
Author Topic: pfSense 2.0 RC3 (x64) blocking legitimate DNS traffic?

geeknik
pfSense 2.0 RC3 (x64) blocking legitimate DNS traffic?
« on: August 30, 2011, 03:44:02 pm »
I don't know how far back this goes, but I know for at least the last week I've had to add rules to my firewall to allow port 53 responses from the OpenDNS resolvers (208.67.222.222 and 208.67.220.220). While these responses were being blocked, I wasn't noticing any abnormal network issues; however, I think I know why pfSense is blocking some port 53 responses from OpenDNS, and it's EDNS. I think pfSense is assuming a maximum DNS message length of 512 bytes and is blocking longer DNS packets. This will need to be addressed, though, because OpenDNS and Google have announced a "Global Internet Speedup Initiative". http://www.opendns.com/about/announcements/229/

cmb (Chris Buechler)
Re: pfSense 2.0 RC3 (x64) blocking legitimate DNS traffic?
« Reply #1 on: August 30, 2011, 08:30:53 pm »
Packet size has no relation to whether reply DNS traffic is permitted. Anything that comes back as a response flipping the original source and dest IPs and ports will be allowed back through the original state as long as that state still exists.

geeknik
Re: pfSense 2.0 RC3 (x64) blocking legitimate DNS traffic?
« Reply #2 on: August 31, 2011, 02:44:22 pm »
Hmm. Beyond whitelisting the resolver IPs, what else can I do to ensure the statefulness of the packets? And as a side note, a friend of mine who uses m0n0wall says he has the same problem, but only with OpenDNS as well.

cmb
Re: pfSense 2.0 RC3 (x64) blocking legitimate DNS traffic?
« Reply #3 on: September 01, 2011, 01:50:58 am »
m0n0wall has an older version of dnsmasq and it's probably related to that if it's the DNS forwarder. I don't think ipfilter has any intelligence with DNS response sizes either.

You'd have to see if the state is indeed still there, and check the response to see if it's sane and should match that state.
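The two points made in this thread, that a pf-style state table passes a reply purely on the mirrored 5-tuple (Reply #1) and that the way to debug is to confirm the state still exists and that the reply is a sane answer to the original query (Reply #3), are easy to model. The block below is an added example in Python, not pfSense, pf or dnsmasq code: a toy stateful UDP filter, a query builder that attaches an EDNS0 OPT record advertising a 4096-byte UDP payload, a padded response well over 512 bytes, and a sanity check that ties a response back to its query. The client address 192.0.2.10, source port 40000, the name example.com and the 60-second UDP timeout are assumptions chosen for the demo; 208.67.222.222 is the OpenDNS resolver named in the first post. All packets are constructed inline.

```python
"""Toy model of stateful UDP filtering for DNS plus a response sanity check.
Added example, not pfSense/pf code. Addresses, ports and timeouts are assumed."""
import struct

RESOLVER = "208.67.222.222"   # OpenDNS resolver named in the thread
CLIENT = "192.0.2.10"         # hypothetical LAN host (RFC 5737 documentation range)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid, name, edns_size=4096):
    """Standard query (RD set, one question) with an EDNS0 OPT pseudo-record in
    the additional section advertising acceptance of UDP messages larger than
    the classic 512-byte limit (CLASS field of OPT carries the payload size)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)          # A, IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)       # root, OPT, size, TTL/flags, RDLEN
    return header + question + opt


def build_response(txid, name, answer_count=60):
    """Response echoing the question, padded with many A records so the whole
    message exceeds 512 bytes (the case the original poster suspected was blocked)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, answer_count, 0, 0)   # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # name ptr to offset 12
    return header + question + rr * answer_count


class StatefulUdpFilter:
    """Reply #1 in code: an outbound datagram creates a state keyed on the
    5-tuple; an inbound datagram is passed if its tuple is the exact mirror of
    an unexpired state. Payload length never enters the decision."""

    def __init__(self, udp_timeout=60):
        self.states = {}          # (src, sport, dst, dport) -> expiry timestamp
        self.timeout = udp_timeout

    def outbound(self, src, sport, dst, dport, now):
        self.states[(src, sport, dst, dport)] = now + self.timeout

    def inbound(self, src, sport, dst, dport, payload, now):
        key = (dst, dport, src, sport)          # flip source and destination
        expiry = self.states.get(key)
        if expiry is None or expiry < now:
            self.states.pop(key, None)          # expired states are purged
            return False, "blocked: no matching state"
        return True, "passed (%d bytes)" % len(payload)


def question_end(msg):
    """Offset just past the first question (name + QTYPE + QCLASS), or None if
    the name uses compression, which a question section should not."""
    i = 12
    while msg[i] != 0:
        if msg[i] & 0xC0:
            return None
        i += msg[i] + 1
    return i + 1 + 4


def response_matches_query(query, response):
    """Reply #3's 'is the response sane' check: same transaction ID, QR bit set,
    and the question section echoed byte-for-byte."""
    if len(query) < 12 or len(response) < 12:
        return False, "truncated header"
    qid = struct.unpack("!H", query[:2])[0]
    rid, rflags = struct.unpack("!HH", response[:4])
    if qid != rid:
        return False, "transaction id mismatch"
    if not rflags & 0x8000:
        return False, "QR bit not set: not a response"
    end = question_end(query)
    if end is None or response[12:end] != query[12:end]:
        return False, "question section differs"
    return True, "ok"


def demo(now=1000.0):
    """Walk the scenario from the thread: client sends an EDNS query, resolver
    answers with a >512-byte message; show which inbound datagrams pass."""
    fw = StatefulUdpFilter()
    q = build_query(0x1234, "example.com")
    fw.outbound(CLIENT, 40000, RESOLVER, 53, now)
    big = build_response(0x1234, "example.com")
    results = {}
    results["big_reply"] = fw.inbound(RESOLVER, 53, CLIENT, 40000, big, now + 1)
    results["big_reply_sane"] = response_matches_query(q, big)
    results["wrong_id"] = response_matches_query(q, build_response(0x9999, "example.com"))
    results["unsolicited"] = fw.inbound(RESOLVER, 53, CLIENT, 40001, big, now + 1)
    results["expired"] = fw.inbound(RESOLVER, 53, CLIENT, 40000, big, now + 120)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The model passes the 989-byte reply because the tuple mirrors the state, and blocks the same bytes when they arrive on a port with no state or after the state has timed out; size is never consulted. On a real pfSense box the equivalent checks are `pfctl -ss | grep ':53'` to see whether the UDP state for the query still exists, and `tcpdump -ni <wan-if> udp port 53` to confirm the reply actually arrives with the source and destination swapped relative to the query.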