Differences

This shows you the differences between two versions of the page.

--- pfsense:dns:block_dns_requests [2021/04/27 09:58] – created peter
+++ pfsense:dns:block_dns_requests [2022/10/08 08:55] (current) – [Test] peter
@@ Line 12: / Line 12: @@
 ----
-===== Create a firewall rule to block ALL LAN traffic on port 53 (DNS) =====
+===== Allow DNS Requests to the pfSense box =====
+Create a firewall to allow any requests on port 53 to the pfSense box.
+Navigate to **Firewall -> Rules -> LAN**.
+Add a new firewall rule.
+  * Action:  **Pass**.
+  * Disabled:  **Not Checked**.
+  * Interface:  **LAN**.
+  * Address Family:  **IPv4**.
+  * Protocol:  **TCP/UDP**.
+  * Source:
+    * Invert Match:  **Not Checked**.
+    * Source:  **Any**.
+  * Destination:
+    * Invert Match:  **Not Checked**.
+    * Destination:  **This firewall (self)**.
+    * Destination Port Range - From:  **DNS (53)**.
+    * Destination Port Range - To:  **DNS (53)**.
+  * Log:  **Not Checked**.
+  * Description:  **Allow DNS to pfSense**.
+----
+===== Block ALL LAN traffic on port 53 (DNS) =====
+Create a firewall rule to block ALL LAN traffic on port 53 (DNS).
+<WRAP important>
+**IMPORTANT:**  This rule must be below the above ALLOW rule.
+</WRAP>
 Navigate to **Firewall -> Rules -> LAN**.
@@ Line 34: / Line 67: @@
   * Description:  **Block DNS to anywhere**.
+----
+===== Test =====
+On a client device, set DNS to point to an external DNS provider, such as Google.
+  * Set the DNS on the client to 8.8.8.8
+Try to do a nslookup against an external site.
+<code bash>
+nslookup google.com
+</code>
+returns:
+<code bash>
+Server:		192.168.1.1
+Address:	192.168.1.1#53
+Non-authoritative answer:
+Name:	google.com
+Address: 172.217.169.78
+Name:	google.com
+Address: 2a00:1450:4009:819::200e
+</code>
+<WRAP info>
+**NOTE:** This shows the server handling the DNS query is 192.168.1.1 which is the IP of the pfSense.
+Great!
+</WRAP>
+----
+Try to do a ping an external site to ensure this works too.
+----