Netgate Discussion Forum
    Blocking DNS queries to external resolvers

    Off-Topic & Non-Support Discussion
    edwinonia:

      Ma'am/Sir,
      Very sorry to bother you all. I'm very desperate to resolve the issue on my pfSense box. Below are the links:

      http://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

      Below the solution they mentioned that "You could also allow certain local PCs to use other DNS server by placing a pass rule for them above the block rule." but I cannot understand how to do that. What I want is to allow other PCs to connect to another DNS server, like Google DNS 8.8.8.8 and 8.8.4.4. Please help me with how to create a rule for that. I'm trying to create a rule but still have no luck; my internet becomes disconnected if I insert another DNS IP.

      edwin

      phil.davis:

        Those instructions look good. To let some systems "out" to use another external DNS server/s:

        1. Add an alias "ExternalDNSallowed" (or some such name). Add all the LAN IP addresses of systems that are allowed to use an external DNS directly.
        2. Add an alias "PermittedDNSservers" (or some such name). Add the IP addresses of external DNS servers you allow to be used (e.g. 8.8.8.8 and 8.8.4.4).
        3. Add a firewall rule on LAN permitting IPv4, TCP+UDP, source "ExternalDNSallowed", destination "PermittedDNSservers", port 53.
        4. Move the rule up before the wildcard rule that blocks everything to port 53.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

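An added illustration of the four steps above (example code, not from this thread or from pfSense): a small first-match simulation of the LAN ruleset, with constructed alias contents and a hypothetical firewall LAN address of 192.168.1.1, showing why step 4 (the pass rule sitting above the block rule) decides whether the allowed hosts get out.

```python
# Added example: first-match ("quick") evaluation of the LAN rules described in
# the thread. Alias members and the LAN address are constructed sample values.
from ipaddress import ip_address, ip_network

# Aliases as they would be defined under Firewall > Aliases (constructed values)
ALIASES = {
    "ExternalDNSallowed": ["192.168.1.10", "192.168.1.11"],  # LAN hosts allowed out
    "PermittedDNSservers": ["8.8.8.8", "8.8.4.4"],           # resolvers they may use
    "LAN address": ["192.168.1.1"],                          # hypothetical firewall IP
}

def in_alias(addr, name):
    """True if addr is inside any host/CIDR entry of the alias ('any' matches all)."""
    if name == "any":
        return True
    return any(ip_address(addr) in ip_network(e, strict=False) for e in ALIASES[name])

# Rule tuple: (action, protocols, source alias, destination alias, destination port)
PASS_LOCAL_DNS = ("pass", {"tcp", "udp"}, "any", "LAN address", 53)  # to the firewall's resolver
PASS_ALLOWED = ("pass", {"tcp", "udp"}, "ExternalDNSallowed", "PermittedDNSservers", 53)
BLOCK_ALL_53 = ("block", {"tcp", "udp"}, "any", "any", 53)             # wiki's catch-all block

def evaluate(ruleset, proto, src, dst, dport, default="pass"):
    """pfSense interface rules are first-match: the first rule that matches wins.
    The default is the stock 'Default allow LAN to any' rule, assumed to sit below."""
    for action, protos, src_alias, dst_alias, port in ruleset:
        if (proto in protos and dport == port
                and in_alias(src, src_alias) and in_alias(dst, dst_alias)):
            return action
    return default

# Step 4 done: the pass rule for allowed hosts sits above the block.
CORRECT_ORDER = [PASS_LOCAL_DNS, PASS_ALLOWED, BLOCK_ALL_53]
# Step 4 skipped: the new pass rule was appended below the block and never matches.
WRONG_ORDER = [PASS_LOCAL_DNS, BLOCK_ALL_53, PASS_ALLOWED]

if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "allowed host -> 8.8.8.8:", evaluate(rules, "udp", "192.168.1.10", "8.8.8.8", 53),
              "| other host -> 8.8.8.8:", evaluate(rules, "udp", "192.168.1.50", "8.8.8.8", 53))
```

With the correct order an allowed host reaches 8.8.8.8 while every other host is still blocked; with the wrong order the block rule matches first and nobody gets out.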