Now that I have everything in place, I have my pfSense box block DNS requests made to servers external to my network.
This means that the firewall drops any DNS request sent to a host other than 127.0.0.1 (the pfSense box).
The main reasoning behind this is to prevent various types of malware or DNS hijacking attempts. Additionally, it allows me to make sure that all of my DNS requests are in one place for monitoring/logging.
To start, I set up a firewall rule to block ALL LAN traffic on port 53 (DNS).
Once that was in place, I set up a second firewall rule to allow any requests on port 53 to the pfSense box.
With those two rules in place, the firewall only allows port 53 traffic directed to the pfSense box.
Here are the final firewall rules in place. Note that the order matters, and the ALLOW needs to go before the DENY. The reason for this is that the rules are processed in order, first match wins; if the DENY were first, then even DNS traffic to the pfSense box would get blocked.
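To make the ordering point concrete, here is an added example (not code from the post) that models pfSense's first-match rule evaluation: GUI rules carry pf's `quick` keyword, so the first rule a packet matches decides, and anything matching no rule hits the interface's implicit deny. The addresses are constructed: the LAN is assumed to be 192.168.1.0/24 with the firewall at 192.168.1.1, a client at 192.168.1.50, and an external resolver at 192.0.2.53 (an RFC 5737 documentation address). The same two rules are evaluated in both orders, together with pfSense's stock "allow LAN to any" rule at the bottom.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for this example (not from the post).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
FIREWALL_LAN_ADDR = ipaddress.ip_address("192.168.1.1")   # assumed pfSense LAN address
EXTERNAL_RESOLVER = ipaddress.ip_address("192.0.2.53")    # stand-in for a public resolver
CLIENT = ipaddress.ip_address("192.168.1.50")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "pass" or "block"
    src_net: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Address] = None   # None = any destination
    dst_port: Optional[int] = None                # None = any port

    def matches(self, src, dst, dport):
        return (src in self.src_net
                and (self.dst is None or self.dst == dst)
                and (self.dst_port is None or self.dst_port == dport))


def evaluate(rules, src, dst, dport):
    """First matching rule decides (pfSense adds 'quick' to GUI rules);
    a packet that matches nothing is dropped by the implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action, rule.name
    return "block", "implicit default deny"


ALLOW_DNS_TO_FIREWALL = Rule("allow DNS to pfSense", "pass", LAN_NET, FIREWALL_LAN_ADDR, 53)
BLOCK_ALL_DNS = Rule("block all DNS", "block", LAN_NET, None, 53)
ALLOW_LAN_ANY = Rule("default allow LAN to any", "pass", LAN_NET)   # pfSense's stock LAN rule

CORRECT_ORDER = [ALLOW_DNS_TO_FIREWALL, BLOCK_ALL_DNS, ALLOW_LAN_ANY]
WRONG_ORDER = [BLOCK_ALL_DNS, ALLOW_DNS_TO_FIREWALL, ALLOW_LAN_ANY]


def dns_outcomes(rules):
    """Return the actions for: DNS to the firewall, DNS to an external
    resolver, and (as a control) HTTPS to an external host."""
    return (evaluate(rules, CLIENT, FIREWALL_LAN_ADDR, 53)[0],
            evaluate(rules, CLIENT, EXTERNAL_RESOLVER, 53)[0],
            evaluate(rules, CLIENT, EXTERNAL_RESOLVER, 443)[0])


if __name__ == "__main__":
    for label, rules in (("allow before block", CORRECT_ORDER),
                         ("block before allow", WRONG_ORDER)):
        print(f"{label}: (to firewall, to external DNS, to external HTTPS) = {dns_outcomes(rules)}")
```

With the ALLOW first, DNS to the firewall passes while DNS to the external resolver is blocked and other traffic is untouched; with the DENY first, the block rule matches the firewall-bound query before the allow rule is ever consulted, which is the failure the post warns about.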
To test this out, I set my DNS server to Google (22.214.171.124) and attempted an nslookup on google.com. As you can see, the request failed. To prove that it wasn’t a connection issue, I also pinged 126.96.36.199, which was successful.
All in all, a pretty simple solution, but something that I’m glad I set up.
After running this for a while, I’ve even managed to block a few more requests! I don’t expect to see much in here based on my home network, but it is nice to see it doing something.
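Since the point of the block rule is partly to see what tries to bypass the local resolver, here is an added example (not from the post) that counts blocked port-53 attempts from pfSense's filter log. It assumes the rule has logging enabled and that the log lines follow pfSense's documented filterlog CSV layout (nine common fields, then the IPv4 fields, then the TCP/UDP port fields); the sample lines are constructed, using the same assumed LAN (192.168.1.0/24, firewall at 192.168.1.1) and RFC 5737 addresses as external resolvers.

```python
import csv
import re
from collections import Counter

# Constructed filterlog lines (not real captures). Layout per pfSense docs:
# rule,subrule,anchor,tracker,iface,reason,action,direction,ipver,
# tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst, then
# sport,dport,datalen for UDP (TCP appends flags/seq/ack/... after that).
SAMPLE_LINES = [
    "Jan 10 12:00:01 pfSense filterlog[7321]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,31337,0,DF,17,udp,73,192.168.1.50,192.0.2.53,51234,53,53",
    "Jan 10 12:00:02 pfSense filterlog[7321]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,31338,0,DF,17,udp,73,192.168.1.50,192.0.2.53,51235,53,53",
    "Jan 10 12:00:03 pfSense filterlog[7321]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,4242,0,DF,6,tcp,60,192.168.1.77,198.51.100.9,40001,53,0,S,123456789,,65535,,mss",
    "Jan 10 12:00:04 pfSense filterlog[7321]: 6,,,1000000101,igb1,match,pass,in,4,0x0,,64,9,0,DF,17,udp,73,192.168.1.50,192.168.1.1,51236,53,53",
    "Jan 10 12:00:05 pfSense filterlog[7321]: 4,,,1000000102,igb1,match,pass,in,4,0x0,,64,1,0,none,1,icmp,84,192.168.1.50,192.0.2.53,request,1234,5",
]

# Strip the syslog prefix up to and including "filterlog[pid]: " if present.
SYSLOG_PREFIX = re.compile(r"^.*?filterlog(?:\[\d+\])?:\s*")


def parse_filterlog(line):
    """Parse one filterlog entry into a dict. Returns None for IPv6 and for
    protocols other than TCP/UDP, which this example deliberately skips."""
    payload = SYSLOG_PREFIX.sub("", line.strip(), count=1)
    fields = next(csv.reader([payload]))
    if len(fields) < 23 or fields[8] != "4":
        return None
    proto = fields[16].lower()
    if proto not in ("tcp", "udp"):
        return None
    return {
        "rule": fields[0],
        "tracker": fields[3],
        "iface": fields[4],
        "action": fields[6],
        "direction": fields[7],
        "proto": proto,
        "src": fields[18],
        "dst": fields[19],
        "sport": int(fields[20]),
        "dport": int(fields[21]),
    }


def summarize_blocked_dns(lines):
    """Count blocked packets destined for port 53, keyed by (src, dst, proto).
    Passed queries (e.g. to the firewall itself) are not counted."""
    events = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["dport"] == 53:
            events[(rec["src"], rec["dst"], rec["proto"])] += 1
    return events


if __name__ == "__main__":
    for (src, dst, proto), n in summarize_blocked_dns(SAMPLE_LINES).most_common():
        print(f"{src} -> {dst}:53/{proto}  blocked {n}x")
```

Feeding the real log in (for example the output of `clog /var/log/filter.log` on the firewall, piped into this script) gives a per-host view of which LAN devices are still configured to talk to outside resolvers, which is usually a misconfigured device or a hard-coded DNS setting rather than anything sinister, but it is exactly the thing worth a look.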
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.