Firewall rule to block DNS queries to external DNS servers.
-
Hello all, I am trying to create a firewall rule on the LAN to block DNS queries to external DNS servers except those DNS queries originating from DNS server (192.168.168.1).
So far I have attempted to create a rule of
Block TCP/UDP if source IP is not 192.168.168.1 to ANY destination IP using destination port DNS-DNS
The rule doesn't work as I expect, and queries from the DNS server (192.168.168.1) are blocked. What am I doing wrong? Any direction on creating this rule?
On a side note this is the only rule I've implemented.
-
Made a small mistake
block UDP lan net * !192.168.168.1 53 *
ipconfig /flushdns (From windows command prompt)
-
I'm a new user to pfSense so maybe I'm just missing something… Thanks for the suggestion. I modified the rule with no luck; all DNS packets are blocked from all hosts except those hosts using pfSense as their DNS server. ???
Below are the only rules visible via the WebGUI.
Firewall Rules - LAN
Proto | Source | Port | Destination | Port | Gateway | Sch. | Desc.
Block TCP/UDP | ! 192.168.254.245 | * | * | 53 (DNS) | * | ---- | DNS
Firewall Rules - WAN
Default RFC1918
Correct the logic, but if a packet reaches pfSense and is processed against the above LAN rule, the firewall should say: IF DNS query packet is NOT from 192.168.254.245, BLOCK! If it matters any, which it shouldn't because DNS is DNS, 192.168.254.245 is a Windows Server 2003 host.
-
If I apply your rule on LAN2/LAN3 it works right away.
On LAN the behind-the-scenes rules take over. First make sure that you have the default LAN rule below your block rule so you can access the web GUI.
Go to System -> Advanced and tick "webGUI anti-lockout" and save.
Then I had to reboot my LAN client. Now your rule should work. Though I can't toggle the rule on and off as I would wish; probably there is more to the behind-the-scenes rule than I know of.
-
Thank you for your help. I did a factory restore and it works as it should now. I'm not sure what happened to the config; the only thing I can think of is that deleting the Default LAN rule changed the logic of the firewall. ???
All is well now, thanks again. I'm really liking pfSense even better than IPCop!
-
Ok, the final resolution was to take the simple route out… After disabling the default LAN rule, which is ANY to ANY, DNS once again failed. Taking the simple route, I created a block-all-DNS rule and a single allow-DNS rule for the aforementioned IP address, and communications proceeded as expected.
Network layout
------------     --------------     -----------     -------
| Internet | === | ADSL modem | === | pfSense | ====== | LAN |
------------     --------------     -----------     -------
-
I used the following rules to block foreign DNS servers (192.168.1.1 is my DNS's IP):
Protocol: TCP/UDP  Source: *  Port: *  Dest: !192.168.1.1  Port: 53 (DNS)  Gateway: *  Description: block foreign DNS
Protocol: *  Source: LAN net  Port: *  Dest: *  Port: *  Description: Default LAN -> any
If any client queries a foreign host (for DNS on port 53) that differs from 192.168.1.1, we block it!
That's ok for me:)
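A toy first-match evaluator for the rule sets discussed in this thread, added here as an example and not code from any poster or from pfSense itself: it models the last post's rules with the 192.168.1.1 resolver on a constructed 192.168.1.0/24 LAN, and shows why the "block all DNS + allow one host" approach from the resolution post only works when the allow rule sits above the block (ordering and sample addresses are assumptions, not taken from the thread).

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str          # "block" or "pass"
    proto: str           # "tcp/udp", "udp", "tcp" or "*" (any)
    src: str             # CIDR, "*" (any), or "!CIDR" (pfSense's "not" checkbox)
    dst: str
    dport: "int | None"  # None means any destination port
    desc: str

def _match_addr(pattern: str, addr: str) -> bool:
    """'*' matches anything; a leading '!' negates the CIDR match."""
    if pattern == "*":
        return True
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(pattern.lstrip("!"), strict=False)
    return not hit if pattern.startswith("!") else hit

def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation as pfSense applies interface rules: the first matching
    rule decides; a packet no rule matches is dropped (default deny)."""
    for r in rules:
        if r.proto != "*" and proto not in r.proto.split("/"):
            continue
        if not (_match_addr(r.src, src) and _match_addr(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.desc
    return "block", "default deny"

LAN_NET = "192.168.1.0/24"     # constructed sample LAN
DNS_SERVER = "192.168.1.1/32"  # the local resolver named in the last post

# Last post's rule set: block port 53 to any host other than the local DNS, then the default allow.
FOREIGN_DNS_RULES = [
    Rule("block", "tcp/udp", "*", "!" + DNS_SERVER, 53, "block foreign DNS"),
    Rule("pass", "*", LAN_NET, "*", None, "Default LAN -> any"),
]
# "Block all DNS + allow one host" from the resolution post. With first-match evaluation the
# allow must sit above the block, otherwise the resolver's own outbound lookups are cut off.
WRONG_ORDER = [
    Rule("block", "tcp/udp", LAN_NET, "*", 53, "block all DNS"),
    Rule("pass", "tcp/udp", DNS_SERVER, "*", 53, "allow DNS server"),
    Rule("pass", "*", LAN_NET, "*", None, "Default LAN -> any"),
]
RIGHT_ORDER = [WRONG_ORDER[1], WRONG_ORDER[0], WRONG_ORDER[2]]
```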