Received 602 bytes from 18.104.22.168#53(c0.org.afilias-nst.info) in 171 ms
pfsense.org. 3600 IN A 22.214.171.124
pfsense.org. 3600 IN NS ns3.pfmechanics.com.
pfsense.org. 3600 IN NS ns1.pfmechanics.com.
pfsense.org. 3600 IN NS ns2.pfmechanics.com.
;; Received 173 bytes from 126.96.36.199#53(ns2.pfmechanics.com) in 34 ms
I snipped out the DNSSEC stuff to make that a bit cleaner looking, but see all the name servers that were queried in the bolded lines; that is how a resolver would find the pfsense.org record. Other than that first one, which had to query my name server for the . root servers (the resolver in pfSense, unbound, has a root hints file and would not have to query for those), all the others it would query.
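The reply above gives two explanations for port-53 states to unfamiliar IPs: unbound recursing on the firewall's behalf (expected with the DNS Resolver) and LAN clients going to outside name servers directly (hard-coded or manually changed DNS). The script below is an added example, not from the thread, that sorts states-table lines into those buckets; it assumes a WAN IP of 203.0.113.7, a LAN of 192.168.9.0/24, and constructed state lines in the same shape as the ones in the first post.

```python
import ipaddress
import re
from collections import Counter

WAN_IP = "203.0.113.7"                            # assumed WAN/PPPoE static IP
LAN_NET = ipaddress.ip_network("192.168.9.0/24")  # assumed LAN subnet

# Constructed sample lines in the shape the states table shows (not real data).
SAMPLE_STATES = """\
203.0.113.7:58304 -> 198.51.100.53:53 MULTIPLE:SINGLE
203.0.113.7:18155 -> 198.51.100.54:53 MULTIPLE:SINGLE
192.168.9.42:51234 -> 192.0.2.10:53 MULTIPLE:SINGLE
192.168.9.42:51235 -> 192.0.2.10:53 MULTIPLE:SINGLE
192.168.9.80:4400 -> 192.168.9.253:53 MULTIPLE:SINGLE
203.0.113.7:44122 -> 198.51.100.80:443 MULTIPLE:MULTIPLE
"""

STATE_RE = re.compile(r"^(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")

def classify(line, wan_ip=WAN_IP, lan_net=LAN_NET):
    """Label one state line by who is asking whom on port 53; None if not DNS."""
    m = STATE_RE.match(line.strip())
    if not m or m.group("dport") != "53":
        return None
    src, dst = ipaddress.ip_address(m.group("src")), ipaddress.ip_address(m.group("dst"))
    if str(src) == wan_ip:
        # The firewall itself asking an outside nameserver: unbound recursing
        # from the root hints down to the authoritative servers. Expected.
        return "resolver-recursion"
    if src in lan_net and dst in lan_net:
        return "client-to-local-resolver"   # the normal client path
    if src in lan_net:
        # A LAN host going to an outside nameserver itself: hard-coded or
        # manually changed DNS on that client. Worth a look.
        return "client-bypass"
    return "other"

def summarize(text, **kw):
    """Count each label and map bypassing LAN hosts to the servers they use."""
    counts, bypassers = Counter(), {}
    for line in text.splitlines():
        label = classify(line, **kw)
        if label is None:
            continue
        counts[label] += 1
        if label == "client-bypass":
            m = STATE_RE.match(line.strip())
            bypassers.setdefault(m.group("src"), set()).add(m.group("dst"))
    return dict(counts), bypassers
```

Paste the real states-table lines into SAMPLE_STATES (or read them from a file) and call summarize(); a non-empty bypassers map is the list of LAN hosts to check for their own DNS settings.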