Netgate Discussion Forum

    Route DNS for one client to specific DNS server

    DHCP and DNS | 22 Posts 5 Posters 10.5k Views
    • johnpoz (LAYER 8 Global Moderator)

      "Not sure why the reason makes any difference to coming up with a solution, but here's the scenario:"

      The reason is more of fully understanding what your goal is vs. just what you believe is the solution, so that you can attack the problem from other points of view.  Understanding the actual "reason" for what you're trying to accomplish gives everyone more understanding of the problem, to maybe point out that it's just the wrong way to accomplish the goal, etc.

      So now that I understand your problem I would say the way to do it would be an actual forward/NAT where you have the source IP and direct their DNS query, no matter where it's going, to where you want.  You could have rules for all your devices, different rules pointing them to whatever DNS you want - and then just enable/disable the rules as needed.

      example - see attached

      This way it does not matter what the device gets from DHCP, and it does not matter what domain they are looking for; you point their DNS wherever you want.  The only thing that might be a problem is local cache on the device, etc.  But a reboot/clear might be easier than changing their DNS on the device, etc.

      [Attachment: nat.png]

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • phil.davis

        There is going to be an inherently difficult issue with using a single caching DNS forwarder/resolver to do this. I can imagine real situations like this in a multi-office complex with shared internet.
        Company1 on LAN1 wants to use OpenDNS servers, because they are doing some name-content filtering for Company1.
        Company2 on LAN2 wants to use DynDNS servers, because they are doing some different name-content filtering for Company2.
        Company3 on LAN3 wants to use Google servers; they don't want any filtering…

        The trouble is that the DNS forwarder would have to keep track of which names in its cache had been resolved for which group (LAN subnet) of clients, as well as making upstream requests to the right name server based on the requesting client. There is just nothing like this in dnsmasq.

        You could allocate them static IPs in DHCP and with each of those give directly the outside DNS servers you want them to use. Then you can change that entry in DHCP server, and then disconnect/reconnect the device, so it changes its DNS servers.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        • phil.davis

          and it will be nice when these content providers get with the modern world - the internet is everywhere, content should no longer be licensed by country/region/continent… If someone provides free content, then provide it to the world. If it is paid content, then allow the person who has paid (has a password/authentication token...) to access the content from anywhere in the world.
          This is just so silly having people signing up for VPN connections to/from all combinations of countries just so they can appear to come from some other country and thus get access to the content they want!!!


          • Slartibartfast

            I use a VPN to access BBC iPlayer content from my PCs, but this is not possible from my Samsung TV or WD TV Live unit. I could do it with pfSense, but then again I run into the problem of every device on the LAN being routed through the VPN when I only want one to be.

            @bryan.paradis:

            It isn't exactly easy to switch back and forth quickly still though? I use a VPS VPN to do this on my PC and phone.

            • johnpoz (LAYER 8 Global Moderator)

              If pfsense makes the vpn connection, just use policy based routing to route your different devices either down the vpn or out your normal connection.


              • Slartibartfast

                I actually considered routing all DNS from the desired devices to the DNS server of my choice but this would introduce a new problem. When you use a DNS unblocker service you are taking a gamble the provider won't play fast and loose with your lookup requests. If all DNS requests go through the unblocker then you are open to malicious behaviour. Using pfSense domain overrides prevents this since the unblocker DNS is only used for the specified domains. When you connect to your online banking site, for instance, you use your regular DNS, which is much safer. For this reason forwarding all DNS from a specified source IP address is risky.

                What I really would like is to be able to specify domain overrides that are tied to specific source IP addresses. I tried using the "Source IP" field when setting up the domain overrides (I know it is not designed for this but I thought it might work), but pfSense won't let me enter a local IP address.

                @johnpoz:

                "Not sure why the reason makes any difference to coming up with a solution, but here's the scenario:"

                The reason is more of fully understanding what your goal is vs. just what you believe is the solution, so that you can attack the problem from other points of view.  Understanding the actual "reason" for what you're trying to accomplish gives everyone more understanding of the problem, to maybe point out that it's just the wrong way to accomplish the goal, etc.

                So now that I understand your problem I would say the way to do it would be an actual forward/NAT where you have the source IP and direct their DNS query, no matter where it's going, to where you want.  You could have rules for all your devices, different rules pointing them to whatever DNS you want - and then just enable/disable the rules as needed.

                example - see attached

                This way it does not matter what the device gets from DHCP, and it does not matter what domain they are looking for; you point their DNS wherever you want.  The only thing that might be a problem is local cache on the device, etc.  But a reboot/clear might be easier than changing their DNS on the device, etc.

                • Slartibartfast

                  Interesting thought, not sure how to do this with pfSense though. I have OpenVPN set up for incoming connections to my LAN and I have a client set up on my laptop to connect to it, but I've never done outgoing connections from pfSense, nor set up policies like you suggest.

                  @johnpoz:

                  If pfsense makes the vpn connection, just use policy based routing to route your different devices either down the vpn or out your normal connection.

                  • Slartibartfast

                    Agreed, but I think part of it is that different countries/regions have different copyright laws. I'm no fan of Big Content, but in their defence in this particular case releasing media operating under Euro copyright law in the US, for instance, may terminate copyright protection for that content in the US. Even though the impediments can be sidestepped via VPN or unblocker DNS, the fact that the content companies at least show the effort to prevent unauthorized consumption of media licensed for another market allows them to maintain copyright protections in all regions.

                    Still… very annoying for sure.

                    @phil.davis:

                    and it will be nice when these content providers get with the modern world - the internet is everywhere, content should no longer be licensed by country/region/continent… If someone provides free content, then provide it to the world. If it is paid content, then allow the person who has paid (has a password/authentication token...) to access the content from anywhere in the world.
                    This is just so silly having people signing up for VPN connections to/from all combinations of countries just so they can appear to come from some other country and thus get access to the content they want!!!

                    • bryan.paradis

                      @Slartibartfast:

                      I use a VPN to access BBC iPlayer content from my PCs, but this is not possible from my Samsung TV or WD TV Live unit. I could do it with pfSense, but then again I run into the problem of every device on the LAN being routed through the VPN when I only want one to be.

                      @bryan.paradis:

                      It isn't exactly easy to switch back and forth quickly still though? I use a VPS VPN to do this on my PC and phone.

                      If you wanted quick and simple for others to change as well, you could do something like run a switch off one interface with a second dnsmasq process that shoves all traffic to the other DNS. Just replug cables to switch, haha.

                      • Fegu

                        Both your issues, 1) having a VPN for getting content from other regions affecting general browsing, and 2) fearing that the site-wide change of DNS opens you up to security issues, inspired me to find a better solution. Turns out, they can both be solved using a feature in dnsmasq not readily exposed in the pfSense UI. By using the field Services | DNS Forwarder | Advanced and specifying for example

                        server=/netflix.com/208.122.23.23
                        server=/netflix.net/208.122.23.23
                        

                        then only requests for *.netflix.com/net go to the "rogue" DNS provider (the example shows the IP of the DNS for unblock-us.com).

                        See http://www.gundersen.net/american-netflix-on-ipad-and-chromecast-without-vpn-using-pfsense/ for more thorough details.

                        • phil.davis

                          And I think that should work by putting those in Domain Overrides - it makes essentially the same "server=" command parameter to dnsmasq in the code underneath.


                          • Fegu

                            While the dnsmasq startup log gives the same message (using nameserver xxxx for domain yyyy.com) for both alternatives (server=/… in advanced, and using domain override), the documentation does not mention any wildcard functionality and seems to indicate that domain override is for the specific domain only. It would be great to be able to clarify this in the docs. How can we see exactly what startup parameters the domain override adds to dnsmasq?

                            • phil.davis

                              The dnsmasq parameters are all put on the command line, no conf file is written. I guess it would be nicer to write a conf file and use that? But someone has to care enough to code it :)
                              The whole command can be seen with:

                              ps auxww | grep dns
                              

                              The GUI has this explanation text:

                              Entries in this area override an entire domain by specifying an authoritative DNS server to be queried for that domain

                              It actually means that requests for any names inside this domain (i.e. host names in the domain and any subdomain) are sent to the specified DNS server.
                              Suggest some improved words to go here and there would be no problem changing that text.


                              • Fegu

                                You are absolutely right, the -server= entries are exactly the same. How would I go about getting the docs and label in pfSense clarified? Post a bug report?

                                1. Docs: https://doc.pfsense.org/index.php/DNS_Forwarder

                                New paragraph just before "On pfSense 2.1, Host Overrides work for both IPv4 and IPv6 addresses." (using myspace.com as example since this page already uses this domain for another example)

                                "Domain overrides have an implicit wildcard before the domain. An entry for myspace.com will also override all subdomains of myspace.com."

                                2. GUI: http://10.0.0.1/services_dnsmasq.php

                                Change label "Entries in this area override an entire domain by specifying an authoritative DNS server to be queried for that domain." to "Entries in this area override an entire domain, and subdomains, by specifying an authoritative DNS server to be queried for that domain."

                                I have also updated my blog post http://www.gundersen.net/american-netflix-on-ipad-and-chromecast-without-vpn-using-pfsense/
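                                To make the two points above concrete (that a domain override is an implicit wildcard covering every name under the domain, and Slartibartfast's earlier concern that redirecting all port-53 traffic from a client sends its banking lookups to the unblocker too), here is an added illustration that is not code from this thread or from pfSense. It models the two approaches discussed: dnsmasq `server=/domain/ip` overrides with dnsmasq's most-specific-match rule, and a per-client NAT redirect of all DNS, and it pulls the override list out of a constructed sample of the dnsmasq command line that `ps auxww | grep dns` prints. The process columns, the extra dnsmasq flags, the client address 192.168.1.50 and the default resolver 198.51.100.53 are constructed placeholders; 208.122.23.23 is the unblocker address quoted in the thread.

```python
"""Added illustration (not from the thread or pfSense): which upstream resolver a
client's query reaches under (a) dnsmasq domain overrides and (b) a per-client
NAT redirect of all port-53 traffic."""
import re
import shlex

# Constructed sample of `ps auxww | grep dns` output on a pfSense box with the two
# overrides from the thread configured. Process columns and the other dnsmasq
# flags are illustrative; 208.122.23.23 is the unblocker address from the thread.
SAMPLE_PS_LINE = (
    "root  1234  0.0  0.1  12345  6789  -  Ss  10:00  0:00.12 "
    "/usr/local/sbin/dnsmasq --all-servers --rebind-localhost-ok "
    "--server=/netflix.com/208.122.23.23 --server=/netflix.net/208.122.23.23 "
    "--dns-forward-max=5000 --cache-size=10000 --local-ttl=1"
)

UNBLOCKER = "208.122.23.23"
DEFAULT_RESOLVER = "198.51.100.53"  # constructed placeholder for the normal upstream

# Matches both the command-line form (--server=/d/ip) and the conf-file form (server=/d/ip)
SERVER_RE = re.compile(r"^--?server=/([^/]+)/(.+)$")


def parse_overrides(ps_line):
    """Return {domain: upstream} for every server=/domain/ip argument on the line."""
    overrides = {}
    for arg in shlex.split(ps_line):
        m = SERVER_RE.match(arg)
        if m:
            overrides[m.group(1).lower().rstrip(".")] = m.group(2)
    return overrides


def matches_domain(qname, domain):
    """dnsmasq override semantics: the domain itself and every name under it.
    Uses a label boundary so 'netflix.com.evil.example' does not match 'netflix.com'."""
    q = qname.lower().rstrip(".")
    return q == domain or q.endswith("." + domain)


def upstream_via_override(qname, overrides, default=DEFAULT_RESOLVER):
    """Pick the upstream the way dnsmasq does: the most specific matching domain wins,
    and anything with no matching override goes to the default resolver."""
    best = None
    for domain, server in overrides.items():
        if matches_domain(qname, domain) and (best is None or len(domain) > len(best[0])):
            best = (domain, server)
    return best[1] if best else default


def upstream_via_nat_redirect(client_ip, redirected_clients, default=DEFAULT_RESOLVER):
    """The NAT/forward approach: every port-53 query from a listed client IP is
    redirected, regardless of the name being looked up."""
    return redirected_clients.get(client_ip, default)


def names_sent_to(server, client_ip, qnames, overrides, redirected_clients):
    """Which of this client's query names reach `server` under each policy."""
    return {
        "domain_override": sorted(
            q for q in qnames if upstream_via_override(q, overrides) == server),
        "nat_redirect": sorted(
            q for q in qnames if upstream_via_nat_redirect(client_ip, redirected_clients) == server),
    }


if __name__ == "__main__":
    ov = parse_overrides(SAMPLE_PS_LINE)
    redirected = {"192.168.1.50": UNBLOCKER}  # constructed: the one streaming box
    queries = ["www.netflix.com", "api-global.netflix.com", "netflix.net",
               "netflix.com.evil.example", "onlinebanking.example"]
    for policy, names in names_sent_to(UNBLOCKER, "192.168.1.50", queries, ov, redirected).items():
        print(f"{policy}: {names}")
```

Run as a script it prints, for the constructed client, that only the netflix names leave for the unblocker under domain overrides, while the NAT redirect sends the banking lookup there as well. The label-boundary check in `matches_domain` is the detail worth keeping: a suffix test without the leading dot would treat `notnetflix.com` as covered by the override.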

                                • phil.davis

                                  If you are happy to start learning how to contribute minor code changes, then make an account on https://github.com/pfsense
                                  On GitHub, drill down to /usr/local/www/services_dnsmasq.php
                                  Click on Edit, it makes a fork/branch for you.
                                  Make the change to the file, put subject and comments and Commit.
                                  Press the button to make a Pull Request.
                                  It will be reviewed by the devs, and hopefully accepted - your minor enhancement to the explanation seems a reasonable thing to me.


                                  • Fegu

                                    Thanks, I've done so for the code part, but what about the docs?
