@kejianshi:
Sounds good, although I doubt the OpenDNS guys would like to think of themselves being "inflicted" on hosts.
I've been thinking of doing something like this myself so that I can not "NEED" Dansguardian on most installs.
I like to keep firewalls as uncomplicated as possible.
If I can selectively apply DNS rules to clients and remove a process from my firewall I'm happy.
I got this working today. Created a new VM running 2.1-RC0. Imported config from the old VM. Then I set up another Linux VM as the 2nd DNS server using BIND in a chroot jail. Two forward zones: one for the internal network domain which forwards those requests to the pfSense resolver and another for "." pointing to the OpenDNS servers.
I logged into the OpenDNS control panel and set up the content filtering. Then I set up a new DDNS profile in pfSense to update OpenDNS whenever the WAN IP changes.
Finally, I used the DHCP config options in 2.1 to set the 2nd server as the DNS for the hosts I wanted to filter. I also tweaked the max TTL cache time on the 2nd DNS to 5 min. That way when I need to whitelist a domain the users don't have to wait long for it to go into effect.
Now I just need to set up the firewall rules to prevent back doors and I'm done.
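
The second resolver described in the post above, sketched as a BIND `named.conf`. This is an added example, not the poster's actual configuration. The domain `lan.example`, the pfSense address `192.168.1.1` and the LAN range `192.168.1.0/24` are placeholder assumptions; the two forwarder addresses for "." are the public OpenDNS resolvers.

```conf
// named.conf for the second (filtering) DNS server: constructed example.
// Placeholders (assumptions, not from the post):
//   lan.example     internal network domain
//   192.168.1.1     pfSense resolver
//   192.168.1.0/24  LAN that is allowed to query this server

acl filtered_lan { 192.168.1.0/24; localhost; };

options {
    directory "/var/named";

    // Answer recursive queries only for the local network.
    recursion yes;
    allow-query     { filtered_lan; };
    allow-recursion { filtered_lan; };

    // Cap cached answers at 5 minutes so a newly whitelisted domain
    // takes effect without a long wait.
    max-cache-ttl 300;
};

// Internal names are resolved by the pfSense resolver.
zone "lan.example" {
    type forward;
    forward only;
    forwarders { 192.168.1.1; };
};

// Everything else goes to OpenDNS. This takes the place of the usual
// root hint zone for ".". "forward only" stops BIND from falling back
// to the root servers when the forwarders do not answer, which would
// bypass the content filter.
zone "." {
    type forward;
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; };
};
```

`named-checkconf` run against the file (with `-t` pointing at the chroot directory when BIND is jailed) catches syntax errors before a reload.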