Many outbound DNS queries to other DNS servers in my states table



  • I've been having some weird things happen on my PFSense box in the last day or so and I noticed the number of states jump from 100-200 (where it sits idle normally) to 500-600 randomly.

    Checking the states table and filtering by :53 shows a huge amount of outbound DNS queries to IPs that definitely aren't my ISP's.

    As an example these states look like this: (sometimes there are hundreds of these)

    "MY WAN/PPPOE static IP":58304 -> 192.5.6.30:53 MULTIPLE:SINGLE
    "MY WAN/PPPOE static IP":18155 -> 205.251.193.72:53 MULTIPLE:SINGLE

    Am I wrong in thinking that I would only expect to see DNS (53) to my two ISP DNS servers?


  • LAYER 8 Global Moderator

    Are you using resolver or the forwarder?  Do you allow outbound 53 from clients behind pfsense?



  • I don't use the forwarder but DNS Resolver seems to be turned on, is this on by default?

    Yes, I allow outbound port 53 for clients.


  • LAYER 8 Global Moderator

    Well, a resolver doesn't ask your ISP's DNS for anything (unless it was authoritative for some domain you're looking for). It directly finds from the roots the authoritative name servers for whatever you're looking up and then goes and asks them for the records you're looking for, so yeah, with a resolver instead of a forwarder you're going to see queries to DNS servers from all over the planet.

    You could have clients behind pfSense that are running software that queries specific DNS servers, or devices that do. For some strange reason some makers like to hard-code specific name servers into their software/devices. Or you could have users that manually changed their DNS to something else, etc.

    example

    C:>dig pfsense.org +trace

    ; <<>> DiG 9.10.2-P2 <<>> pfsense.org +trace
    ;; global options: +cmd
    .                      83385  IN      NS      d.root-servers.net.
    .                      83385  IN      NS      i.root-servers.net.
    .                      83385  IN      NS      k.root-servers.net.
    .                      83385  IN      NS      g.root-servers.net.
    .                      83385  IN      NS      f.root-servers.net.
    .                      83385  IN      NS      m.root-servers.net.
    .                      83385  IN      NS      b.root-servers.net.
    .                      83385  IN      NS      l.root-servers.net.
    .                      83385  IN      NS      h.root-servers.net.
    .                      83385  IN      NS      a.root-servers.net.
    .                      83385  IN      NS      e.root-servers.net.
    .                      83385  IN      NS      c.root-servers.net.
    .                      83385  IN      NS      j.root-servers.net.
    ;; Received 397 bytes from 192.168.9.253#53(192.168.9.253) in 3 ms
    org.                    172800  IN      NS      a0.org.afilias-nst.info.
    org.                    172800  IN      NS      a2.org.afilias-nst.info.
    org.                    172800  IN      NS      b0.org.afilias-nst.org.
    org.                    172800  IN      NS      b2.org.afilias-nst.org.
    org.                    172800  IN      NS      c0.org.afilias-nst.info.
    org.                    172800  IN      NS      d0.org.afilias-nst.org.
    ;; Received 685 bytes from 199.7.83.42#53(l.root-servers.net) in 11 ms

    pfsense.org.            86400  IN      NS      ns3.pfmechanics.com.
    pfsense.org.            86400  IN      NS      ns2.pfmechanics.com.
    pfsense.org.            86400  IN      NS      ns1.pfmechanics.com.
    ;; Received 602 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 171 ms

    pfsense.org.            3600    IN      A      208.123.73.69
    pfsense.org.            3600    IN      NS      ns3.pfmechanics.com.
    pfsense.org.            3600    IN      NS      ns1.pfmechanics.com.
    pfsense.org.            3600    IN      NS      ns2.pfmechanics.com.
    ;; Received 173 bytes from 162.208.119.38#53(ns2.pfmechanics.com) in 34 ms

    I snipped out the DNSSEC stuff to make that a bit cleaner looking, but see all the name servers that were queried in the bolded lines; that is how a resolver would find the pfsense.org record. Other than that first one, which had to query my name server for the . root servers. Whereas the resolver in pfSense, unbound, has a root hints file and would not have to query for those; all the others it would query.

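The moderator's two explanations above suggest a concrete check for the original poster's states table: DNS states sourced by the firewall's own WAN address with no NAT are the resolver walking from the roots (the first destination in the original post, 192.5.6.30, is a.gtld-servers.net, a .com/.net TLD server, exactly what a resolver contacts), while DNS states sourced by a LAN host and NATed out are a client talking to an outside server directly, which is what a hard-coded or manually changed DNS setting looks like when outbound 53 is allowed. The Python below is an added example, not code from the thread or from pfSense. The WAN address, LAN network and ISP DNS addresses are assumed placeholders, the sample rows are constructed in the shape of the post's examples, and the "LAN_IP:port (WAN_IP:port) -> dst:53" form for NATed states is an assumption about how the states page renders them.

```python
import ipaddress
import re
from collections import Counter

# Firewall-side facts: ASSUMED values for this example, not taken from the original post.
WAN_IP = ipaddress.ip_address("203.0.113.5")             # the box's own PPPoE/WAN address
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]      # networks behind pfSense
ISP_DNS = {ipaddress.ip_address("198.51.100.1"),         # the two ISP name servers
           ipaddress.ip_address("198.51.100.2")}

# Matches the address part of a state row. Two shapes are handled:
#   firewall-originated (no NAT):  WAN_IP:sport -> dst:53
#   NATed client traffic (assumed): LAN_IP:sport (WAN_IP:natport) -> dst:53
STATE_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
    r"(?:\s+\((?P<nat>\d{1,3}(?:\.\d{1,3}){3}):\d+\))?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def classify_state(line):
    """Return a label for one state row, or None if it is not a port-53 state."""
    m = STATE_RE.search(line)
    if not m or m.group("dport") != "53":
        return None
    src = ipaddress.ip_address(m.group("src"))
    dst = ipaddress.ip_address(m.group("dst"))
    if src == WAN_IP:
        # Sourced by the firewall itself with no NAT: Unbound in resolver mode
        # following referrals from the roots to authoritative servers. Expected.
        return "resolver"
    if any(src in net for net in LAN_NETS):
        # A host behind the firewall querying an outside DNS server directly,
        # which an allow-any-outbound-53 rule permits.
        return "client-to-isp" if dst in ISP_DNS else "client-bypass"
    return "other"


def summarize(lines):
    """Count DNS states per label; list distinct (src, dst) pairs that bypass the resolver."""
    counts = Counter()
    bypass = set()
    for line in lines:
        label = classify_state(line)
        if label is None:
            continue
        counts[label] += 1
        if label == "client-bypass":
            m = STATE_RE.search(line)
            bypass.add((m.group("src"), m.group("dst")))
    return counts, sorted(bypass)


# Constructed sample rows in the shape of the post's examples (WAN IP substituted).
SAMPLE_STATES = """\
udp 203.0.113.5:58304 -> 192.5.6.30:53 MULTIPLE:SINGLE
udp 203.0.113.5:18155 -> 205.251.193.72:53 MULTIPLE:SINGLE
udp 203.0.113.5:40122 -> 199.7.83.42:53 MULTIPLE:SINGLE
udp 192.168.1.23:51022 (203.0.113.5:51022) -> 8.8.8.8:53 MULTIPLE:SINGLE
udp 192.168.1.23:51023 (203.0.113.5:51023) -> 8.8.8.8:53 MULTIPLE:SINGLE
udp 192.168.1.40:60211 (203.0.113.5:60211) -> 198.51.100.1:53 MULTIPLE:SINGLE
tcp 192.168.1.50:44321 (203.0.113.5:44321) -> 93.184.216.34:443 ESTABLISHED:ESTABLISHED
""".splitlines()

if __name__ == "__main__":
    counts, bypass = summarize(SAMPLE_STATES)
    for label, n in sorted(counts.items()):
        print(f"{label:14} {n}")
    for src, dst in bypass:
        print(f"check host {src}: it queries {dst} directly instead of the firewall")
```

Paste the rows from Diagnostics > States (filtered on :53) into `SAMPLE_STATES` and set the three constants for your own network. A large "resolver" count is the normal cost of running Unbound as a resolver; anything under "client-bypass" is a host worth looking at, and it is also the traffic a rule restricting outbound 53 to the firewall itself would stop.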
