Strange behavior with DNS requests under FreeBSD 10.3 with pf enabled

C. L. Martinez carlopmart at gmail.com
Wed Jun 22 07:53:57 UTC 2016


Hi all,

 I have detected a strange behavior with my FreeBSD 10.3 (fully patched) PF based firewall. With some DNS requests, pf denies the connection, but with others not. For example, if I do a query about www.oracle.com or www.microsoft.com, all works ok. But if I do a query about www.freebsd.org or www.openbsd.org, the request is denied:

00:00:02.610710 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 23787, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.8.8.53 > 172.30.77.2.50068: 5832$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
00:00:27.493700 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 38872, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.8.8.53 > 172.30.77.2.64953: 20142$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
00:00:02.699902 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 41109, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.8.8.53 > 172.30.77.2.59317: 29961$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
00:00:27.482112 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 46875, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.4.4.53 > 172.30.77.2.65447: 9845$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
00:00:00.280886 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 12677, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.8.8.53 > 172.30.77.2.58368: 4177$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
00:00:02.421382 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 57858, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.4.4.53 > 172.30.77.2.61071: 62867$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]

 It is really strange. I am using an internal unbound DNS cache server installed on a Debian host and I have configured Google's DNS servers, 8.8.8.8 and 8.8.4.4, as forwarders. I have tried to disable these forwarders in unbound's config, but the same error occurs.

 Any idea why??

 Thanks.
-- 
Greetings,
C. L. Martinez
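An added example, not part of the original post: a small parser for the pflog/tcpdump output quoted above that pairs each header line with its address line and pulls out what the blocked entries share (UDP replies from port 53, the IP more-fragments flag shown as `flags [+]`, length 1492, and DNSKEY/RRSIG records in the answer). The sample log is a constructed fixture that reuses lines from the post plus one made-up non-DNS block for contrast; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed fixture in the pflog/tcpdump format quoted in the post. The first two
# pairs reuse values from the post; the third is a made-up non-DNS block for contrast.
SAMPLE_LOG = """\
00:00:02.610710 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 23787, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.8.8.53 > 172.30.77.2.50068: 5832$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
00:00:27.482112 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 46875, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.4.4.53 > 172.30.77.2.65447: 9845$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
00:00:05.000000 rule 12..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 60, id 100, offset 0, flags [DF], proto UDP (17), length 80)
    203.0.113.9.40000 > 172.30.77.2.22: UDP, length 52
"""

HEADER_RE = re.compile(
    r"^\S+ rule (?P<rule>\d+)\.\.\S+\(match\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifc>\w+): \(.*?offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\)"
)
DETAIL_RE = re.compile(
    r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<payload>.*)$"
)

@dataclass
class BlockedPacket:
    rule: int
    src: str
    sport: int
    dport: int
    length: int            # total IP length as printed by tcpdump
    more_fragments: bool   # IP MF bit, shown by tcpdump as flags [+]
    frag_offset: int
    dnssec_records: bool   # DNSKEY or RRSIG present in the decoded DNS answer

def parse_pflog(text):
    """Pair each pflog header line with the address/payload line that follows it."""
    packets, lines = [], text.splitlines()
    for i in range(len(lines) - 1):
        h, d = HEADER_RE.match(lines[i]), DETAIL_RE.match(lines[i + 1])
        if not (h and d):
            continue
        packets.append(BlockedPacket(
            rule=int(h["rule"]), src=d["src"], sport=int(d["sport"]), dport=int(d["dport"]),
            length=int(h["length"]), more_fragments="+" in h["flags"],
            frag_offset=int(h["offset"]),
            dnssec_records=bool(re.search(r"\b(DNSKEY|RRSIG)\b", d["payload"]))))
    return packets

def fragmented_dns_replies(packets):
    """Blocked replies from UDP/53 that are IP fragments: the pattern in the post's log."""
    return [p for p in packets if p.sport == 53 and (p.more_fragments or p.frag_offset > 0)]
```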


More information about the freebsd-questions mailing list