how to block devices from bypasssing firewalla DNS?
I noticed that by default, firewall gold, allow devices to use their own DNS and bypass firewalla's local server. I also tried to add a rule blocking remote port 53 from being accessed by a device but it seems to not get blocked.
any solutions?
-
no it is a farily standard setup...
in my example,
- I have set firewalla DNS to DOH against opendns. (I have a custom profile in opendns which allow me to filter specific types)
- firewalla's DHCP service is configured to have the devices on the LAN use firewalla 192.168.0.1 as their own DNS
- for testing purpose I changed manually the configuration of one of the device to ignore DHCP and use 1.1.1.1 (cloudflare) as their DNS provider
and it works & bypass firewalla... the PC resolves using cloudflare.
I would have expected firewalla to intercept all dns traffic from any devices on the LAN going to an address different from the one I specified in DHCP (firewalla itself: 192.168.0.1) and block it (quick and dirty) or redirect it transparently to firewalla (more elegant).
obviously this only applies to standard DNS protocol, not DoH and probably not DNSSec.
Ideally, I would have expected firewalla to intercept any
-
This should be happening. Firewalla will intercept DNS unless you turned it off. (DNS booster). If you haven't, best send an email to help@firewalla.com, so we can take look inside.
-
Was this issue ever resolved? I just received my firewalla today and noticed that some of my IoT devices are bypassing my existing pi hole setup. I created a rule to block port 53 from all devices to stop this behavior, and it doesn't seem to have any effect. Is there something else that needs to be blocked in order to stop DNS requests from going out?
-
Thanks for the quick reply! I received my Firewalla Gold yesterday and have it set up in router mode, using 172.16.0.1/24 - no VLANs or anything else (yet). I run DHCP and DNS off of the pi-hole on 172.16.0.2. I'm getting a ton of blocks on the pi-hole for device-metrics-us.amazon.com from various Alexa devices, but the FWG alerted me to abnormal uploads from several devices to the same host.
I'm guessing there's a secondary DNS hardcoded into the devices, so my goal was to block all outbound DNS requests except those originating from the pi-hole. To start that process, I created a rule to block port 53 outbound from all devices, but it had no effect - I continued to be able to resolve all domains, even those I had never hit before (tested by googling random phrases and then clicking on search results that I would have never been to before so they weren't cached).
TL;DR: Overall, my goal is to block all DNS outbound except from 172.16.0.2 - tried blocking port 53 but it didn't make a difference. Is there something else that needs to be blocked?
Thanks!
-
What you have is, the DNS service is on the same LAN segment as your devices. This means firewalla will only see DNS queries from the pi-hole device, and not your LAN devices.
If the devices are using a hard-coded (or their own DNS), pi-hole will not be able to catch it. pi-hole is NOT a data path device. Firewalla should be able to see all DNS queries and filter it. (Given you did not turn off DNS booster). Also, Firewalla is a bit different than pi-hole; Firewalla focus is network flows (data that's actually transferred on the network), so the network flow logs are really traffic logs.
It may not be possible to block all devices' DNS queries except from 172.16.0.2
1. Some devices may be using DNS over HTTPS. Which is encrypted ...
2. Some devices may use an out-of-band DNS query, using whatever protocol they have.
As of blocking port 53, I need to go and see if there are any safety in the system that may be preventing this. Will reply to this thread later.
-
@Dave
Can you send email to help@firewalla.com and share us remote support?
We'd like to take a look at your network setup to understand the problem better.
-
I just saw this post and I wondered what happened with this. Because I actually think it was something much more simple that I would imagine still happen today. Basically every iot device which is android or its “relatives” (amazon) i is configured with a DNS server aimes at google DNS server 8.8.8.8. I wanted to block the this and the other one On all devices but it is impossible because the hierarchy of blocks is opposite to what it should be. The bill in the block all devices is limited to Domains becasue implemented by not resolved. Anything else that you set for all devices you can forget about it I have a post about this and an example unfortunately nothing has been done so far and we’ve moved onto the next bug. I don’t even know if anyone is planning to fix it. The issue is that if you want to limit or block traffic you have to do it on a group level and make sure you have no overlapping allows on that level because the blocks are at the end of the priority list of hierarchies. It’s really absurd that you have to block on group level each and every group for all devices anything that is not a Domain, because if you do it anywhere hire you have any kind of a allow of rules it means nothing. There are quite a flawed of these slug designer shoes unfortunately It’s an egress firewall and that should not be misleading mean thinking you are blocking something when you do it on devices and actually nothing happened. Hopefully someone will pick this song feels to be more and more than this is like a toy with cool features not very secure.
-
@Matt,
Firewalla automatically takes over all UDP 53 requests and forwards them to the configured upstream DNS (the upstream DNS could be your pi-hole)
So technically it's already "only allow pi-hole to make outbound DNS queries". You don't have to add any explicit blocking rules on 53.
-
I thought I would add to this as it's much more complicated with smart phones and similar devices.
- I have my Firewalla setup to use the following DNS servers to block malware 1.1.1.2 and 1.0.0.2
- I tested and cannot browse to https://malware.testcategory.com/ (expected)
I then wanted to see what happened when i changed my phone to 8.8.8.8 to bypass the firewall's DNS. I've read in multiple areas that firewalla will redirect the DNS.
- I enabled the following rule Block DoH Services turned on for my phone.
- DNS Booster turned on all devices.
- After making the change i can now browse to https://malware.testcategory.com/ which is not intended.
Looking through the logs i found the following..
- My Phone tries to use DoH dns.google TCP 443 which is blocked..
- But my phone then uses DoH dns.google UDP 443 which is not blocked. ( i guess the DoH services only block TCP and not UDP?
- After that that and my phone tries to use DoT instead of DoH which is port 853.
There needs to be a rule / list to block all known DoT / DoH domains and it needs to be for both UDP and TCP traffic.
Once i blocked both the DoT / DoH traffic then my devices get redirected to the firewalla as expected.
-
I too am having this issue. Users who know how to manually enter a DNS IP into their devices are able to circumvent the PiHole that blocks certain URLs. I tested the Gold about a year ago and sent it back because of this lack of traffic control. I was told by support that Firewalla was more interested in making their rules simpler than the rules you find in a commercial product, but the rules in a commercial product actually work in this scenario and many other complex ones. I find myself testing again another product now (Purple) a year later to see if anything has improved with the rules, but it seems the limits still apply. I'm honestly not trying to dog the product, i'm only speaking the fact that the way rules are written limits those of us who want to actually write a complex rule to keep our devices away from certain websites for various reasons.
I am certainly not a developer by any means, but i do understand network security fairly well. If there was a way to write a "Custom Rule" that could be put in the order of my choosing, such as before all others, I could write the rule to say "Trusted Devices Group" Denied to go to the internet on port TCP/UDP-53 for any reason. And then write a device rule for my pihole to allow device access to 1.1.1.1:53, then that should solve the problem.
Tonight, I find myself trying to write my rules in a texteditor based on groupings by type. i.e. Device, Group, Network, & Global to try and solve this problem, but am not having any luck. I've got a couple of weeks left before my return period is up. Hopefully we can find a solution before than and i don't have to go back to Sophos.
Come On Dev Folks! Let's figure it out this 2+year old thread! :)
-
My DNS Booster is on. I've checked it. My DHCP scope on the Firewalla is handing out the IP of the Pihole server to DHCP clients successfully. None of that is in question just so we are on the same page.
The challenge is when a device user, manually changes the DNS IP of their device from the one assigned by DHCP (i.e. Pihole) and puts in their own. (i.e. 8.8.8.8). Maybe Firewalla is supposed to intercept that and do something with it, but it doesn't. Instead, it is allowed to go straight to the internet and bypass the pihole entirely.
How do we block devices from using any DNS IP other than the one for the pihole server?
-
I've configured a rule as you suggested on my laptop device, and have configured my laptop manually for public DNS (8.8.8.8). What is now interesting is that the Flows show that when i use this DNS provider, the Flows show it is blocked in the log. However, my laptop is still very capable of performing a NSLOOKUP on multiple domains that i just made up. (i.e. sites that I know i do not have cached in my dns cache locally.).See the attached images.Thoughts??
-
Now that the communication is blocked the UDP traffic might be getting redirected to the firewalla or through your pihole which is responding.
Check the pihole interface to see if you're seeing DNS requests from the firewalla.
It might be confusing because the firewalla is responding and or forwarding the DNS request to the pihole.
So pick a strange domain to do a DNS lookup on something new
-
Dude! That worked! Pihole is getting the requests now even though i've changed my DNS to a public one. Thanks a ton! I've changed my rule to affect "All Devices" so i'll run more tests tomorrow just to make sure its working across many devices. But its looking good so far.
My next question is why doesn't support know how to do this? I've been going back and forth with them over the last 2 days on this trying to get to this solution. Not trying to belittle anyone of course. Honest question.
@Support, If this is the preferred solution when Pihole is in the mix, i would suggest maybe updating the pihole documentation to reflect this solution for others to benefit from. :)
-
I'm assuming the all devices rule may block your pihole from doing DNS requests unless the firewalla is smart enough to auto add an exception for it.
If so, you may need to add an additional allow rule for the pihole to talk to the upstream DNS server. 🤷♂️
Good luck, glad this helped 👍
**Fixed wording**
Please sign in to leave a comment.
Comments
27 comments