
I am trying to create a rule to allow DNS queries (port 53) only to the 8.8.8.8 server (Google DNS). DNS queries to all other servers should not succeed.

I added the following lines to /etc/pf.conf file

anchor "com.xyz" 
load anchor "com.xyz" from "/etc/pf.anchors/com.xyz" 

and then I added the file com.xyz to the /etc/pf.anchors folder. The contents of the com.xyz file are given below:

# Options
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0

pass out proto tcp from any to 8.8.8.8 port 53
pass out proto udp from any to 8.8.8.8 port 53

This is not working; I am still able to access the internet using some other DNS server. Any suggestions why it is not working?


2 Answers


Your snippet looks good, although I suspect we're missing pieces. A minimalistic ruleset doing what you're looking for:

pass out
pass in inet proto { tcp udp } from any to 8.8.8.8 port domain
block drop in quick inet proto { tcp udp } from any to any port domain

And in some cases, you may also need something like:

match out on em0 from 10.0.0.0/8 nat-to 1.2.3.4

I assume you've already enabled IP forwarding?


I fixed it by adding the following lines after the options.

block out proto tcp from any to any port 53
block out proto udp from any to any port 53

So, basically, I ask pfctl to block all DNS packets and then ask it to allow DNS queries only to 8.8.8.8. Below is my complete com.xyz file.

# Options
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0

# Block all outbound DNS first ...
block out proto tcp from any to any port 53
block out proto udp from any to any port 53
# ... then allow it only to 8.8.8.8 (later matching rule wins in pf)
pass out proto tcp from any to 8.8.8.8 port 53
pass out proto udp from any to 8.8.8.8 port 53
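Why the accepted fix works and the original ruleset did not comes down to pf's evaluation order: rules are checked top to bottom, the last matching rule wins (unless a rule says quick), and a packet that matches no rule is passed. The following is an added toy model of that logic, not part of either answer and not pfctl itself; it parses only the small rule subset used on this page, and the 1.1.1.1 destination is a constructed sample.

```python
# Toy model of pf rule evaluation (added example, not pf or pfctl code).
# pf semantics modelled here: rules are evaluated top to bottom, the LAST
# matching rule decides, except that a matching "quick" rule ends evaluation
# immediately. A packet matching no rule at all is passed.

def parse_rule(line):
    """Parse the subset used on this page:
       (block|pass) out [quick] proto (tcp|udp) from any to <host|any> port <n>"""
    toks = line.split()
    return {
        "action": toks[0],                      # "block" or "pass"
        "quick": "quick" in toks,
        "proto": toks[toks.index("proto") + 1],
        "dst": toks[toks.index("to") + 1],      # "any" or an IP literal
        "port": int(toks[toks.index("port") + 1]),
    }

def matches(rule, pkt):
    return (rule["proto"] == pkt["proto"]
            and rule["dst"] in ("any", pkt["dst"])
            and rule["port"] == pkt["dport"])

def evaluate(ruleset, pkt):
    """Return 'pass' or 'block' for an outbound packet under the model above."""
    verdict = "pass"                            # pf default when nothing matches
    for line in ruleset:
        if not line.strip() or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:                   # quick: stop at first match
                break
    return verdict

# The question's anchor file: pass rules only, so other resolvers match nothing.
ORIGINAL = [
    "pass out proto tcp from any to 8.8.8.8 port 53",
    "pass out proto udp from any to 8.8.8.8 port 53",
]
# The accepted fix: block all port 53 first, then the more specific pass rules.
BLOCK_ALL = [
    "block out proto tcp from any to any port 53",
    "block out proto udp from any to any port 53",
]
FIXED = BLOCK_ALL + ORIGINAL
REVERSED = ORIGINAL + BLOCK_ALL                 # wrong order: block rules win last

GOOGLE = {"proto": "udp", "dst": "8.8.8.8", "dport": 53}
OTHER = {"proto": "udp", "dst": "1.1.1.1", "dport": 53}   # constructed sample
```

Running evaluate(ORIGINAL, OTHER) returns "pass", which is exactly the symptom in the question; evaluate(FIXED, OTHER) returns "block" while 8.8.8.8 still passes, and REVERSED shows that putting the block rules last would block Google too.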