What is the right way to use DNS?

Hi everyone,
First of all, I wish you a merry Christmas.

Some days ago I heard something which makes me really nervous. The reason is that someone said that using the DNS of my firewall (like pfSense) is the wrong way of doing it, because the DNS server running on my firewall could be a security issue.

I have deployed some pfSense boxes, which are running fine. But in most of the deployments the DNS Resolver built into pfSense is still active and handed out to the clients as their DNS server.

WAN → pfSense (IP: 192.168.“20/30/50”.1) → VLAN 20 // 30 // 50 etc.
So I created a rule in every network like:
Allow IPv4 TCP/UDP
Source VLANxx
Source Port *
Dest. Address VLANxx Address
Dest. Port 53

So my question is: is this the wrong way, running the DNS on my firewall?
Should I block this traffic and create a single DNS server, like Pi-hole or AdGuard?

The Networks are small - max. 50 Devices at the same time.

Maybe someone can give me a hint on how I can improve my setup.

Thanks a lot for helping me.

Mario

Did he say why this could be a security issue?
I believe that adding another DNS resolver other than unbound on pfSense could be a security risk.
Many folks install AdGuard Home on pfSense.
However, unbound is safe to use.

People who make statements without giving a reason as to why they make them are not always correct. Running DNS on pfSense is fine; if you want to enhance DNS by using pfBlocker, that is fine as well.


And to add on top of what Tom said: the real security issue is to let your clients reach ANY DNS they want. If a client is compromised, it usually tries to stealthily use a private DNS, and you must prevent that.
What you need to do is force your clients, with some firewall rules, to either A) use your own DNS (on pfSense, Pi-hole, etc.) or an official public DNS, or B) block any unauthorized DNS connections that are not what you want. For A), you can stealthily NAT the DNS requests to your own DNS so the client will not even know it has reached your DNS and not its own; for B), it is a simple blocking rule.
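The two options above, written out as a pf ruleset fragment. This is an added illustration and not code from the original post or from pfSense itself: pfSense generates its rules from the GUI (Firewall → NAT → Port Forward for the redirect, Firewall → Rules for the pass and block entries), but the pf it produces has this shape. The interface name vlan20, the network 192.168.20.0/24 and the resolver address 192.168.20.1 follow the topology in the question; the macro names are assumptions.

```pf
# Constructed example: lock VLAN 20 down to the firewall's own resolver.
# Interface and addresses follow the topology in the question; macro names are assumed.
vlan20_if  = "vlan20"
vlan20_net = "192.168.20.0/24"
resolver   = "192.168.20.1"     # unbound listening on the VLAN 20 interface address

# Option A: transparent redirect. pf applies NAT before filtering, so a client that
# hard-codes 8.8.8.8 (or any other resolver) is silently answered by our own unbound.
# The reply is un-NATed from the state table, so the client sees an answer coming from
# the address it asked. Clients already talking to $resolver are excluded by the "!".
rdr on $vlan20_if inet proto { tcp, udp } from $vlan20_net to ! $resolver port 53 -> $resolver port 53

# Plain DNS to the local resolver is allowed; this also matches the packets the rdr rewrote.
pass in quick on $vlan20_if inet proto { tcp, udp } from $vlan20_net to $resolver port 53

# Option B: explicitly block what the redirect cannot catch. DNS-over-TLS uses a dedicated
# port, so a port rule works. DNS-over-HTTPS hides inside 443 and cannot be told apart by
# port; that is a job for a resolver blocklist of known DoH endpoints, not a firewall rule.
block return in log quick on $vlan20_if inet proto tcp from $vlan20_net to any port 853

# Belt and braces: any port-53 traffic that somehow escaped the redirect is dropped and
# logged instead of being forwarded to the internet.
block return in log quick on $vlan20_if inet proto { tcp, udp } from $vlan20_net to any port 53
```

To check the redirect from a client, query a name that only your own resolver knows (a DHCP-registered hostname or an unbound host override) while pointing at a public address, for example `dig @8.8.8.8 somehost.localdomain`. If it resolves, the answer came from your unbound, not from Google; a `connection refused` on `dig @8.8.8.8 +tcp -p 853` style probes confirms the DoT block. The `log` keyword makes escaped queries show up in the firewall log, which is exactly the signal you want from a compromised client that tries its own resolver.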

Hi,

thanks for your reply. It was only said that a “firewall” should only route traffic, and that you should never install any other service on a firewall. So it was recommended to create an additional DNS server like Pi-hole or AdGuard.

Did he say why this could be a security issue?

But I could not understand why it is better to spin up a second “server” for providing DNS.
That’s the reason why I am asking.

So I tried to ask some other professionals how they handle the DNS queries.

What you need to do is force your clients, with some firewall rules, to either A) use your own DNS (on pfSense, Pi-hole, etc.) or an official public DNS, or B) block any unauthorized DNS connections that are not what you want. For A), you can stealthily NAT the DNS requests to your own DNS so the client will not even know it has reached your DNS and not its own; for B), it is a simple blocking rule.

Thanks a lot for letting me know. I think I haven’t implemented rule A. So I will do it as soon as possible.

By the way, do you have some experience using it with “Google Nest” devices? Do they work?

Thanks a lot for helping

EDIT: Sorry, haven’t found the “Blockquote” button

Keep in mind that you add an extra point of failure this way.
You will have no internet if the firewall goes down OR if the extra dns server goes down. Twice the chances to lose internet.

It also depends on the network itself. If it’s a business network that’s running Active Directory and has a local domain controller, clients should really just use the IP address of that domain controller for their DNS: not the firewall, not the ISP’s DNS, not any other public DNS servers. And it is best for the security of the office network to lock down DNS to…whatever it is you choose.

If there is no domain controller, you’re left with having to manage internal name resolution somehow. Network browsing can get pretty messy with a “master browser” elected…when it comes to peer-to-peer networks. So this is where a firewall’s DNS server service can come in handy, to take over the role of DNS for the network (which is done by the domain controller when you have a network set up on Active Directory). So this is where utilizing a router’s DNS server service can come in handy.