I'm going to take a very wild guess that the problem has two factors: 1) how you are managing Domain resolution on the xbox, and 2) your PF rules. It's a very wild guess, because we only have a fragment of your PF ruleset and know nothing about your xbox network configuration. And I know nothing about xboxes at all.

Assumption 1: the xbox is assigned an upstream nameserver via DHCP that you do not want it to use, hence your two PF rules.

Assumption 2: the xbox slows down when it receives an ICMP UNREACHABLE packet in response to a blocked UDP Domain resolution request.

Based on those two assumptions, I do not understand the purpose of the block rule. This is because the pass redirects all Domain requests to your resolver of choice, so the block only delays the client (xbox, in this case) as it determines what to do when it learns its primary nameserver is UNREACHABLE.

The best fix, I think, would be to remove the external, unwanted nameserver from the xbox configuration. But I know nothing about xboxen, so that may not be possible.

On my networks, I don't have rules like these. I use my own DHCP servers and configure only my local nameservers in dhcpd.conf(5). Only the nameservers can forward resolution requests to the Internet, other devices on the network cannot. (This has the side benefit of blocking communication through-the-firewall via port 53 by a compromised workstation or mobile device, in the event that occurs.)

Last edited by jggimi; 21st July 2015 at 01:12 AM. Reason: clarification of forwarding requests to authoritative nameservers
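A pf.conf(5) sketch of the approach jggimi describes (redirect stray Domain queries to the local resolver instead of blocking them, and let only that resolver forward upstream), added here as an example and not taken from his post or the thread's ruleset. The interface names and addresses are assumptions.

```pf
# Added example, not from the thread. Interface names and addresses are
# assumed; substitute your own. The resolver below is the only nameserver
# handed out to clients via dhcpd.conf(5), e.g.
#   option domain-name-servers 192.0.2.53;
ext_if   = "em0"
int_if   = "em1"
resolver = "192.0.2.53"

# A LAN client that still queries some outside nameserver is redirected to
# the local resolver rather than blocked, so it never receives an ICMP
# UNREACHABLE for its "primary" server and does not stall on a fallback.
pass in quick on $int_if proto { tcp udp } \
    from $int_if:network to ! $resolver port domain rdr-to $resolver

# Only the resolver may forward queries to the Internet; everything else
# on the LAN is dropped silently (no "return", so no ICMP is generated).
pass out quick on $ext_if proto { tcp udp } from $resolver to any port domain
block out quick on $ext_if proto { tcp udp } to any port domain
```

The final block rule is what keeps a compromised workstation or mobile device from tunnelling through port 53 directly, since its traffic never matches the resolver-only pass rule.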
