Is this normal behavior?? [SOLVED]



  • Hi all

    I am somewhat new to pfsense. I am running the latest 2.3RC version.
    I recently changed settings on the firewall so I can see both pass and block traffic, and noticed that the WAN port is sending out a huge amount of DNS queries to seemingly random DNS servers.

    
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:53952		103.49.80.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:34553		156.154.69.196:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:33449		205.251.198.226:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:14588		156.154.100.3:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:44427		213.248.216.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:25581		205.251.195.251:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:39573		156.154.100.3:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:47435		213.248.220.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:60311		205.251.192.147:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:55537		205.251.196.22:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:61296		205.251.192.147:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:7195		205.251.198.83:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:31860		205.251.198.83:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:20857		205.251.198.83:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:47564		213.248.216.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:15292		43.230.48.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:53555		213.248.220.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:31333		156.154.102.3:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:53506		205.251.196.162:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:6698		205.251.192.35:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:10279		205.251.194.98:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:51772		205.251.196.162:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:42833		205.251.194.98:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:28919		156.154.69.196:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:43564		192.54.112.30:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:51211		156.154.69.196:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:21397		156.154.69.196:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:45818		205.251.199.191:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:42784		192.41.162.30:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:41980		205.251.194.2:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:35676		205.251.192.193:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:16242		205.251.199.191:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:56540		199.19.57.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:13826		199.19.57.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:41636		205.251.199.191:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:36637		205.251.194.2:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:45764		192.54.112.30:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:42689		204.13.251.31:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:24825		204.13.251.31:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:17579		204.13.250.31:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:23415		72.21.208.215:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:22834		43.230.48.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:9337		208.78.71.31:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:11791		208.78.71.31:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:41444		208.78.71.100:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:22214		213.248.216.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:25469		213.248.220.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:56297		43.230.48.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:46973		156.154.103.3:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:52460		213.248.216.1:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:13900		208.78.71.100:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:41162		204.13.251.100:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:15560		208.78.70.100:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:38209		204.13.251.100:53		UDP
    	Apr 8 15:36:40 	► WAN 	XX.XX.30.151:21668		192.43.172.30:53		UDP 
    
    

    Is this normal, or is it something I should be digging into more? None of these addresses are listed as my primary DNS servers, and this is happening about every 15 seconds or so.

    Any input would be appreciated.

    Thanks



  • Could be DNS Resolver talking to root servers.



  • Thanks for your quick response Kom.

    If this is just the DNS talking to root servers, shouldn't the requests be going out of my box on port 53, as opposed to a bunch of different random ports?

    Sorry if this is a stupid question. I'm just trying to figure this out and make sure I set up the DNS Resolver correctly.

    EDIT: Looking at a firewall summary of the last 3244 lines shows that 2296 of them are to port 53.


  • Netgate

    No. The source ports of DNS requests must be not only random, but sufficiently random to prevent certain spoofing attacks.

    This was big news a couple years ago.

    https://www.dns-oarc.net/oarc/services/dnsentropy
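
The two questions raised so far (how much of the WAN traffic is really DNS, and whether the source ports look randomised rather than fixed at 53) can both be answered from the firewall log itself. The following is an added example, not code from the thread or from pfSense: it parses lines in the format quoted above, summarises the UDP/53 traffic, and runs a simple source-port sanity check. The log lines in it are constructed to match the post's format (WAN address masked the same way; the TCP line uses a TEST-NET-1 address), and the thresholds in `source_port_check` are illustrative assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the pfSense firewall log quoted in
# the thread (timestamp, direction arrow, interface, src:port, dst:port,
# protocol). The WAN address is masked exactly as in the post, so the source
# field is not a valid IP and is treated as an opaque string.
SAMPLE_LOG = """\
Apr 8 15:36:40 ► WAN XX.XX.30.151:53952 103.49.80.1:53 UDP
Apr 8 15:36:40 ► WAN XX.XX.30.151:34553 156.154.69.196:53 UDP
Apr 8 15:36:40 ► WAN XX.XX.30.151:33449 205.251.198.226:53 UDP
Apr 8 15:36:40 ► WAN XX.XX.30.151:7195 205.251.198.83:53 UDP
Apr 8 15:36:40 ► WAN XX.XX.30.151:31860 205.251.198.83:53 UDP
Apr 8 15:36:41 ► WAN XX.XX.30.151:50123 192.0.2.80:443 TCP
"""

# Constructed contrast: what the poster expected to see, every query leaving
# from source port 53. A resolver behaving like this is the one to worry about.
FIXED_PORT_LOG = """\
Apr 8 15:36:40 ► WAN XX.XX.30.151:53 103.49.80.1:53 UDP
Apr 8 15:36:40 ► WAN XX.XX.30.151:53 156.154.69.196:53 UDP
Apr 8 15:36:40 ► WAN XX.XX.30.151:53 205.251.198.226:53 UDP
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?:►\s+)?(?P<iface>[A-Za-z0-9_]+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<proto>UDP|TCP)\b"
)


def parse_log(text):
    """Return one dict per line that matches the firewall log format; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def dns_summary(records):
    """Put numbers on the question: share of outbound records that are UDP/53,
    how many distinct servers they go to, and the peak queries in one second."""
    dns = [r for r in records if r["proto"] == "UDP" and r["dport"] == 53]
    per_second = Counter(r["ts"] for r in dns)
    return {
        "total": len(records),
        "dns": len(dns),
        "dns_share": round(len(dns) / len(records), 3) if records else 0.0,
        "distinct_servers": len({r["dst"] for r in dns}),
        "top_servers": Counter(r["dst"] for r in dns).most_common(3),
        "peak_per_second": max(per_second.values(), default=0),
    }


def source_port_check(records, min_distinct_ratio=0.9, min_spread=1024):
    """Sanity check for source-port randomisation, the property Derelict describes.
    A resolver that randomises uses a fresh ephemeral port for almost every query
    and spreads them widely; a constant port (such as 53) fails both tests.
    Thresholds are illustrative; judge a real log on thousands of lines."""
    ports = [r["sport"] for r in records if r["proto"] == "UDP" and r["dport"] == 53]
    if not ports:
        return {"ok": False, "reason": "no UDP/53 queries in sample"}
    distinct = len(set(ports))
    spread = max(ports) - min(ports)
    ok = distinct / len(ports) >= min_distinct_ratio and spread >= min_spread
    return {"ok": ok, "queries": len(ports), "distinct_ports": distinct, "spread": spread}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dns_summary(recs))
    print(source_port_check(recs))            # randomised ports: ok
    print(source_port_check(parse_log(FIXED_PORT_LOG)))   # fixed port 53: not ok
```

Feed it the exported firewall log (Status > System Logs > Firewall, or the filter log file) instead of the constructed sample; the ratio it reports is the same kind of figure as the "2296 of 3244" count in the EDIT above, and the port check tells you whether those queries leave from a random ephemeral port as they should.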



  • Thanks Derelict, I didn't know you could poison DNS that way.

    So, I've been testing various things, and found this.

    If I turn off the DNS Resolver on pfSense and turn on dnsmasq on my router, then I stop getting 20-30 outgoing DNS requests to random servers; instead I get 5-6 DNS requests ONLY to the Google nameservers that I set up. Which actually is the same way I had it set up on pfSense. So that still begs the question: why is pfSense sending all these random DNS requests? Could the "Allow DNS server list to be overridden by DHCP/PPP on WAN" have something to do with this behavior?


  • Netgate

    The requests aren't random. It just takes more requests to get the answer into your cache.

    The resolver starts at the root and works its way to an answer. Like "Where do I get more information about com? OK, now where do I get more information about google.com? OK, what are the A and AAAA records for www.google.com?"

    When you use the forwarder, you are asking a recursive/caching name server for an answer. If it doesn't have it the burden is on that server to do all the recursive work.

    Is this normal behavior??

    Yes.
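
The walk Derelict describes (root, then com, then google.com, then the answer) can be modelled offline to show exactly how many queries go to how many different servers, and how a warm cache shrinks that. The following is an added example, not code from the thread or from pfSense/Unbound: a toy iterative resolver over a constructed delegation tree. All server names (`*.example`), the delegation data and the addresses (TEST-NET-1) are made up; the resolver does not do glue, retries or server selection, and the server names are assumed reachable as given.

```python
# Constructed delegation tree mirroring the walk in the post:
# root -> com -> google.com -> answer. Names and addresses are made up.
DELEGATIONS = {
    ".": ["root-a.example", "root-b.example"],
    "com.": ["a.gtld.example", "b.gtld.example"],
    "google.com.": ["ns1.google.example", "ns2.google.example"],
}
# Which constructed zone each constructed server is authoritative for.
SERVER_ZONE = {srv: zone for zone, servers in DELEGATIONS.items() for srv in servers}
# Records held by the google.com. servers (constructed, TEST-NET-1 addresses).
RECORDS = {
    "www.google.com.": ("A", "192.0.2.10"),
    "mail.google.com.": ("A", "192.0.2.11"),
}
ROOT_HINTS = {".": DELEGATIONS["."]}   # all a cold-cache resolver knows


def is_within(name, zone):
    """True if `name` lies at or below `zone` (both fully qualified)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def authoritative_answer(server, qname):
    """Model one authoritative server's reply: a referral to the child zone it
    delegates (a server only knows its immediate children), the final record
    if it holds it, or NXDOMAIN."""
    zone = SERVER_ZONE[server]
    if not is_within(qname, zone):
        return "refused", None
    children = [z for z in DELEGATIONS
                if z != zone and is_within(z, zone) and is_within(qname, z)]
    if children:
        child = min(children, key=len)      # closest child: com., not google.com.
        return "referral", (child, DELEGATIONS[child])
    if qname in RECORDS:
        return "answer", RECORDS[qname]
    return "nxdomain", None


class Resolver:
    """Minimal iterative resolver with an answer cache and a delegation cache.
    `queries` records every query sent; each one is a UDP/53 packet that
    would show up on the WAN in the firewall log."""

    def __init__(self):
        self.answers = {}                  # qname -> record
        self.ns_cache = dict(ROOT_HINTS)   # zone -> servers learned so far
        self.queries = []                  # (server, qname, reply kind)

    def resolve(self, qname):
        if qname in self.answers:
            return self.answers[qname]     # cache hit: no packets at all
        # Start at the closest enclosing zone whose servers are already cached,
        # so a second name under google.com. skips the root and com. steps.
        start = max((z for z in self.ns_cache if is_within(qname, z)), key=len)
        servers = self.ns_cache[start]
        for _ in range(16):                # bound the referral chain
            server = servers[0]            # real resolvers choose by RTT, at random
            kind, data = authoritative_answer(server, qname)
            self.queries.append((server, qname, kind))
            if kind == "referral":
                child, child_servers = data
                self.ns_cache[child] = child_servers   # remember the delegation
                servers = child_servers
            elif kind == "answer":
                self.answers[qname] = data
                return data
            else:
                return None
        return None


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.google.com."), r.queries)       # 3 queries, 3 servers
    print(r.resolve("www.google.com."), len(r.queries))  # answer cached: still 3
    print(r.resolve("mail.google.com."), len(r.queries)) # delegation cached: 4
```

Run as written, the first lookup costs three queries to three different servers, the repeat costs none, and a second name in the same zone costs one, which is the "more requests to get the answer into your cache" effect in miniature. Multiply by every name a LAN full of devices asks for, and with the TTLs that expire in between, and you get the spread of destinations seen in the log.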



  • I understand that the DNS has to work through different servers to find the necessary address that you put into the web browser. But these requests were going out when nothing was requesting name resolution; nothing was open on the network which should be requesting name/IP address resolution. This was part of the reason I was concerned about it. By the way, I am not using the DNS Forwarder, I was only using the DNS Resolver. But if you say that what I'm seeing in the firewall is normal DNS activity, then I believe you, and thank you for taking the time to answer my questions.



  • If you have any devices live on your network, something's pretty much always going to be doing a DNS lookup of some sort. Applications and OSes checking for updates, numerous other possibilities for background activity, in addition to the usual client-generated lookups.



  • OK, thanks cmb.

    As long as everything is working as it should, that's all that matters.

    Can you please mark this thread as solved.