Block DNS query using pfctl

Tags: domain-name-system, mac-osx, networking, packet-capture, pf

I am trying to create a rule that allows DNS queries (port 53) only to the 8.8.8.8 server (Google DNS). DNS queries to all other servers should not succeed.

I added the following lines to the /etc/pf.conf file:

anchor "com.xyz" 
load anchor "com.xyz" from "/etc/pf.anchors/com.xyz" 

I then added the file com.xyz to the /etc/pf.anchors folder. The contents of the com.xyz file are given below:

# Options
set block-policy drop
set fingerprints "/etc/pf.os"
set ruleset-optimization basic
set skip on lo0

pass out proto tcp from any to 8.8.8.8 port 53
pass out proto udp from any to 8.8.8.8 port 53

This is not working; I am still able to access the internet using some other DNS server. Any suggestions why it is not working?

Best Answer

Your snippet looks good, although I suspect we're missing pieces. A minimalistic ruleset doing what you're looking for:

pass out
# quick is needed here: without it the block rule below also matches
# 8.8.8.8 traffic and, as the last matching rule with quick, wins
pass in quick inet proto { tcp udp } from any to 8.8.8.8 port domain
block drop in quick inet proto { tcp udp } from any to any port domain

And in some cases, you may also need something like:

match out on em0 from 10.0.0.0/8 nat-to 1.2.3.4

I assume you've already enabled IP forwarding?
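To see why the question's ruleset lets other DNS servers through and why rule order and `quick` matter in the answer's ruleset, here is a small model of pf's evaluation order written for this page (it is not pf itself and not code from the question or the answer): pf walks the rules top to bottom, the last matching rule wins, and a matching rule marked `quick` ends evaluation immediately; with no matching rule the default is pass. The rulesets, packets and the 1.1.1.1 / 203.0.113.10 addresses are constructed sample values. The `in` rulesets model a forwarding router where LAN clients' queries arrive on an interface; the `HOST_RULES` variant is an assumption about the asker's own Mac, where its queries leave in the `out` direction.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the filtering host
    proto: str       # "tcp" or "udp"
    dst: str         # destination IPv4 address
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    direction: Optional[str] = None          # None: no in/out keyword
    proto: Optional[FrozenSet[str]] = None   # None: any protocol
    dst: Optional[str] = None                # None: "to any"
    dport: Optional[int] = None              # None: any port
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or p.proto in self.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "pass") -> str:
    """Model of pf evaluation: last matching rule wins, unless a matching
    rule carries quick, which stops evaluation at that rule."""
    winner = default
    for r in rules:
        if r.matches(p):
            winner = r.action
            if r.quick:
                break
    return winner


DNS = 53
TCPUDP = frozenset({"tcp", "udp"})

# Ruleset from the question: only pass rules, no block, so the default
# pass applies to every other DNS server.
QUESTION_RULES = [
    Rule("pass", "out", frozenset({"tcp"}), "8.8.8.8", DNS),
    Rule("pass", "out", frozenset({"udp"}), "8.8.8.8", DNS),
]

# Answer's ruleset with no quick on the pass rule: the later block rule
# also matches 8.8.8.8 queries and, being quick, wins.
ANSWER_RULES_NO_QUICK = [
    Rule("pass", "out"),
    Rule("pass", "in", TCPUDP, "8.8.8.8", DNS),
    Rule("block", "in", TCPUDP, None, DNS, quick=True),
]

# Same ruleset with quick on the pass rule, so evaluation stops there.
ANSWER_RULES_WITH_QUICK = [
    Rule("pass", "out"),
    Rule("pass", "in", TCPUDP, "8.8.8.8", DNS, quick=True),
    Rule("block", "in", TCPUDP, None, DNS, quick=True),
]

# Assumed variant for a host that is itself the DNS client (nothing is
# forwarded): its queries leave in the "out" direction, so filter there.
HOST_RULES = [
    Rule("pass", "out", TCPUDP, "8.8.8.8", DNS, quick=True),
    Rule("block", "out", TCPUDP, None, DNS, quick=True),
    Rule("pass", "out"),
]

# Constructed sample packets; 1.1.1.1 stands in for "some other DNS
# server" and 203.0.113.10 (documentation range) for an HTTPS site.
SAMPLES: Dict[str, Packet] = {
    "google_out": Packet("out", "udp", "8.8.8.8", DNS),
    "other_out": Packet("out", "udp", "1.1.1.1", DNS),
    "google_in": Packet("in", "udp", "8.8.8.8", DNS),
    "other_in": Packet("in", "tcp", "1.1.1.1", DNS),
    "web_out": Packet("out", "tcp", "203.0.113.10", 443),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample packet under the given ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in [("question", QUESTION_RULES),
                         ("answer, no quick", ANSWER_RULES_NO_QUICK),
                         ("answer, with quick", ANSWER_RULES_WITH_QUICK),
                         ("host variant", HOST_RULES)]:
        print(f"{label:20s} {verdicts(rules)}")
```

Running it shows the question's ruleset passing `other_out`, the answer's ruleset without `quick` blocking even `google_in`, and the `quick` version blocking only the non-8.8.8.8 query. After editing a real ruleset, `sudo pfctl -nf /etc/pf.conf` parses it without loading, and `sudo pfctl -sr` shows the rules actually in effect.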