Resolver access lists: is at least one always needed?
-
Hi. In the docs it says this:
"When using specific interface bindings on the main tab, or when allowing queries across VPNs, Access Lists are needed to allow the clients to reach the DNS Resolver. Specific known-bad clients or networks could also be denied."
I take this to mean "if you are binding to specific interfaces, not "All", then you need access lists".
However, it appears you need to create access lists no matter what for it to respond. (If I don't create an access list, I get REFUSED.)
Am I just reading something wrong?
-
Local networks are added to the allow list by default.
-
Well. That is what I would have assumed too except it refused any attempt I made from both WAN and LAN sides of the firewall.
-
> Well. That is what I would have assumed too except it refused any attempt I made from both WAN and LAN sides of the firewall.
Have you messed around with the default rules on LAN? You obviously need to get through the firewall first before you can reach the DNS server. I haven't seen anyone else reporting problems with accessing the DNS resolver.
-
I made a Windows VM that lives behind the firewall. That is where I do my testing from. The firewall rules for the LAN interface look like this: https://i.imgur.com/Z2xyRlu.png, which to me look like everything is open.
This is a testing device and I don't mind sending an XML backup of it, or cooperating via some screen sharing etc. I can easily make this work for me but I wanted to understand if it was a PEBKAC or not.
-
@jmacdonald I have the exact same question and would love to see some comments on it. Thanks!
Also, what is the rule to add in order to have "Allow All"? I tried 0.0.0.0/128 but that didn't work.
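-
Added example, not part of the thread and not the project's own code: a small Python model of how an Unbound-style resolver picks an action from its `access-control` entries, assuming the DNS Resolver discussed here is Unbound. The most specific matching netblock wins, and a client covered only by the built-in default gets `refuse`, which the client sees as REFUSED. The sample config and all addresses are constructed.

```python
import ipaddress

# Unbound's documented default: localhost is allowed, everyone else is refused.
DEFAULTS = [("0.0.0.0/0", "refuse"), ("::/0", "refuse"),
            ("127.0.0.0/8", "allow"), ("::1/128", "allow")]

# Constructed sample in unbound.conf syntax (addresses are made up).
SAMPLE_CONF = """
server:
    access-control: 192.168.1.0/24 allow
    access-control: 192.168.1.66/32 deny   # one known-bad client
    access-control: 10.8.0.0/24 allow      # VPN clients
"""

def parse_access_control(conf_text):
    """Return [(network, action)] for every access-control line."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        netblock, action = line.split(":", 1)[1].split()
        # ip_network raises ValueError for an impossible netblock such as
        # 0.0.0.0/128: IPv4 prefixes stop at /32, so "all IPv4" is 0.0.0.0/0
        # and "all IPv6" is ::/0.
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules

def decide(client, rules):
    """Action of the most specific netblock that contains the client."""
    addr = ipaddress.ip_address(client)
    table = [(ipaddress.ip_network(n), a) for n, a in DEFAULTS] + rules
    best = None
    for net, action in table:
        if net.version == addr.version and addr in net:
            # ">=" lets a configured rule override a default of equal size.
            if best is None or net.prefixlen >= best[0]:
                best = (net.prefixlen, action)
    return best[1]

if __name__ == "__main__":
    rules = parse_access_control(SAMPLE_CONF)
    for ip in ("192.168.1.20", "192.168.1.66", "10.8.0.5", "203.0.113.9"):
        print(ip, decide(ip, rules))
```

With an empty rule list the model refuses every non-localhost client, so a REFUSED from the LAN points at the LAN netblock being absent from the resolver's effective access list rather than at the firewall rules.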