Netgate Discussion Forum

Protecting DNS servers behind pfSense.

DHCP and DNS
14 Posts 4 Posters 1.8k Views
Joschide

Hello,
I've been using a Watchguard firewall appliance for some years. I've just made the switch to pfSense and so far I like the control and find the interface easy to use. I'm hosting 2 DNS servers behind the firewall. I have this configured and it's working. In Watchguard, I was able to add which DNS queries to allow through. For example, only allow DNS queries for my domains. I thought this was a good way to limit exposure. Is there a way to do this in pfSense?

Are there any other methods I should be using to protect my DNS servers further?

Thank you,
Joschi
chris4916

@Joschide:

For example, only allow DNS queries for my domains. I thought this was a good way to limit exposure. Is there a way to do this in pfSense?
Are there any other methods I should be using to protect my DNS servers further?

What do you mean when writing "exposure"?

DNS requests from the internet?

The DNS service offered by pfSense is not a true (real) DNS server. Either the resolver or the forwarder runs between your LAN and the internet and acts as a partial DNS service. These are not supposed to be accessed from the internet.

Jah Olela Wembo: Words turn into wounds when they unsettle, attack or hurt.
Joschide

@chris4916:

What do you mean when writing "exposure"?

I'm hosting 2 DNS servers. I only want to allow DNS queries from the internet to my DNS server if they are for mydomain.com or mydomain.net, etc…
chris4916

@Joschide:

I'm hosting 2 DNS servers. I only want to allow DNS queries from the internet to my DNS server if they are for mydomain.com or mydomain.net, etc…

This is usually done using "views", AKA split-DNS, which allows sending back a different answer to a DNS request depending on the requester's source. But it is not available with either the DNS Resolver or the Forwarder.
What's your DNS software?
Joschide

@chris4916:

What's your DNS software?

Currently, Windows Server DNS
chris4916

Oh! I realize that your question is not to prevent "exposure" but to only resolve the local domain for local clients, meaning your DNS is not exposed to the internet :-[
Am I correct?
Joschide

Yes, they are exposed to the internet. They are the SOA for my hosted domains :) Perhaps what I'm asking to do is not really necessary? I was able to do this in my Watchguard firewall. I assumed it was a good practice and wanted to do it with pfSense.
muswellhillbilly

Not really a pfSense question. But perhaps this might help.

https://technet.microsoft.com/en-us/library/cc786343%28v=ws.10%29.aspx
Joschide

@muswellhillbilly:

Not really a pfSense question. But perhaps this might help.

https://technet.microsoft.com/en-us/library/cc786343%28v=ws.10%29.aspx

Thank you for the link. I didn't know if it was possible in pfSense. It was easy enough in my old Watchguard firewall :)
johnpoz (LAYER 8 Global Moderator)

"For example, only allow DNS queries for my domains."

So you don't want to allow recursion, i.e. you are authoritative for domain.tld and you don't want people to ask you for google.com. That is configured in your DNS server. While it could be possible with an application firewall to inspect every DNS query and not send it to the name server if it is a recursive query for something other than your domain, that is not the design of pfSense.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11
Joschide

@johnpoz:

"For example, only allow DNS queries for my domains."

So you don't want to allow recursion, i.e. you are authoritative for domain.tld and you don't want people to ask you for google.com. That is configured in your DNS server. While it could be possible with an application firewall to inspect every DNS query and not send it to the name server if it is a recursive query for something other than your domain, that is not the design of pfSense.

Okay, thank you for your response.
chris4916

@Joschide:

Yes, they are exposed to the internet. They are the SOA for my hosted domains :) Perhaps what I'm asking to do is not really necessary? I was able to do this in my Watchguard firewall. I assumed it was a good practice and wanted to do it with pfSense.

I don't understand how a firewall could implement such a feature.
A FW can, obviously, control source and destination in terms of port and address, but can't do anything at the protocol level. The best you can do is to ensure that only requests on port 53 are allowed from the internet to your internal DNS server (assuming this server is on a DMZ or a specific network).
johnpoz (LAYER 8 Global Moderator)

You would need an application layer firewall that could look at the traffic and determine if it should be allowed. That is not the function of the pfSense firewall.

Watchguard has what they call application control
http://www.watchguard.com/solutions/business-need/application-control.asp

Which could allow you to do such a thing.

Watchguard also has a DNS proxy that he could have been using even inbound to his DNS that allows for limits on types of queries. Again, pfSense has no such feature.
http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/proxies/dns/dns_proxy_query_types_c.html
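The two johnpoz posts above make the same point: pfSense filters on addresses and ports only, so restricting inbound queries to the zones you host requires something that parses each DNS message (a DNS proxy or application-layer firewall), or simply turning recursion off on the authoritative server itself. As an added illustration that is not code from this thread, from pfSense or from Watchguard, the script below shows the decision such a DNS-aware filter has to make: decode the question section of a DNS query in wire format and allow it only when the QNAME falls inside a hosted zone. The zone names `mydomain.com` and `mydomain.net` are the placeholders the poster used, the sample packets are constructed in the script, and the `build_query` encoder exists only to produce that sample input.

```python
"""Decision logic for a DNS-aware inbound filter in front of an
authoritative server: allow a query only if it asks about a zone we host.
Added illustration; not a pfSense feature and not code from the thread.
"""
import struct

# Zones the authoritative server hosts (placeholder names from the thread).
AUTHORITATIVE_ZONES = ("mydomain.com", "mydomain.net")

RD_FLAG = 0x0100  # "recursion desired" bit in the DNS header flags


def build_query(qname, qtype=1, rd=True, txid=0x1234):
    """Encode a minimal DNS query (header + one question) in wire format.
    Only used here to construct sample input for the demo."""
    flags = RD_FLAG if rd else 0x0000          # QR=0 (query), OPCODE=0
    # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        encoded = label.encode("ascii")
        question += bytes([len(encoded)]) + encoded
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def parse_question(packet):
    """Decode the header flags and the first question of a DNS message.
    Returns (qname, qtype, rd); raises ValueError on malformed input so the
    caller can fail closed instead of guessing."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        if length & 0xC0:
            # Compression pointers are legal in answers, never needed in a
            # lone question; rejecting them keeps the parser simple and safe.
            raise ValueError("compression pointer in question name")
        pos += 1
        if length == 0:
            break
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels).lower(), qtype, bool(flags & RD_FLAG)


def in_zone(qname, zone):
    """True if qname is the zone apex or a name below it (not a lookalike)."""
    return qname == zone or qname.endswith("." + zone)


def decide(packet, zones=AUTHORITATIVE_ZONES):
    """Return ("allow" | "deny", reason) for one inbound query.
    Anything outside the hosted zones is denied whether or not RD is set,
    since an authoritative-only server has no business answering it."""
    try:
        qname, qtype, rd = parse_question(packet)
    except ValueError as exc:
        return "deny", f"malformed query: {exc}"
    if any(in_zone(qname, z) for z in zones):
        return "allow", f"{qname} (type {qtype}) is within a hosted zone"
    return "deny", f"{qname} is not in a hosted zone (RD={int(rd)})"


if __name__ == "__main__":
    # Constructed sample queries: two legitimate, one recursive for a foreign
    # name, one lookalike that merely ends in a hosted zone's label string.
    samples = [
        build_query("www.mydomain.com"),
        build_query("MyDomain.NET", qtype=2, rd=False),
        build_query("google.com"),
        build_query("mydomain.com.other.example"),
        b"\x12\x34",  # truncated garbage
    ]
    for pkt in samples:
        verdict, reason = decide(pkt)
        print(f"{verdict:5s}  {reason}")
```

The policy is deliberately stricter than "drop recursive queries": a query for a foreign name with RD clear is still pointless for an authoritative server, so it is denied too, and malformed packets fail closed. On Windows Server DNS, which the poster runs, the equivalent server-side control is to disable recursion (DNS Manager, server properties, Advanced tab, or `Set-DnsServerRecursion -Enable $false` from the DnsServer PowerShell module), after which the server returns REFUSED for names it is not authoritative for without any firewall involvement.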
Joschide

@johnpoz:

You would need an application layer firewall that could look at the traffic and determine if it should be allowed. That is not the function of the pfSense firewall.

Watchguard has what they call application control
http://www.watchguard.com/solutions/business-need/application-control.asp

Which could allow you to do such a thing.

Watchguard also has a DNS proxy that he could have been using even inbound to his DNS that allows for limits on types of queries. Again, pfSense has no such feature.
http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/proxies/dns/dns_proxy_query_types_c.html

Correct. Thank you johnpoz
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.