Using pfSense NAT Rules to Redirect DNS Requests When the Device Itself Won't Let You
This is a continuation of my posts on Network Security.
In the last post I explained how to disable IPv6 on pfSense and then how to completely stop the traffic that was still being logged after IPv6 was disabled.
In this post I'll show you how to redirect DNS requests to your preferred DNS provider. Note that this does not cover DNS over HTTPS (DoH) requests, which I simply block.
Maybe I'll write more about DoH later.
This solution also helps with the Google DNS bypass I wrote about earlier, unless of course it's DoH. Once you block DoH, Google seems to fall back to standard DNS, so this resolves that issue as well by redirecting the traffic to your preferred DNS servers instead.
This solution could also potentially help you spot DNS connections from malware to alternate DNS servers, since every query the rule rewrites shows up in the firewall's state table and logs with its original destination.
You'll need to do your own testing to make sure this works as expected and doesn't break things on your network.
NAT Port Forward to Overcome Hardcoded DNS Servers
One of the things that really annoys me about some IoT and Wi-Fi devices is that they won't let you point them at your preferred DNS servers. I wrote about why I like to use Cloudflare's DNS in an earlier post.
I can usually force these devices to use the DNS server I want by creating NAT rules on pfSense that redirect any DNS traffic destined for other servers to Cloudflare instead.
To configure a NAT rule for this purpose navigate to:
> Firewall > NAT
Here's an example of how I configure that rule for a particular port I named PORT1 (a pfSense alias). The rule is a Port Forward entry on the LAN interface, protocol TCP/UDP (not just UDP, since DNS retries large answers over TCP), destination port 53 (the PORT1 alias), with the redirect target set to the Cloudflare resolver on port 53. Leave the filter rule association enabled so pfSense creates the matching pass rule for you.
I've seen problems and attacks on DNS forwarders and resolvers, and I'd rather divvy up the DNS portion of networking to go straight to Cloudflare and let my firewall handle other things. I don't resolve DNS for devices using my firewall, though that could reduce traffic destined for the Internet.
I can use a similar approach to redirect annoying ICMP traffic from devices that constantly send pings over the Internet, by redirecting that traffic to my firewall instead and allowing it to respond.
These rules might not work if a vendor is specifically trying to reach their own servers, but usually it's just a simple device trying to figure out whether it's connected to the Internet or to resolve domain names. Why these hosts need to be hard-coded to particular DNS servers is not clear to me. They could just use DHCP and whatever DNS server is provided by the local network, but in any case, this resolves the issue 99% of the time so I can create fewer firewall rules and have a less complex network.
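As an added example (mine, not from the original post), here is what the port forward above amounts to in pf rule terms, together with a small shell check that reads pfSense's state table and lists which LAN hosts had their DNS queries rewritten, which is the "spot hard-coded or malware DNS" use mentioned earlier. The interface name igb1, the LAN subnet 192.168.1.0/24, and the sample state lines are assumptions I constructed, not values from the post or from a real system.

```shell
#!/bin/sh
# Added example by the editor, not code from the original post.
# igb1, 192.168.1.0/24 and the sample states below are assumptions.
#
# The Firewall > NAT > Port Forward rule described above corresponds to a pf
# rdr rule of this shape (pfSense writes its generated rules to /tmp/rules.debug):
#
#   rdr on igb1 proto { tcp udp } from 192.168.1.0/24 to ! 1.1.1.1 port 53 -> 1.1.1.1 port 53
#
# TCP is included deliberately: DNS falls back to TCP for large answers, and a
# UDP-only rule would let those reach the hard-coded server untouched.
# The "! 1.1.1.1" exclusion (my choice, "Invert match" on the destination in the
# UI) leaves queries already aimed at Cloudflare alone, so only clients that tried
# to go elsewhere create rewritten states and show up in the list below.

# Read "pfctl -ss" output on stdin and print "<client> <hard-coded server>" for
# every DNS flow the rdr rule rewrote. pf displays a rewritten destination as
#   <translated dst> (<original dst>) <- <client>
# so the parenthesised address is the tell-tale of a redirected flow.
redirected_dns_clients() {
  awk '
    $3 ~ /:53$/ && $4 ~ /^\(.*\)$/ && $5 == "<-" {
      orig = substr($4, 2, length($4) - 2)   # drop the surrounding parentheses
      sub(/:[0-9]+$/, "", orig)              # strip the port, keep the server address
      client = $6
      sub(/:[0-9]+$/, "", client)            # strip the client source port
      print client, orig
    }'
}

# Constructed sample of "pfctl -ss" output (not captured from a real firewall):
# two hosts with hard-coded Google DNS, one host already using Cloudflare directly,
# and one unrelated HTTPS flow that must be ignored.
SAMPLE_STATES='all udp 1.1.1.1:53 (8.8.8.8:53) <- 192.168.1.50:55002       MULTIPLE:SINGLE
all tcp 1.1.1.1:53 (8.8.4.4:53) <- 192.168.1.51:40112       ESTABLISHED:ESTABLISHED
all udp 1.1.1.1:53 <- 192.168.1.60:53311       MULTIPLE:SINGLE
all tcp 142.250.72.206:443 <- 192.168.1.50:44020       ESTABLISHED:ESTABLISHED'

# Run the parser over the sample. On a pfSense box the live equivalent is:
#   pfctl -ss | redirected_dns_clients | sort -u
hardcoded_dns_hosts() {
  printf '%s\n' "$SAMPLE_STATES" | redirected_dns_clients | sort -u
}

hardcoded_dns_hosts
```

The check only sees what the rdr rule saw: a device using DoH talks to port 443 and never matches a port 53 rule, which is why the post blocks DoH separately rather than trying to redirect it.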
Teri Radichel
© 2nd Sight Lab 2022