Netgate Discussion Forum
    DNS Redirect question

    DHCP and DNS
    6 Posts 3 Posters 667 Views
    • cjbujold

      I want to implement a rule that redirects all internal DNS requests to pfSense. This would address internal clients that try to change the default DHCP settings to some external DNS. pfBlocker will block the DoH/DoT issue.

      The rule I'm looking at is https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

      But if I understand it properly, I will also need a rule to allow the internal DNS servers (not pfSense) to forward queries externally.

      I created an alias for the internal DNS servers, but I'm not certain how to implement this rule properly.

      Any suggestion on how to accomplish locking clients from using external DNS servers while at the same time allowing Internal DNS servers to work properly?

      • johnpoz (LAYER 8 Global Moderator) @cjbujold

        @cjbujold Rules are evaluated top down; the first rule to trigger wins. If you want a client to be able to go outbound for DNS and not be redirected, just put the rule that allows those IPs to go out on 53 above your redirect rule.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Derelict (LAYER 8 Netgate) @cjbujold

          @cjbujold Why don't you just pass DNS access to the DNS servers you want, pass DNS access from the internal servers you want, tell them those are the DNS servers to use, and reject attempts to use any other DNS servers?

          If they try to use something else it won't work.

          Some DNS clients reject answers from an IP address other than the one they queried. It is my opinion that they all should.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • johnpoz (LAYER 8 Global Moderator) @cjbujold
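A small first-match model of the two approaches in the replies above, added here as an illustration; it is not code from the thread or from pfSense, and the addresses, the INTERNAL_DNS alias and the rule layout are constructed. `apply_nat` walks port-forward rules top-down the way pf's rdr table does, so the exception for the internal resolvers only works when it sits above the catch-all redirect (johnpoz's point); `filter_packet` does the same for pass/reject rules and shows Derelict's alternative of passing DNS only to the servers you hand out and rejecting port 53 to anything else.

```python
"""Added example, not from the thread or pfSense: a first-match model of the
two approaches in the replies above. Addresses, the INTERNAL_DNS alias and
the rule layout are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lab addressing (assumption): LAN 192.168.1.0/24, pfSense at .1,
# two internal resolvers collected in an alias like the OP's.
LAN = ip_network("192.168.1.0/24")
PFSENSE_LAN = "192.168.1.1"
INTERNAL_DNS = frozenset({"192.168.1.10", "192.168.1.11"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "no_rdr" | "rdr" | "pass" | "reject"
    src: object = None             # frozenset of IPs, ip_network, or None = any
    dst: object = None             # frozenset of IPs, ip_network, or None = any
    dport: int = 53
    target: Optional[str] = None   # redirect destination for "rdr"


def _selector_hits(sel, ip: str) -> bool:
    if sel is None:
        return True
    if isinstance(sel, frozenset):
        return ip in sel
    return ip_address(ip) in sel   # ip_network


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.dport == rule.dport
            and _selector_hits(rule.src, pkt.src)
            and _selector_hits(rule.dst, pkt.dst))


def apply_nat(rules, pkt: Packet) -> str:
    """Walk port-forward rules top-down, first match wins (pf rdr semantics).
    Returns the address the packet is actually delivered to."""
    if ip_address(pkt.dst) in LAN and pkt.dst != PFSENSE_LAN:
        return pkt.dst  # same-subnet traffic never transits pfSense, so no rdr sees it
    for rule in rules:
        if _matches(rule, pkt):
            return pkt.dst if rule.action == "no_rdr" else rule.target
    return pkt.dst


def filter_packet(rules, pkt: Packet) -> str:
    """Walk filter rules top-down, first match wins. Unmatched traffic is
    passed here to mimic a stock 'LAN to any' rule (assumption)."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "pass"


# johnpoz's ordering: the exception for the internal resolvers sits ABOVE the
# catch-all redirect from the Redirecting-all-DNS doc.
NAT_CORRECT = [
    Rule("no_rdr", src=INTERNAL_DNS),
    Rule("rdr", src=LAN, target=PFSENSE_LAN),
]
# The same two rules the other way round: the redirect shadows the exception.
NAT_SWAPPED = [NAT_CORRECT[1], NAT_CORRECT[0]]

# Derelict's alternative: no redirect at all. Pass DNS only to the resolvers
# you hand out, let those resolvers reach upstream, reject everything else on 53.
FILTER_RULES = [
    Rule("pass", src=LAN, dst=INTERNAL_DNS | {PFSENSE_LAN}),
    Rule("pass", src=INTERNAL_DNS),
    Rule("reject", src=LAN),
]

CLIENT_TO_GOOGLE = Packet("192.168.1.50", "8.8.8.8", 53)      # client ignoring DHCP DNS
RESOLVER_TO_GOOGLE = Packet("192.168.1.10", "8.8.8.8", 53)    # internal resolver forwarding
CLIENT_TO_RESOLVER = Packet("192.168.1.50", "192.168.1.10", 53)

if __name__ == "__main__":
    for name, rules in (("correct order", NAT_CORRECT), ("swapped order", NAT_SWAPPED)):
        print(name, "client ->", apply_nat(rules, CLIENT_TO_GOOGLE),
              "| resolver ->", apply_nat(rules, RESOLVER_TO_GOOGLE))
    for pkt in (CLIENT_TO_GOOGLE, RESOLVER_TO_GOOGLE, CLIENT_TO_RESOLVER):
        print("filter", pkt.src, "->", pkt.dst, ":", filter_packet(FILTER_RULES, pkt))
```

With the rules in the correct order the client's query to 8.8.8.8 lands on pfSense while the internal resolver's query goes out untouched; swap the two and the resolver is redirected as well. In the pfSense GUI the exception is a port forward entry with the "No RDR (NOT)" option set, placed above the redirect entry.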

            @cjbujold You're trying to redirect client A to something other than pfSense when he asks for 8.8.8.8 or something? Yeah, that can be problematic. It works if the DNS you're redirecting to is on a different VLAN than the client.

            But if on the same network, clients should balk at that and say, hey, I asked 8.8.8.8, why is 192.168.x.y answering me?

            • Derelict (LAYER 8 Netgate) @johnpoz

              @johnpoz Hmm. I never noticed it was tied to the local network. I have had problems with a DNS server outside the local network that was responding with the "wrong" IP address, and some clients (notably Ubuntu) refused the answers.

              Seems that if someone on the local network wanted to spoof DNS answers they'd just spoof the source address of their reply too.

              When I ran a public wifi network it was always really tempting to manipulate DNS like that, but I didn't want to step on the dad who carefully set up OpenDNS on his kids' laptop or similar. Then there's Quad9 "protection" etc. Probably over-thinking it.

              • johnpoz (LAYER 8 Global Moderator) @Derelict
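The client-side check that johnpoz and Derelict describe above, as an added example that is not code from the thread: a strict stub-resolver style UDP client that discards an answer whose source address and port are not the server it queried, run against a fake resolver on loopback. The second run has the fake resolver answer from a different socket, which is what a client sees when a redirect target on its own subnet replies to it directly; when the target is on another VLAN the reply comes back through pfSense, which rewrites the source back to the address the client asked. The name example.test, the answer 192.0.2.10 and the ports are constructed for the demo.

```python
"""Added example, not from the thread: a UDP DNS client that applies the
source check discussed above (discard an answer whose source is not the
server that was queried) against a fake resolver on loopback. The name
example.test, the answer 192.0.2.10 and the ports are constructed."""
import secrets
import socket
import struct
import threading


def build_query(qname: str, txid: int) -> bytes:
    """Minimal DNS A query: header with RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_answer(query: bytes, ip: str) -> bytes:
    """Echo the question back with one A record (name is a pointer to offset 12)."""
    qend = query.index(b"\x00", 12) + 5          # past qname terminator, qtype, qclass
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:qend] + rr


def fake_resolver(sock: socket.socket, reply_from_other_socket: bool, ip: str = "192.0.2.10"):
    """Answer one query. With reply_from_other_socket the answer comes from a
    second socket, i.e. from an address/port the client never sent to, like a
    redirect target on the client's own subnet answering it directly."""
    data, client = sock.recvfrom(512)
    reply = build_answer(data, ip)
    if reply_from_other_socket:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as other:
            other.sendto(reply, client)
    else:
        sock.sendto(reply, client)


def resolve(qname: str, server: tuple, timeout: float = 2.0):
    """Send one query and return the A record, or None if the answer was
    rejected. Like a strict stub resolver, the reply must come from exactly
    the address and port queried and carry the same transaction id. (A real
    resolver keeps waiting for a valid reply until its timeout; this one
    stops at the first bad packet to keep the demo short.)"""
    txid = secrets.randbelow(0x10000)
    query = build_query(qname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, server)
        try:
            data, source = s.recvfrom(512)
        except socket.timeout:
            return None
        if source != server:               # answer from someone we did not ask
            return None
        if data[:2] != query[:2]:           # transaction id mismatch
            return None
        return socket.inet_ntoa(data[-4:])  # RDATA of the single A record


def demo(reply_from_other_socket: bool):
    """Run one query against the fake resolver on 127.0.0.1 and return the result."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    t = threading.Thread(target=fake_resolver, args=(srv, reply_from_other_socket), daemon=True)
    t.start()
    try:
        return resolve("example.test", srv.getsockname())
    finally:
        t.join(timeout=2.0)
        srv.close()


if __name__ == "__main__":
    print("answer from the queried server:", demo(False))   # 192.0.2.10
    print("answer from a different source:", demo(True))    # None
```

The source comparison is on the (address, port) pair, which is also why a spoofer on the local network has to forge the source address as well as guess the transaction id, as Derelict notes.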

                @derelict this has come up multiple times ;)

                Here is an old thread where we went into much detail about when the DNS server you're redirecting to is on a different VLAN, etc., or when it's on the same network and you get back the unexpected IP, etc.

                https://forum.netgate.com/topic/139457/transparently-intercept-and-redirect-dns-traffic-to-an-internal-dns

                Personally I'm not a fan of redirection either: either use the DNS I handed you, or you're not getting DNS ;)

                But I have done it on one of my VLANs just to shut up some IoT shit that insists on trying to talk to 8.8.8.8, so I just redirect it to my pihole. There you go buddy, Google DNS answered you ;) If you would just use the freaking DNS I handed you with DHCP, you dumb crappy POS, we wouldn't have to do such nonsense.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.