How to allow one VLAN to use public DNS instead of the pfSense DNS resolver
-
Hi all,
I have pfSense set up with 5 VLANs and pfBlockerNG. What I am attempting to do is allow 1 of the VLANs to use public DNS instead of the default pfSense DNS resolver.
I see that there is a floating rule in NAT that blocks all external DNS port 53 requests.
I tried to add a pass rule for port 53 for the 1 VLAN, but it does not work. The systems in the VLAN are still not able to use 8.8.8.8 and have to use the VLAN interface IP 192.168.62.1. I have also tried to edit the floating reject DNS port 53 rule to "Source Invert match" the 1 VLAN, but this did not work either.
The firewall log shows the reject as the WAN IP and not the VLAN IP. I see that there is a "DNS override" option, but it seems like that allows all VLANs to override DNS.
Can anyone help?
Thanks!
-
@sho1sho1sho1
Why not add DNS servers into your DHCP Server settings for your VLAN?
-
I tried that already. On the 1 VLAN, I set 8.8.8.8 for the DNS server. The systems are getting 8.8.8.8 as their DNS server in the DHCP IP settings, but the systems cannot get internet access.
I believe the systems are still forced to use the DNS resolver, which forces DNS lookups only through the pfSense DNS server.
The floating rule will still reject all public DNS requests.
-
@sho1sho1sho1 if you want VLAN/network X to access 8.8.8.8, then you would need to allow that network/VLAN to access 8.8.8.8 in the firewall.
If you have a floating rule that blocks access to external DNS, add a rule above it in floating that allows the network you want to be able to access it.
-
@johnpoz Let me try tonight and post screen shots.
-
I tried to add a floating rule before the DNS block rule, but no luck. It still constantly blocks public DNS access for that VLAN. In my PASS floating rule, I set the interface to ATT_WAN and the source to Vlan1 (the one that needs to get public DNS) and the destination to 'any', port 53.
It seems like the block rule doesn't know the request is coming from Vlan1, but instead sees the ATT_WAN interface IP.
-
@sho1sho1sho1 Ah, you're doing an outbound rule..
Yeah, you're going to have a hard time allowing just 1 specific network/VLAN with such a rule.. Change your rule to an inbound rule on the interfaces. Then above that put a rule that allows it on the specific network/VLAN you want to allow.
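To make the difference between the two approaches concrete, here is an added illustration in pf rule syntax (the thread is about pfSense GUI rules; this is not the OP's or johnpoz's ruleset). The interface names vlan62 and vlan10 and the 192.168.10.0/24 subnet are assumed; 192.168.62.0/24, its interface address 192.168.62.1 and 8.8.8.8 come from the thread.

```pf
# Assumed interfaces: vlan62 = the VLAN allowed to use public DNS,
# vlan10 = one of the other VLANs. "quick" makes these first-match.

# Inbound on the VLAN's own interface the source is still the client
# address, so the rule can be scoped to that one VLAN.
pass in quick on vlan62 inet proto { tcp udp } from 192.168.62.0/24 to 8.8.8.8 port 53

# Every VLAN may still reach the resolver at its interface address.
pass in quick on vlan62 inet proto { tcp udp } from 192.168.62.0/24 to 192.168.62.1 port 53
pass in quick on vlan10 inet proto { tcp udp } from 192.168.10.0/24 to 192.168.10.1 port 53

# Any other DNS destination from the other VLANs is rejected and logged
# (block return = pfSense "reject").
block return in log quick on vlan10 inet proto { tcp udp } from 192.168.10.0/24 to any port 53

# What the OP's outbound floating rule looked like in effect. Outbound NAT
# runs before "out" filter rules on the WAN, so the source has already been
# rewritten to the WAN address: "from 192.168.62.0/24" never matches and the
# firewall log shows the WAN IP, exactly as the OP observed.
# block return out log quick on $ATT_WAN inet proto { tcp udp } from any to any port 53
```

The floating block rule and the pass rule above it both see post-NAT addresses on the WAN, which is why only the inbound, per-interface form can distinguish one VLAN from another.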
-
@johnpoz
I didn't put the floating outbound rule there myself. I think some setting in the DNS resolver automatically created that floating rule.
Should I manually delete that floating outbound rule and then add a "Block" inbound rule to all my other VLANs? I wonder, if I delete the auto-created floating outbound rule, will it create itself again?
-
@sho1sho1sho1 nothing in the resolver would or could do that.. You running pfBlocker? Show the rule in your ruleset.
-
There is this feed in pfBlocker
-
That sure doesn't even look like a NS
;; QUESTION SECTION:
;4.64.4.64.in-addr.arpa. IN PTR
;; ANSWER SECTION:
4.64.4.64.in-addr.arpa. 28800 IN PTR wnpgmb0273w-dr09-v924.mts.net.
And it doesn't even answer DNS, at least not from me. That is a Bell Canada IP.. Is that who you use for ISP?