
I have pfSense with an external IP and the Unbound DNS Resolver running on it. When I send a query from the internal network, it replies, but when I send a query from an external machine it doesn't reply.

Internal:

nslookup mydomain.com 192.168.1.1

External:

nslookup mydomain.com external_ip
DNS request time out.

DNS Resolver listens on all interfaces.

Vladimir

2 Answers

2

You don't want it allowing external DNS lookups. The built-in DNS Forwarder and Resolver are strictly for providing name resolution for your internal machines. If you want a public name server, use something that's designed to be a public name server: the BIND package if you must run it on the firewall, but it's best to use a service provider or something on a separate server.

Your note on another comment that you switched to DNS Forwarder and opened it to the entire Internet means it's likely only a matter of hours until you're being used as part of a reflected DNS amplification DDoS attack, because you opened a recursive DNS resolver to the world. Take that rule off WAN so no one from the Internet can reach port 53. And you'd be better off switching back to Resolver: Unbound replies with "query refused" for good reason - its built-in ACL capabilities help ensure you're not able to make yourself open to flooding garbage traffic as part of a DDoS.

Chris Buechler
  • I wonder if I can put bind:53 on WAN and dnsmasq:53 on LAN? – Vladimir Jul 07 '16 at 10:38
  • Yes you can put BIND on port 53 on WAN, and dnsmasq or unbound on LAN. – Chris Buechler Jul 09 '16 at 03:46
  • I turned on BIND on WAN, but it doesn't respond. Should I use the rule to open 53 port on WAN like described above? – Vladimir Jul 19 '16 at 16:14
  • Yes if you have BIND and want it to answer on WAN, TCP/UDP 53 must be allowed in the WAN rules. – Chris Buechler Jul 20 '16 at 19:20
  • For some reason I want to make a public DNS server which resolves any request to a single IP address. So what if I turn on "DNS Forwarder", open port 53 on WAN, and set a config to `"address=/#/1.1.1.1"`, would it also be unsafe? – Vladimir Jan 28 '17 at 18:03
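The distinction Chris draws above, between Unbound answering "query refused" and a resolver that actually recurses for anyone on the Internet, is visible in two header fields of the DNS reply: the RCODE (5 = REFUSED) and the RA (recursion available) flag. The following script is an added example, not code from either answer or from pfSense; it builds a recursion-desired A query by hand, decodes those fields, and classifies the reply. The three sample replies are constructed inline so the classification runs offline; `probe()` sends the same query over UDP and can be pointed from an outside host at your own WAN address to confirm that the firewall and ACL behave as intended. The names `build_query`, `classify_response`, `probe` and the sample constants are this example's own.

```python
import socket
import struct

# Added example (not from the original answers): a minimal DNS wire-format
# builder/decoder used to check how a resolver treats recursive queries.

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A/IN query with only the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes) -> dict:
    """Decode the header flags that matter for an open-resolver check."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)   # RA: server offers recursion to this client
    aa = bool(flags & 0x0400)   # AA: answer comes from authoritative data
    result = {
        "txid": txid,
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "recursion_available": ra,
        "authoritative": aa,
        "answers": an,
    }
    if rcode == 5:
        # Unbound's default access-control for non-local sources
        result["verdict"] = "refused"
    elif rcode == 0 and ra:
        # From an outside vantage point this is an open recursive resolver
        result["verdict"] = "open recursion"
    else:
        # e.g. an authoritative-only server (public BIND) that answers for its
        # own zones but does not recurse for strangers
        result["verdict"] = "no recursion offered"
    return result


def probe(server: str, name: str = "mydomain.com", timeout: float = 3.0) -> dict:
    """Send one UDP query to server:53 and classify the reply.

    Raises socket.timeout when nothing comes back (the firewall drops port 53).
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    return classify_response(data)


# Constructed sample replies (same question section as the query above).
_QUESTION = build_query("mydomain.com")[12:]
_ANSWER_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([1, 1, 1, 1])

# QR=1 RD=1 RCODE=5: what Unbound's ACL returns to an unlisted source
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION
# QR=1 RD=1 RA=1 NOERROR with one answer: a resolver recursing for anyone
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER_RR
# QR=1 AA=1, RA=0: authoritative-only answer, no recursion for strangers
SAMPLE_AUTH_ONLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _QUESTION + _ANSWER_RR

if __name__ == "__main__":
    for label, sample in (("refused", SAMPLE_REFUSED), ("open", SAMPLE_OPEN), ("auth-only", SAMPLE_AUTH_ONLY)):
        print(label, classify_response(sample))
    # To check a real box from outside: print(probe("<your WAN IP>"))
```

A "refused" verdict from the outside is the healthy state for the pfSense resolver; "open recursion" from the outside is the reflector scenario described in the answer, and the fix is the WAN rule, not the ACL. "no recursion offered" together with `authoritative` set is what a correctly limited public BIND on WAN looks like.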
0

Ensure that Network Interfaces is set to All in Services > DNS Resolver

Then add a rule like the below in Firewall > Rules > Wan:


Joshua Griffiths
  • Yes, that's much better than port forwarding. Thank you, it works. Also I had to replace the DNS Resolver with the DNS Forwarder service, so now I receive the replies instead of "Query refused". – Vladimir Jul 05 '16 at 13:12
  • This is not a good idea, and potentially very dangerous, for the reason I noted in my answer. – Chris Buechler Jul 06 '16 at 07:22
  • Correct and well noted; however there are legitimate use cases (e.g. private WAN) – Joshua Griffiths Jul 06 '16 at 07:29
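For the legitimate case Joshua mentions (a private WAN whose peers should be able to use the resolver) the safer route is to keep the WAN rule narrow and let Unbound's access-control do the rest, instead of switching to the Forwarder and answering the whole Internet. The fragment below is an added example, not configuration from either answer; it assumes the LAN range from the question and uses 203.0.113.0/24 (a documentation range) as a placeholder for the private-WAN peer network. It is written for Unbound's `server:` section, which on pfSense is the "Custom options" box under Services > DNS Resolver (an assumption about where it is pasted; pfSense also has its own Access Lists tab that writes equivalent lines).

```conf
server:
    # Added example, not part of the original answers.
    # Unbound picks the most specific matching access-control entry, so the
    # catch-all refuse keeps everything else getting RCODE 5 (REFUSED),
    # which is the state the accepted answer recommends.
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow     # LAN from the question
    access-control: 203.0.113.0/24 allow     # placeholder: private-WAN peer range
```

The matching WAN firewall rule should then pass TCP/UDP 53 only from that peer range, not from any source: the ACL stops Unbound from recursing for strangers, and the rule stops them from reaching port 53 at all, so neither layer alone has to be perfect.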