DNS traffic from WAN IP to Google servers

Started by fonsmark, March 17, 2017, 08:51:54 PM

Hi,

I see quite a lot of DNS queries from the WAN-interface of a newly installed OPNsense 17.1.3-i386 to 8.8.8.8 and 8.8.4.4.

I think it must be the apinger which is using Google DNS, but I don't quite understand why this is necessary for monitoring my GW.

I don't wish to feed the Google. Can I avoid sending traffic in their direction?

BR Fonsmark :-)

OPNsense should NOT do that in a default installation. If you use one of these addresses for gateway monitoring, you will get blocked soon anyway.

There are two possible reasons:
a) You got the route from an upstream DHCP and OPNsense is configured to use those
b) A client has this DNS server set

Hi fabian,

Thanks for your reply.

The WAN address, default GW and DNS servers are statically configured.

I have thought that a client might use Google DNS servers, but in the FW logs the source IP of the traffic is the WAN address of the FW. Furthermore, the FW is pinging 8.8.8.8 (also from the WAN IP).

I have exported the config, and in the XML there is no mention of "8.8".

When searching in logs in my other OPNsense (16.x) FWs I can't see similar traffic, so this might be an error in the version I've got.

That it is the WAN IP of the firewall says nothing, as there is probably source NAT configured, which means any outgoing traffic will have the source IP of the firewall. The best way to find out which device it is, is to add a quick floating rule allowing DNS to 8.8.8.8 on all interfaces that are not WAN interfaces, with logging enabled (pass, block or reject is not important for debugging). This way you should get the device from the logs.
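The effect fabian describes, that the WAN log line only ever shows the firewall's own post-NAT address while a logged rule on the inside interface reveals the real client, can be checked against the log once the extra rule is in place. The script below is an added example and is not code from this thread or from OPNsense. It assumes the field layout of a pf filterlog IPv4 TCP/UDP line (rule number through data length, as laid out in `FIELDS`), and all interface names (em0 as WAN, em1 as LAN), addresses and log lines are constructed for the example. The optional IP-ID correlation additionally assumes pf leaves the IP identification field untouched across NAT.

```python
import csv
from collections import Counter

# The resolvers this thread is about.
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}

# Assumed pf filterlog layout for IPv4 TCP/UDP entries (positions are an assumption,
# check against your own /var/log/filter.log before relying on them).
FIELDS = ("rulenr", "subrulenr", "anchor", "rid", "iface", "reason", "action",
          "dir", "ipver", "tos", "ecn", "ttl", "id", "offset", "flags",
          "protonum", "proto", "length", "src", "dst", "sport", "dport", "datalen")

# Constructed sample log: em0 is the WAN (firewall address 203.0.113.10 after NAT),
# em1 is the LAN. Two LAN clients; only 192.168.1.37 talks to Google DNS.
SAMPLE_LOG = """\
7,,,1000000105,em0,match,pass,out,4,0x0,,63,4121,0,DF,17,udp,60,203.0.113.10,8.8.8.8,51812,53,40
9,,,2000000001,em1,match,pass,in,4,0x0,,64,4121,0,DF,17,udp,60,192.168.1.37,8.8.8.8,51812,53,40
7,,,1000000105,em0,match,pass,out,4,0x0,,63,4122,0,DF,17,udp,60,203.0.113.10,8.8.4.4,51813,53,40
9,,,2000000001,em1,match,pass,in,4,0x0,,64,4122,0,DF,17,udp,60,192.168.1.37,8.8.4.4,51813,53,40
9,,,2000000001,em1,match,pass,in,4,0x0,,64,4130,0,DF,17,udp,60,192.168.1.20,192.168.1.1,50011,53,40
"""


def parse_filterlog(text):
    """Parse filterlog CSV lines into dicts; IPv6 and ICMP lines use a different
    layout and are skipped here."""
    rows = []
    for rec in csv.reader(text.splitlines()):
        if len(rec) < len(FIELDS) or rec[8] != "4" or rec[16] not in ("tcp", "udp"):
            continue
        rows.append(dict(zip(FIELDS, rec)))
    return rows


def google_dns_by_interface(rows, wan_ifaces):
    """Count DNS traffic to Google per (interface, source address).
    On a WAN interface the source is the firewall's own address after source NAT,
    so only entries on non-WAN interfaces identify the real client."""
    clients = Counter()
    post_nat = Counter()
    for r in rows:
        if r["dst"] in GOOGLE_DNS and r["dport"] == "53":
            bucket = post_nat if r["iface"] in wan_ifaces else clients
            bucket[(r["iface"], r["src"])] += 1
    return clients, post_nat


def correlate_by_ip_id(rows, wan_ifaces):
    """Pair each WAN (post-NAT) entry with the inside (pre-NAT) entry carrying the
    same IP identification field and destination. Assumption: pf does not rewrite
    the IP ID (no random-id scrub), so the field survives NAT unchanged."""
    pre = {(r["id"], r["dst"]): r for r in rows if r["iface"] not in wan_ifaces}
    pairs = []
    for r in rows:
        key = (r["id"], r["dst"])
        if r["iface"] in wan_ifaces and r["dst"] in GOOGLE_DNS and key in pre:
            pairs.append((r["src"], pre[key]["src"], r["dst"]))
    return pairs


if __name__ == "__main__":
    rows = parse_filterlog(SAMPLE_LOG)
    clients, post_nat = google_dns_by_interface(rows, {"em0"})
    print("seen on WAN (post-NAT, firewall address):", dict(post_nat))
    print("real clients on inside interfaces:       ", dict(clients))
    for wan_src, client, resolver in correlate_by_ip_id(rows, {"em0"}):
        print(f"{wan_src} -> {resolver} was {client} before NAT")
```

Run it against a real filter log by replacing `SAMPLE_LOG` with the file contents and `{"em0"}` with your WAN interface names; the WAN counter will only ever show the firewall address, while the client counter shows which inside host to look at.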

Thanks! Of course I only saw the traffic in the log after NAT.

There is an exact match between traffic from someone's specific client and the entries I saw before.

I got blinded by the source IP, and blamed the FW.

Thanks again :-)