PFSense - DNS - Block DNS Requests

Block any DNS requests sent to a host other than the pfSense.

Create a firewall to allow any requests on port 53 to the pfSense box.

Navigate to Firewall → Rules → LAN.

Add a new firewall rule.

• Action: Pass.
• Disabled: Not Checked.
• Interface: LAN.
• Address Family: IPv4.
• Protocol: TCP/UDP.
• Source:
  • Invert Match: Not Checked.
  • Source: Any.
• Destination:
  • Invert Match: Not Checked.
  • Destination: This firewall (self).
  • Destination Port Range - From: DNS (53).
  • Destination Port Range - To: DNS (53).
• Log: Not Checked.
• Description: Allow DNS to pfSense.

Create a firewall rule to block ALL LAN traffic on port 53 (DNS).

Navigate to Firewall → Rules → LAN.

Add a new firewall rule.

• Action: Block.
• Disabled: Not Checked.
• Interface: LAN.
• Address Family: IPv4.
• Protocol: TCP/UDP.
• Source:
  • Invert Match: Not Checked.
  • Source: Any.
• Destination:
  • Invert Match: Not Checked.
  • Destination: Any.
  • Destination Port Range - From: DNS (53).
  • Destination Port Range - To: DNS (53).
• Log: Not Checked.
• Description: Block DNS to anywhere.

On a client device, set DNS to point to an external DNS provider, such as Google.

• Set the DNS on the client to 8.8.8.8

Try to do a nslookup against an external site.

nslookup google.com

returns:

Server:		192.168.1.1
Address:	192.168.1.1#53
 
Non-authoritative answer:
Name:	google.com
Address: 172.217.169.78
Name:	google.com
Address: 2a00:1450:4009:819::200e

Try to do a ping an external site to ensure this works too.