Port 53 traffic
-
My firewall is passing a lot of UDP traffic from random ports on the WAN to port 53 of seemingly random IP addresses on the net. My first thought was maybe I have a device with a virus, but I don't see (yet) any corresponding LAN traffic. I'm running v2.2.6 with DNS Resolver enabled and OpenDNS in System > General Setup. Any suggestions as to what this may be or if it's even something to be concerned about?
-
That would most likely be your resolver, looking up stuff.
A resolver, unlike a forwarder, walks the DNS tree down from the roots, asking the owning nameservers directly for a specific domain for the record your client is looking for. Yes, this is going to come from a random source port, like pretty much all IP traffic.
If you're curious, why don't you sniff this traffic, open it up in Wireshark, and look to see what is being asked, and also the responses you're going to be seeing as well.
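To make that sniff easier to read, here is an added example (not from the original thread) that takes `tcpdump -n udp port 53` style lines from the WAN and decides whether the pattern matches a forwarder (every query, with the RD flag set, going to a fixed set of upstreams) or an iterating resolver (RD-clear queries spread across many authoritative servers). The capture lines, the WAN address 203.0.113.5 and all destination addresses are constructed; the forwarder set assumes the public OpenDNS addresses and should be replaced with whatever is configured under System > General Setup.

```python
import re
from collections import Counter

# One tcpdump -n line for a UDP DNS query: "<src>.<sport> > <dst>.53: <id>[+] <qtype>? <qname>"
# The '+' after the query id is tcpdump's marker for the RD (recursion desired) flag.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+(?P<rd>\+)? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \("
)

# Assumed forwarder set (public OpenDNS addresses); use the servers your firewall is configured with.
OPENDNS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample captures: destinations use documentation ranges, not real nameservers.
RESOLVER_CAPTURE = """\
12:00:01.001 IP 203.0.113.5.51234 > 192.0.2.10.53: 4101 A? www.example.com. (33)
12:00:01.040 IP 203.0.113.5.51987 > 192.0.2.20.53: 4102 A? www.example.com. (33)
12:00:01.090 IP 203.0.113.5.60120 > 198.51.100.7.53: 4103 A? www.example.com. (33)
12:00:02.500 IP 203.0.113.5.41422 > 198.51.100.9.53: 4104 AAAA? mail.example.net. (34)
"""
FORWARDER_CAPTURE = """\
12:05:01.001 IP 203.0.113.5.55102 > 208.67.222.222.53: 5201+ A? www.example.com. (33)
12:05:01.300 IP 203.0.113.5.49331 > 208.67.220.220.53: 5202+ AAAA? mail.example.net. (34)
"""

def parse_queries(capture):
    """Return (src, dst, rd_set, qtype, qname) for every query line that parses."""
    out = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m["src"], m["dst"], m["rd"] == "+", m["qtype"], m["qname"]))
    return out

def classify(capture, forwarders=OPENDNS):
    """Label outbound port-53 traffic as 'forwarder', 'resolver', or something to inspect."""
    queries = parse_queries(capture)
    if not queries:
        return {"verdict": "no DNS queries parsed", "destinations": 0, "rd_queries": 0, "names": []}
    dsts = Counter(q[1] for q in queries)          # how many distinct servers were asked
    rd_set = sum(1 for q in queries if q[2])       # queries asking the server to recurse for us
    names = sorted({q[4] for q in queries})        # what was actually looked up
    if set(dsts) <= set(forwarders):
        verdict = "forwarder"                      # everything went to the configured upstreams
    elif rd_set == 0 and len(dsts) >= 3:
        verdict = "resolver"                       # iterative, RD-clear queries to many servers
    else:
        verdict = "mixed or unexpected; inspect the names and destinations"
    return {"verdict": verdict, "destinations": len(dsts), "rd_queries": rd_set, "names": names}
```

If the verdict is "resolver" but the names are not ones your LAN clients would plausibly ask for, that is the moment to look at the LAN side of the capture.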
-
Thank you for confirming.
I disabled the resolver and all the port 53 traffic started going to OpenDNS IPs. I had actually looked at a packet capture with Wireshark, but couldn't make heads or tails of most of what it was reporting. Wish I knew more about it.
I take it that with the resolver enabled, it ignores OpenDNS and the filtering it provides?
-
Not sure what is so difficult to understand..
Didn't you see the query and then response?
A resolver doesn't give 2 shits about OpenDNS, unless you were going to query it for something it was authoritative for. I think the biggest issue with pfSense defaulting to resolver vs forwarder is that many people running it don't seem to have a clue what the difference is. Which is just really a sad state of the general understanding of how the internet works in the general populace, if you ask me.
Did you have pfSense in the general settings pointing to itself (127.0.0.1) and then OpenDNS?