I recently set up a test Windows 7 machine and joined it to my pfSense powered wifi hotspot.

Turns out everything worked as normal to a point… got the correct ipv4 IP, gateway and DNS server from DHCP, However….

Some other device on the wifi hotspot network has issued an ipv6 DNS server which the machine uses instead of the v4 server!

I see this as a *HUGE* security issue as someone can simply plug in a v6 device to the network which Windows 7 (and possiblyWindows Vista and others) will use out of the box!

Aside from the fact it is a security issue, it actually broke everything as far as captive portal is concerned because the captive portal hostname was of course not resolving correctly…

Any workaround for this?

only first rule with ie. enable udp dns(port 53) to 192.168.1.1 (let’s assume 192.168.1.1 is your lan0 IP@)

2nd rule reject tcp/udp dns(port 53) to any

Thats usually the case!

I’d leave the logging enabled on the block rule, I like logging what gets dropped egress because it typically indicates either a misconfiguration, compromised host, or somebody trying to do something they aren’t supposed to be doing.

The rules must appear in the following order.

Allow outgoing DNS access by pfSense, or by a dedicated DNS server (whichever you use)
Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source
- Type: Single host or alias
- Address: LAN IP of your pfSense, or of your stand-alone DNS server
Destination: any
Destination port range
- from: DNS
- to: DNS
Description: Allow outgoing DNS for our pfSense DNS forwarder

On LAN interface block all DNS traffic to any network
Action: Block
Interface: LAN
Protocol: TCP/UDP
Destination: any
Destination port range
- from: DNS
- to: DNS
Log: Log packets that are handled by this rule – for short-term testing so as to find out who might mistakenly have an external DNS set, or picked up a rogue DNS
Description: Block outgoing DNS in case of rogue DNS servers

The pass rules must come before any matching block rules. If that block rule were setup correctly you would have been dropping all DNS traffic if it weren’t passed first.

* On LAN interface block all DNS traffic to WAN

Action: Block
Interface: LAN
Protocol: TCP/UDP
Destination: WAN address
Destination port range
from: DNS
to: DNS
Log: Log packets that are handled by this rule – for short-term testing so as to find out who might mistakenly have an external DNS set, or picked up a rogue DNS
Description: Block outgoing DNS in case of rogue DNS servers

* Allow outgoing DNS access by pfSense, or by a dedicated DNS server (whichever you use)

Action: Pass
Interface: LAN
Protocol: TCP/UDP
Source
Type: Single host or alias
Address: LAN IP of your pfSense, or of your stand-alone DNS server
Destination: WAN address
Destination port range
from: DNS
to: DNS
Description: allow outgoing DNS for our pfSense DNS forwarder

The firewall rules page says the order matters, which to me would mean the pass rule needs to go above the block rule, but in practice this doesn’t appear necessary. Maybe someone can correct me if I’m wrong.