====== PFSense - DNS - Block DNS Requests ======
Block any DNS request sent from the LAN to a host other than the pfSense, so that every client has to resolve through the resolver running on the pfSense itself.
**NOTE:** Benefits include:
* Malware, or a DNS hijack on a client (for example a changed resolver setting), can no longer send plain DNS queries to an attacker-chosen server on port 53.
* Centralized monitoring and logging: every lookup goes through one resolver, and logged block hits reveal hosts with a hard-coded external resolver.
**NOTE:** These rules only cover plain DNS on port 53. DNS over TLS (port 853) and DNS over HTTPS (port 443) are not caught; 853 can be blocked with the same rule pair and that port, while DoH needs a different approach. The rules below are also IPv4 only; if the LAN carries IPv6, repeat them with Address Family set to IPv6 (or IPv4+IPv6), otherwise a client can still query an external IPv6 resolver.
----
===== Allow DNS Requests to the pfSense box =====
Create a firewall rule to allow any request on port 53 to the pfSense box.
Navigate to **Firewall -> Rules -> LAN**.
Add a new firewall rule.
* Action: **Pass**.
* Disabled: **Not Checked**.
* Interface: **LAN**.
* Address Family: **IPv4**.
* Protocol: **TCP/UDP**.
* Source:
* Invert Match: **Not Checked**.
* Source: **Any**.
* Destination:
* Invert Match: **Not Checked**.
* Destination: **This firewall (self)**.
* Destination Port Range - From: **DNS (53)**.
* Destination Port Range - To: **DNS (53)**.
* Log: **Not Checked**.
* Description: **Allow DNS to pfSense**.
----
===== Block ALL LAN traffic on port 53 (DNS) =====
Create a firewall rule to block ALL LAN traffic on port 53 (DNS).
**IMPORTANT:** pfSense evaluates the LAN rules top to bottom and the first match wins. This block rule must be below the above ALLOW rule, and both must be above the default "allow LAN to any" rule, otherwise that rule matches first and the block never fires.
Navigate to **Firewall -> Rules -> LAN**.
Add a new firewall rule.
* Action: **Block**.
* Disabled: **Not Checked**.
* Interface: **LAN**.
* Address Family: **IPv4**.
* Protocol: **TCP/UDP**.
* Source:
* Invert Match: **Not Checked**.
* Source: **Any**.
* Destination:
* Invert Match: **Not Checked**.
* Destination: **Any**.
* Destination Port Range - From: **DNS (53)**.
* Destination Port Range - To: **DNS (53)**.
* Log: **Not Checked** (check it if you want blocked lookups to appear under **Status -> System Logs -> Firewall**; that is what makes the monitoring benefit above usable).
* Description: **Block DNS to anywhere**.
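With Log checked on the block rule, the firewall log is where you find hosts that still try to talk to an external resolver. The following is an added example, not part of the original page or of pfSense: a small parser for the pfSense ''filterlog'' line format (the CSV that follows ''filterlog[pid]: '' in the syslog output) that groups blocked DNS attempts by LAN source. The field positions follow the documented IPv4 layout; the sample lines, interface name, tracker IDs and addresses are constructed for illustration, so compare the positions against the raw output of your own Status -> System Logs -> Firewall before relying on them.

```python
import re
from collections import Counter, defaultdict

# pfSense filterlog entries are CSV after the "filterlog[pid]: " prefix.
# IPv4 field layout assumed here (documented pfSense filter log format):
#   0 rule-number, 1 sub-rule, 2 anchor, 3 tracker, 4 interface, 5 reason,
#   6 action, 7 direction, 8 ip-version, 9 tos, 10 ecn, 11 ttl, 12 id,
#   13 offset, 14 flags, 15 protocol-id, 16 protocol-text, 17 length,
#   18 source, 19 destination, 20 source-port, 21 destination-port, ...
FILTERLOG_RE = re.compile(r"filterlog\[\d+\]: (.*)$")

# 853 only matters if you also added a block rule for DNS over TLS.
DNS_PORTS = {53, 853}


def parse_filterlog(line):
    """Return a dict for an IPv4 TCP/UDP filterlog entry, or None for anything else."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None  # IPv6, ICMP, or not a filterlog line
    return {
        "interface": f[4], "action": f[6], "direction": f[7],
        "proto": f[16], "src": f[18], "dst": f[19],
        "sport": int(f[20]), "dport": int(f[21]),
    }


def blocked_dns_clients(lines):
    """Map each source that had DNS blocked to a dict of destination -> hit count."""
    offenders = defaultdict(Counter)
    for line in lines:
        entry = parse_filterlog(line)
        if entry and entry["action"] == "block" and entry["dport"] in DNS_PORTS:
            offenders[entry["src"]][entry["dst"]] += 1
    return {src: dict(counts) for src, counts in offenders.items()}


# Constructed sample log (not real pfSense output): two UDP and one TCP
# query from .50 blocked, one allowed query from .60 to the pfSense, and
# one unrelated blocked HTTPS connection from .70.
SAMPLE_LOG = """\
Mar  3 10:15:01 pfSense filterlog[40123]: 7,,,1770000001,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,61,192.168.1.50,8.8.8.8,52010,53,41
Mar  3 10:15:02 pfSense filterlog[40123]: 7,,,1770000001,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,61,192.168.1.50,8.8.8.8,52011,53,41
Mar  3 10:15:05 pfSense filterlog[40123]: 7,,,1770000001,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,1.1.1.1,43322,53,0,S,1234567890,,64240,,mss;sackOK;TS;nop;wscale
Mar  3 10:15:07 pfSense filterlog[40123]: 6,,,1770000000,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,61,192.168.1.60,192.168.1.1,50100,53,41
Mar  3 10:15:09 pfSense filterlog[40123]: 9,,,1770000009,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.70,203.0.113.5,41000,443,0,S,99,,64240,,mss
""".splitlines()


if __name__ == "__main__":
    for src, dsts in sorted(blocked_dns_clients(SAMPLE_LOG).items()):
        print(src, dsts)
```

Feed it the raw firewall log (for example ''clog /var/log/filter.log'' on older releases, or the plain file on newer ones) and the output lists each host that ignored the DHCP-assigned resolver, which is usually either a misconfigured device or something worth a closer look.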
----
===== Test =====
First confirm that normal resolution through the pfSense still works. On a client whose DNS server is the pfSense (192.168.1.1 in this example), do an nslookup against an external site.
nslookup google.com
returns:
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: google.com
Address: 172.217.169.78
Name: google.com
Address: 2a00:1450:4009:819::200e
**NOTE:** This shows the server handling the DNS query is 192.168.1.1 which is the IP of the pfSense.
Great!
----
Next confirm that DNS to anything else is blocked. Set the DNS on the client to an external provider, such as Google's 8.8.8.8, or query that server directly:
nslookup google.com 8.8.8.8
Because the rule action is **Block** (a silent drop, unlike **Reject**), the client gets no response at all and nslookup eventually reports a timeout. If the lookup succeeds and shows ''Server: 8.8.8.8'', the block rule is not taking effect: check that it sits below the allow rule and above the default "allow LAN to any" rule. On the pfSense itself, ''pfctl -sr'' lists the loaded rules in the order they are evaluated.
----
Finally, ping an external site to ensure non-DNS traffic is unaffected.
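The two checks above can be scripted on a client so the policy is verified in one go, with the silent drop treated as the expected result for the external server. The following is an added example, not from the original page or from pfSense: it sends a raw UDP query (no third-party DNS library) to the pfSense and to 8.8.8.8 and passes only if the pfSense answers and the external server times out. The gateway address 192.168.1.1 and the use of google.com as the test name follow this page; the ''probe'' and ''check_policy'' names are the example's own.

```python
import secrets
import socket
import struct


def build_query(name, txid=None):
    """Build a minimal DNS query for an A record with the RD bit set.

    Wire format: 12-byte header, QNAME as length-prefixed labels,
    then QTYPE=1 (A) and QCLASS=1 (IN).
    """
    if txid is None:
        txid = secrets.randbelow(65536)  # unpredictable transaction ID
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def _skip_name(buf, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_answer_ips(resp):
    """Return the IPv4 addresses carried in A records of the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return ips


def probe(server, name="google.com", timeout=3.0):
    """Send one UDP query to server:53 and classify the outcome.

    ("answer", [ips])  a response with our transaction ID came back
    ("timeout", [])    nothing came back: what a pfSense Block rule produces
    ("mismatch", [])   a packet arrived but with a different transaction ID
    """
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _peer = sock.recvfrom(512)
    except socket.timeout:
        return ("timeout", [])
    finally:
        sock.close()
    if data[:2] != query[:2]:
        return ("mismatch", [])
    return ("answer", parse_answer_ips(data))


def check_policy(gateway, external="8.8.8.8"):
    """Return (policy_ok, details): the gateway must answer, the external resolver must not."""
    details = {"gateway": probe(gateway), "external": probe(external)}
    ok = details["gateway"][0] == "answer" and details["external"][0] == "timeout"
    return ok, details


if __name__ == "__main__":
    import sys
    gw = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # pfSense LAN address assumed
    ok, details = check_policy(gw)
    for label, (status, ips) in details.items():
        print(f"{label:8s} {status:8s} {' '.join(ips)}")
    print("PASS" if ok else "FAIL")
```

Run it from a LAN client with the pfSense LAN address as the argument. A ''FAIL'' with the external probe showing ''answer'' means the block rule is being bypassed or shadowed by an earlier rule; a ''FAIL'' with the gateway showing ''timeout'' means the allow rule (or the resolver on the pfSense) is not working.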
----