Strange behavior with DNS requests under FreeBSD 10.3 with pf enabled

C. L. Martinez carlopmart at gmail.com
Wed Jun 22 08:56:01 UTC 2016


On Wed 22.Jun'16 at  7:53:47 +0000, C. L. Martinez wrote:
> Hi all,
> 
>  I have detected a strange behavior with my FreeBSD 10.3 (fully patched) PF based firewall. With some dns requests, pf denies the connection, but with others not. For example, if I do a query about www.oracle.com or www.microsfot.com for example, all works ok. But if I do a query about www.freebsd.org or www.openbsd.org, request is denied:
> 
> 00:00:02.610710 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 23787, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.8.8.53 > 172.30.77.2.50068: 5832$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:27.493700 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 38872, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.8.8.53 > 172.30.77.2.64953: 20142$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:02.699902 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 41109, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.8.8.53 > 172.30.77.2.59317: 29961$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:27.482112 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 46875, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.4.4.53 > 172.30.77.2.65447: 9845$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:00.280886 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 12677, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.8.8.53 > 172.30.77.2.58368: 4177$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 00:00:02.421382 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 57858, offset 0, flags [+], proto UDP (17), length 1492)
>     8.8.4.4.53 > 172.30.77.2.61071: 62867$ 7/0/1 org. DNSKEY, org. DNSKEY, org. DNSKEY, org. DNSKEY, org. RRSIG, org. RRSIG, org. RRSIG[|domain]
> 
>  It is really strange. I am using an internal unbound dns cache server installed on a Debian host and I have configured Google's DNS servers, 8.8.8.8 and 8.8.4.4, as forwarders. I have tried to disable these forwarders in unbound's config, but same error occurs.
> 
>  Any idea why??
> 
>  Thanks.
> -- 
> Greetings,
> C. L. Martinez

Ok, question solved. Problem was with my scrub rules. Adding:

scrub all reassemble tcp fragment reassemble no-df random-id

 ... problem solved.

Thanks.

-- 
Greetings,
C. L. Martinez
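The dropped packets in the quoted log are all the first fragment (`offset 0`, `flags [+]`, length 1492) of a DNSSEC-sized UDP reply for `org.`, which pf cannot match to the outbound query's state unless fragments are reassembled with `scrub ... fragment reassemble`. The following script is an added example, not code from the thread: it parses pflog/tcpdump block lines of that shape over constructed sample input and separates whole datagrams from first and later fragments, so the reassembly symptom can be spotted before changing the ruleset.

```python
import re

# Constructed sample lines shaped like the pflog output quoted in the thread:
# a first fragment of a DNSKEY reply, its trailing fragment, and a small
# unfragmented A-record reply for comparison.
SAMPLE_LOG = """\
00:00:02.610710 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 23787, offset 0, flags [+], proto UDP (17), length 1492)
    8.8.8.8.53 > 172.30.77.2.50068: 5832$ 7/0/1 org. DNSKEY, org. RRSIG[|domain]
00:00:02.700000 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 52, id 23787, offset 1472, flags [none], proto UDP (17), length 140)
    8.8.8.8 > 172.30.77.2: ip-proto-17
00:00:05.000000 rule 29..16777216/0(match): block in on vtnet1: (tos 0x0, ttl 54, id 100, offset 0, flags [DF], proto UDP (17), length 80)
    8.8.8.8.53 > 172.30.77.2.40000: 1234 1/0/0 A 192.0.2.10
"""

# Matches the "rule N... block DIR on IF: (tos ..., id, offset, flags, proto, length)" prefix.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)\S* block (?P<dir>in|out) on (?P<ifname>\S+): "
    r"\(.*?id (?P<ipid>\d+), offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\)"
)

def classify(log_text):
    """Return one dict per blocked packet with a fragment verdict in 'kind'."""
    out = []
    for m in LINE_RE.finditer(log_text):
        offset, more = int(m["offset"]), "+" in m["flags"]   # '+' is tcpdump's MF marker
        if offset == 0 and not more:
            kind = "whole"           # unfragmented datagram: not a reassembly problem
        elif offset == 0:
            kind = "first-fragment"  # carries the UDP header but MF is set
        else:
            kind = "later-fragment"  # no L4 header at all, so no state can match it
        out.append({"rule": int(m["rule"]), "ifname": m["ifname"], "ipid": int(m["ipid"]),
                    "proto": m["proto"], "length": int(m["length"]), "kind": kind})
    return out

def fragment_drop_ids(log_text):
    """IP ids whose drops are fragments: the packets a scrub reassemble rule would fix."""
    return sorted({r["ipid"] for r in classify(log_text) if r["kind"] != "whole"})

if __name__ == "__main__":
    for r in classify(SAMPLE_LOG):
        print(r)
    print("fragmented drops (ip id):", fragment_drop_ids(SAMPLE_LOG))
```

Feed it real `tcpdump -n -e -ttt -v -i pflog0` output instead of the sample; if every drop is a fragment of an otherwise permitted UDP/53 reply, the scrub rule from the reply is the relevant fix rather than a new pass rule.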

