Public pfSense don't resolve external DNS lookups


Solution 1

Ensure that Network Interfaces is set to All in Services > DNS Resolver

Then add a rule like the below in Firewall > Rules > Wan:

[screenshot of the WAN firewall rule allowing DNS on port 53]

Solution 2

You don't want it allowing external DNS lookups. The built-in DNS Forwarder and Resolver are strictly for providing name resolution for your internal machines. If you want a public name server, use something that's designed to be a public name server: the BIND package if you must run it on the firewall, but it's best to use a service provider or something on a separate server.

Your note on another comment that you switched to DNS Forwarder and opened it to the entire Internet means it's only a matter of hours likely until you're being used as part of a reflected DNS amplification DDoS attack, because you opened a recursive DNS resolver to the world. Take that rule off WAN so no one from the Internet can reach port 53. And you'd be better off switching back to Resolver, Unbound replies with "query refused" for good reason - its built-in ACL capabilities help ensure you're not able to make yourself open to flooding garbage traffic as part of a DDoS.
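To show concretely what the answer above means by Unbound's built-in ACL, here is an added example (not from the thread, pfSense or Unbound itself) that applies Unbound's access-control semantics to a client source address and combines the result with the WAN firewall rule from Solution 1. The two ACL fragments and the 203.0.113.x/192.168.1.x addresses are constructed assumptions.

```python
import ipaddress

# Constructed Unbound access-control fragment mirroring the thread: LAN and
# localhost are allowed, everything else gets REFUSED (Unbound's own default
# for a source that matches no line is also "refuse").
RESOLVER_ACL = """
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
access-control: 192.168.1.0/24 allow
"""

# Constructed stand-in for the "switched to DNS Forwarder" situation from the
# comments: no source-based refusal at all, so every reachable client is answered.
FORWARDER_ACL = "access-control: 0.0.0.0/0 allow"


def parse_acl(text):
    """Return (network, action) pairs from 'access-control:' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        net, action = line[len("access-control:"):].split()
        rules.append((ipaddress.ip_network(net, strict=False), action))
    return rules


def resolver_action(rules, client_ip, default="refuse"):
    """Unbound semantics: the most specific (longest-prefix) matching netblock
    decides; a source that matches nothing gets the built-in default, refuse."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else default


def exposure(wan_passes_53, acl_text, client_ip):
    """Combine both layers: the WAN firewall rule and the resolver ACL.
    A query is only answered for an Internet client when the firewall passes
    port 53 AND the ACL allows the source; that combination is an open resolver."""
    if not wan_passes_53:
        return "blocked by firewall"
    action = resolver_action(parse_acl(acl_text), client_ip)
    return "answered" if action == "allow" else action
```

Running `exposure(True, FORWARDER_ACL, "203.0.113.9")` returns "answered", which is the state the answer warns is abusable for amplification, while the Resolver ACL returns "refuse" for the same client.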

Updated on September 18, 2022

Comments

  • Vladimir
    Vladimir almost 2 years

    I have pfSense with an external IP and the Unbound DNS Resolver running on it. When I send a query from the internal network, it replies, but when I send a query from an external machine it doesn't reply.

    Internal:

    nslookup mydomain.com 192.168.1.1

    External:

    nslookup mydomain.com external_ip
    DNS request time out.

    DNS Resolver listens to all interfaces.

    • Joshua Griffiths
      Joshua Griffiths almost 8 years
      Are you allowing 53/UDP to the WAN interface?
    • Vladimir
      Vladimir almost 8 years
      Where can I do it? I thought it's open for DNS by default.
    • Joshua Griffiths
      Joshua Griffiths almost 8 years
      I believe that the WAN is not open for DNS by default (most users do not want this). Look at Firewall > Rules > WAN.
    • Vladimir
      Vladimir almost 8 years
      Indeed it seems to be closed. I have forwarded port 53 to 127.0.0.1 %). Now I get "Query refused", but it's better than no reply. Thank you.
  • Vladimir
    Vladimir almost 8 years
    Yes, that's much better than port forwarding. Thank you, it works. Also I had to replace the DNS Resolver with the DNS Forwarder service, so now I receive replies instead of "Query refused".
  • Chris Buechler
    Chris Buechler almost 8 years
    This is not a good idea, and potentially very dangerous, for the reason I noted in my answer.
  • Joshua Griffiths
    Joshua Griffiths almost 8 years
    Correct and well noted; however there are legitimate use cases (e.g. private WAN)
  • Vladimir
    Vladimir almost 8 years
    I wonder if I can put bind:53 on WAN and dnsmasq:53 on LAN?
  • Chris Buechler
    Chris Buechler almost 8 years
    Yes you can put BIND on port 53 on WAN, and dnsmasq or unbound on LAN.
  • Vladimir
    Vladimir almost 8 years
    I turned on BIND on WAN, but it doesn't respond. Should I use the rule to open port 53 on WAN as described above?
  • Chris Buechler
    Chris Buechler almost 8 years
    Yes if you have BIND and want it to answer on WAN, TCP/UDP 53 must be allowed in the WAN rules.
  • Vladimir
    Vladimir over 7 years
    For some reasons I want to make a public DNS server which resolves any request to a single IP address. So what if I turn on "DNS Forwarder", open port 53 on WAN, and set the config to "address=/#/1.1.1.1"; would that also be unsafe?