pfSense Block DNS Requests – No More Malware

Now that I have everything in place, I have my pfSense box block any DNS requests made to servers outside my network.

This means that the firewall drops any DNS request sent to a host other than 127.0.0.1 (the pfSense box).

The main reasoning behind this is to prevent various types of malware or DNS hijacking attempts. Additionally, it allows me to make sure that all of my DNS requests are in one place for monitoring/logging.

To start, I set up a firewall rule to block ALL LAN traffic on port 53 (DNS).

pfSense Block DNS - Block All

Once that was in place, I set up a second firewall rule to allow any requests on port 53 to the pfSense box.

pfSense Block DNS - Allow DNS Local

With those two rules in place, the firewall only allows port 53 traffic directed to the pfSense box.

Here are the final firewall rules in place. Note that the order matters, and the ALLOW rule needs to go before the DENY rule. The reason is that rules are evaluated in order and the first match wins; if the DENY were first, then even DNS traffic to the pfSense box would get blocked.

pfSense Block DNS - Firewall Rules
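As an added illustration (not code from the post), the following Python models pfSense's top-to-bottom, first-match rule evaluation and runs the post's own test against both rule orders, showing why the ALLOW rule must sit above the DENY. The pfSense LAN address 192.168.1.1, the 192.168.1.0/24 subnet and the client 192.168.1.50 are constructed values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addresses for the illustration (assumptions, not from the post):
# the pfSense LAN interface and the LAN subnet behind it.
PFSENSE_LAN_IP = "192.168.1.1"
LAN_NET = ip_network("192.168.1.0/24")
DNS_PORT = 53


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    protos: tuple          # protocols the rule covers, e.g. ("tcp", "udp")
    src: IPv4Network       # source network the packet must come from
    dst: IPv4Network       # destination network (a /32 for a single host)
    dport: Optional[int]   # destination port; None for port-less protocols

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        return (proto in self.protos
                and ip_address(src_ip) in self.src
                and ip_address(dst_ip) in self.dst
                and dport == self.dport)


def evaluate(rules: list, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> str:
    """Walk the LAN rules top to bottom; the first match decides. "default" means
    no listed rule matched and the packet falls through to whatever rule follows
    on the interface (for example the stock "LAN to any" pass rule)."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "default"


# The two rules from the post, covering both TCP and UDP on port 53.
ALLOW_DNS_TO_PFSENSE = Rule("pass", ("tcp", "udp"), LAN_NET,
                            ip_network(f"{PFSENSE_LAN_IP}/32"), DNS_PORT)
BLOCK_ALL_DNS = Rule("block", ("tcp", "udp"), LAN_NET, ip_network("0.0.0.0/0"), DNS_PORT)

CORRECT_ORDER = [ALLOW_DNS_TO_PFSENSE, BLOCK_ALL_DNS]  # ALLOW above DENY, as in the post
WRONG_ORDER = [BLOCK_ALL_DNS, ALLOW_DNS_TO_PFSENSE]    # DENY above ALLOW, the pitfall it warns about


def dns_verdicts(rules: list, client: str = "192.168.1.50") -> dict:
    """Reproduce the post's test from a constructed LAN client: a lookup against
    the pfSense box, a lookup against 8.8.8.8, and a ping to 8.8.8.8."""
    return {
        "dns_to_pfsense": evaluate(rules, "udp", client, PFSENSE_LAN_IP, DNS_PORT),
        "dns_to_google": evaluate(rules, "udp", client, "8.8.8.8", DNS_PORT),
        "ping_google": evaluate(rules, "icmp", client, "8.8.8.8", None),
    }
```

Both orders block the lookup to 8.8.8.8 and leave the ping alone, but only the correct order lets the lookup to the pfSense box through. These rules only see classic port-53 DNS; a client resolving over TLS (port 853) or HTTPS (port 443) matches neither rule and is neither blocked nor logged by them.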

To test this out, I set my DNS server to Google (8.8.8.8) and attempted an nslookup on google.com. As you can see, the request failed. To prove that it wasn't a connection issue, I also pinged 8.8.8.8, which was successful.

pfSense Block DNS - DNS Blocked

All in all, a pretty simple solution, but something that I'm glad I set up.

After running this for a while, I’ve even managed to block a few more requests! I don’t expect to see much in here based on my home network, but it is nice to see it doing something.

pfSense Block DNS - Stats

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.
