pfsense:stopping_dns_leaks, revision of 2020/04/14 14:50 by peter (the page was removed on 2020/11/30 12:07 by peter).
====== PFSense - Stopping DNS Leaks ======

Navigate to **Services -> DNS Resolver**

  * DNS Query Forwarding:  **Not Checked**.
  * Custom Options:  <code>
server:
  ssl-upstream: yes
  do-tcp: yes
forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  forward-addr: 2606:4700:4700::1111@853
  forward-addr: 2606:4700:4700::1001@853
</code>

With **DNS Query Forwarding** unchecked, pfSense does not write a forward-zone of its own, so the custom options above are the only forwarding configuration Unbound sees: every query for the root zone ''.'' goes to Cloudflare over TCP port 853 inside TLS (''ssl-upstream'' is the older spelling of ''tls-upstream''; Unbound accepts both).  ''forward-zone:'' is a top-level clause in Unbound's configuration rather than a ''server:'' option; the original indentation was misleading but harmless, since Unbound's parser ignores it.

Note that, as written, the TLS session is encrypted but not authenticated: Unbound is given no CA bundle and no expected server name, so it will accept whatever certificate is presented on 1.1.1.1 port 853.  That is enough to stop passive observation of your queries, which is what this page is about, but not an active attacker who can redirect port 853.

It's OK to set the resolver to listen on all interfaces, since the default-deny ruleset on the WAN already prevents Internet hosts from reaching your resolver.
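An authenticated variant of the same custom options, added here as an example and not taken from the original page: each ''forward-addr'' carries the name Unbound must find in the server certificate (Unbound's ''address@port#name'' form, available from Unbound 1.7.3 onwards), and ''tls-cert-bundle'' gives Unbound a CA bundle to verify it against.  The bundle path is an assumption; ''/etc/ssl/cert.pem'' is where FreeBSD and pfSense keep it.  pfSense 2.4.4 and later can generate the equivalent from the GUI ("Use SSL/TLS for outgoing DNS Queries to Forwarding Servers", which requires DNS Query Forwarding to be checked and the server hostnames entered under **System -> General Setup**); use one method or the other, not both.

```conf
server:
  # current spelling of ssl-upstream
  tls-upstream: yes
  do-tcp: yes
  # Assumed path; this is where FreeBSD/pfSense ship the CA bundle.
  tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
  name: "."
  # The name after '#' is what Unbound checks in the upstream's certificate;
  # a server presenting any other certificate is rejected.
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

After saving, ''unbound-checkconf /var/unbound/unbound.conf'' from the pfSense shell (pfSense writes the generated configuration there) reports any syntax error.  If the resolver stops answering after the change, the usual cause is an unreadable bundle path or a name that does not match the certificate; the Unbound log under **Status -> System Logs -> Resolver** says which.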
- 
----

===== Test =====

==== Test using an internal DNS: ====

<code bash>
dig www.google.com @yourrouter.local
</code>

You should get a successful answer from your router's local DNS resolver; the ''SERVER:'' line at the bottom of the dig output shows the router's IP.  Use a name you have not resolved recently: a cached answer never leaves the router, so it proves nothing about the forwarder.

<WRAP info>
**NOTE:**  You can use **Diagnostics -> Packet Capture** on the WAN interface with port 853 to verify that the query was forwarded over DNS over TLS.  A second capture on WAN for port 53 during the same query should stay empty.
</WRAP>
- 
----

==== Test using an external DNS ====

Try and dig something against an external IP.  What happens depends on whether anything intercepts the query: if you have a NAT port forward on the LAN interface that redirects destination port 53 to the firewall itself, the query is answered by your own resolver whichever address you asked; if you have no such redirect, the query leaves the WAN in plaintext and is answered by that host, which is exactly the leak this page is about.

The most telling target is an external IP that you know is **not** a DNS server: an answer can then only have come from your own resolver.  A public resolver such as 8.8.8.8 proves less, because Google will answer plaintext port-53 queries directly, and dig's ''SERVER:'' line shows 8.8.8.8 either way, so pair it with a port-53 capture on WAN:

<code bash>
dig www.google.com @8.8.8.8
</code>

Assuming that's all fine, you should now be able to configure a broad block rule to bar all outbound port 53.
- 
----

===== Block all outbound non-encrypted DNS =====

Navigate to **Firewall -> Rules**

Rules on an interface tab in pfSense match traffic **entering** the firewall on that interface, so a rule on the **WAN** tab only affects packets arriving from the Internet and does nothing to stop LAN clients sending port-53 queries out.  Define the block rule on the **LAN** tab instead (and on any other internal interface), above the default "allow LAN to any" rule, with these settings;

  * Action: **Block**.
  * Interface: **LAN**.
  * Address Family: **IPv4+IPv6**.
  * Protocol: **TCP/UDP**.
  * Source: **any**.
  * Destination: **Invert match**, **This Firewall (self)**.
  * Destination Port: **DNS (53)**.
  * Description: **Block outbound insecure DNS**.

The inverted destination matters: with **Destination: any** the rule would also block queries to your own resolver on the router's LAN address.  It also keeps a NAT port forward working, because the redirect is applied before the rules are evaluated and the rule then sees the rewritten destination, which is the firewall itself.

Verify that you can still resolve against the local resolver (your router's IP).  A query aimed at an external resolver (e.g. 8.8.8.8) should now either be answered by your own resolver (with a port-53 redirect in place) or time out (without one); what it must not do is leave the WAN.

You should also check, with a packet capture on the WAN interface, that nothing passes on port 53 while you do so.  This rule covers classic DNS on port 53 only: a client doing its own DNS over TLS to another provider on port 853, or DNS over HTTPS on port 443, is not stopped by it.
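A leak check that reads the WAN packet capture, added here as an example and not part of the original page.  It assumes the capture comes from ''tcpdump -nn'' on the pfSense WAN interface (run from the pfSense shell or **Diagnostics -> Command Prompt** while a client issues dig queries; the interface name ''em0'' is an assumption) and classifies every packet by destination port: 53 is a plaintext leak, 853 is the DNS-over-TLS traffic you expect from the forwarder.  The sample capture embedded in the script is constructed.

```sh
#!/bin/sh
# dns_leak_check.sh - classify "tcpdump -nn" output from the WAN interface.
# Added example, not from the original page.  Assumes tcpdump's default
# one-line format, e.g.
#   12:00:01.000001 IP 203.0.113.5.51234 > 8.8.8.8.53: 4321+ A? example.com. (29)
# WAN_IF is an assumption; use your own WAN interface name.
WAN_IF="${WAN_IF:-em0}"

# Print the destination port of one tcpdump line: the token after '>' with its
# trailing ':' removed, then whatever follows the last '.'.  Works for IPv6 too,
# because tcpdump separates address and port with '.' there as well.
dst_port() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
    sub(/:$/, "", dst)
    n = split(dst, part, ".")
    print part[n]
  }'
}

# Classify one line: "plain" (port 53, a leak), "dot" (port 853, expected), "other".
classify_line() {
  case "$(dst_port "$1")" in
    53)  echo plain ;;
    853) echo dot ;;
    *)   echo other ;;
  esac
}

# Read a capture on stdin and print "<plaintext count> <DoT count>".
count_dns() {
  plain=0; dot=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$(classify_line "$line")" in
      plain) plain=$((plain + 1)) ;;
      dot)   dot=$((dot + 1)) ;;
    esac
  done
  echo "$plain $dot"
}

# Verdict for a capture on stdin: LEAK (exit 1) if any plaintext DNS left the
# WAN, otherwise OK; the DoT count tells you the forwarder was actually used.
verdict() {
  set -- $(count_dns)
  if [ "$1" -gt 0 ]; then
    echo "LEAK: $1 plaintext port-53 packet(s) on WAN ($2 DoT packets)"
    return 1
  fi
  echo "OK: no plaintext DNS on WAN ($2 DoT packets)"
}

# Live capture on pfSense: capture for N seconds (default 15) while a client
# runs dig.  timeout(1) and tcpdump are both in the pfSense base system.
live_check() {
  timeout "${1:-15}" tcpdump -nni "$WAN_IF" -l 'port 53 or port 853' 2>/dev/null | verdict
}

# Constructed sample: a DoT handshake to 1.1.1.1, one to Cloudflare over IPv6,
# and one plaintext query that escaped to 8.8.8.8.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.5.40002 > 1.1.1.1.853: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP6 2001:db8::5.40003 > 2606:4700:4700::1111.853: Flags [S], seq 1, win 65535, length 0
12:00:02.000003 IP 203.0.113.5.51234 > 8.8.8.8.53: 4321+ A? www.google.com. (32)'

if [ "${1:-}" = "--live" ]; then
  live_check "${2:-15}"
else
  # Demo on the constructed sample.  verdict exits non-zero on a leak, so the
  # status is captured here rather than aborting a caller that runs with set -e.
  printf '%s\n' "$SAMPLE_CAPTURE" | verdict && rc=0 || rc=$?
  echo "exit status: $rc"
fi
```

Run it as ''sh dns_leak_check.sh --live 20'' on the router, then issue the dig queries from a client within those 20 seconds; an ''OK'' line with a non-zero DoT count is the result you want after the block rule is in place.  Without arguments it runs against the embedded sample and reports the one plaintext packet as a leak.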
  
pfsense/stopping_dns_leaks.1586875812.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
