PFSense - DNS - Block DNS Requests
Block any DNS requests sent to a host other than the pfSense.
NOTE: Benefits include:
- Preventing malware and DNS hijacking from sending DNS queries to resolvers outside your control.
- Centralized monitoring and logging of all DNS queries on the LAN.
Allow DNS Requests to the pfSense box
Create a firewall rule to allow any requests on port 53 to the pfSense box.
Navigate to Firewall → Rules → LAN.
Add a new firewall rule.
- Action: Pass.
- Disabled: Not Checked.
- Interface: LAN.
- Address Family: IPv4.
- Protocol: TCP/UDP.
- Source:
  - Invert Match: Not Checked.
  - Source: Any.
- Destination:
  - Invert Match: Not Checked.
  - Destination: This firewall (self).
  - Destination Port Range - From: DNS (53).
  - Destination Port Range - To: DNS (53).
- Log: Not Checked.
- Description: Allow DNS to pfSense.
Block ALL LAN traffic on port 53 (DNS)
Create a firewall rule to block ALL LAN traffic on port 53 (DNS).
IMPORTANT: This rule must be placed below the ALLOW rule above. pfSense evaluates LAN rules top to bottom and the first match wins, so if the block rule comes first it will also block DNS to the pfSense box itself.
Navigate to Firewall → Rules → LAN.
Add a new firewall rule.
- Action: Block.
- Disabled: Not Checked.
- Interface: LAN.
- Address Family: IPv4.
- Protocol: TCP/UDP.
- Source:
  - Invert Match: Not Checked.
  - Source: Any.
- Destination:
  - Invert Match: Not Checked.
  - Destination: Any.
  - Destination Port Range - From: DNS (53).
  - Destination Port Range - To: DNS (53).
- Log: Not Checked.
- Description: Block DNS to anywhere.
Test
On a client device, set DNS to point to an external DNS provider, such as Google.
- Set the DNS on the client to 8.8.8.8
Try an nslookup against an external site.
nslookup google.com
returns:
Server:     192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
Name:    google.com
Address: 172.217.169.78
Name:    google.com
Address: 2a00:1450:4009:819::200e
NOTE: This shows that the server handling the DNS query is 192.168.1.1, which is the LAN IP of the pfSense box.
Great!
Try pinging an external site to ensure this works too.
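As an added example (not part of the original wiki page), the following script runs the same check from a LAN client with a raw UDP DNS query so that a silently dropped packet is reported as such rather than hidden by the client's fallback resolver. It assumes the page's addresses (pfSense at 192.168.1.1, external resolver 8.8.8.8); the minimal DNS encoder/decoder is the example's own and not pfSense code.

```python
# Added example: the query to 8.8.8.8 should time out once the block rule is
# active, while the query to the pfSense box should return A records.
import socket
import struct

PFSENSE_DNS = "192.168.1.1"   # pfSense LAN address used on the page
EXTERNAL_DNS = "8.8.8.8"      # external resolver the page's test points at

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a recursive A query in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(resp: bytes, pos: int) -> int:
    """Advance past a domain name, honouring 2-byte compression pointers."""
    while resp[pos] != 0 and resp[pos] & 0xC0 != 0xC0:
        pos += resp[pos] + 1
    return pos + (2 if resp[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4          # skip QNAME, QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def query(server: str, name: str, timeout: float = 2.0):
    """Send one query; None means no reply (the expected result for 8.8.8.8)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_records(data)

if __name__ == "__main__":
    for server, expect in ((PFSENSE_DNS, True), (EXTERNAL_DNS, False)):
        result = query(server, "google.com")
        print(server, result, "OK" if (result is not None) == expect else "UNEXPECTED")
```

If the external query is answered instead of timing out, the block rule is either above the allow rule, disabled, or the client is not on the LAN interface the rules were added to.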
pfsense/dns/block_dns_requests.txt · Last modified: 2022/10/08 08:55 by peter