Netgate Discussion Forum
    Problem DNS - LAN

    DHCP and DNS
    39 Posts 5 Posters 6.6k Views
    gio79

      Hello

      I do not want to put any DNS on the clients on the LAN, but all the clients on the LAN must automatically take the DNS imposed by pfSense.

      Is it possible to do this?

      Thank you very much

      phil.davis

        If you are using static IP entered on each LAN client, then you must also enter the DNS. In IPv4 there is no way to just do a DHCP request to get the DNS address.
        I suggest that you use DHCP on LAN. Then in the pfSense DHCP server, allocate a static-mapped IP address to each client.
        I do it that way for all the known client systems in an office. Then each client always gets the same IP address given by DHCP, and they get DNS server also given automatically.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        gio79

          Hello

          I then activated the DHCP server on the LAN, and I have also enabled the DNS Forwarder.

          Now the PCs on the LAN have no fixed address and no DNS on their Ethernet card, and everything works.

          Now I want to ask whether certain sites can be blocked using DNS, that is, for example, if I type https://www.facebook.com this site should not open …

          I have read on the forums that it is possible to do it through the DNS Forwarder, but I do not know how to do it. Could you give me a hand?

          Hello and thank you very much

            phil.davis

            A quick search for "how to block facebook" would bring up this thread with a few ideas, and my post of how I do it:
            https://forum.pfsense.org/index.php?topic=69860.msg383922#msg383922

              gio79

              Hello, thanks for the tip

              I wanted to ask: the method that you are using seems a bit complicated to do ….

              while the method recommended by Nothing:
              "Why do you not use the DNS forwarder and add DNS A records for *.facebook.com pointing to 127.0.0.1, for example?
              To avoid the clients using foreign DNS servers, add a NAT rule to catch everything on TCP/UDP 53 and DNAT it to the pfSense box.
              Much simpler and cleaner than using a proxy, I think."

              seems easier.

              As far as I seem to have figured out, I have to add two rules on the firewall and then add that record in the DNS Forwarder?

              Hello

                phil.davis

                Yes, if you want to block Facebook all the time, then a domain override to translate *.facebook.com to a local address that does not work will do the trick easily.
                I have the firewall rule on a schedule, so Facebook works before and after normal office hours - we encourage our staff to come in early or stay late to do their FaceBooking (is that a word?) and to actually work during office hours  :) - for that I need an alias and rule on a schedule.

                  gio79

                  Hello

                  I went into the DNS Forwarder in pfSense.

                  Do I have to set the parameters in Host Overrides or in Domain Overrides?

                  Thanks

                    phil.davis

                    Domain Overrides
                    Domain put facebook.com - that will include everything ending with facebook.com
                    In "IP address" put "!" - it is documented on the GUI page: "Or enter ! for lookups for this host/subdomain to NOT be forwarded anywhere."
                    Now it will look those up itself. Of course they are not in the local hosts file, so it will very quickly return a not found NXDOMAIN.

                      gio79

                      Hello, I have done it this way, is that right?

                      (attached image: Immagine.jpg)

                        phil.davis

                        That will work. But if you put "!" in the IP Address field, the facebook block will happen a little quicker for users, because DNS forwarder will immediately be able to send back a "not known".

                          gio79

                          Hello, I have done as you suggested, and you can see it in the picture, but if you go to https://www.facebook.com the page opens, while http://www.facebook.com did not open the page.

                          What should I do so that when I type https://www.facebook.com?

                          Thank you very much

                          (attached image: Immagine1.jpg)

                            gio79

                            Hello, I have a problem: I do not know how I did it, but now it does not work anymore …

                            Here is a summary of my situation:

                            I have a LAN in which the clients have DHCP enabled and have no value in the DNS.

                            In pfSense I then enabled the DNS Forwarder and the DHCP Server with the DNS values (see first image).

                            After going to the Dashboard I have these DNS values (see picture 2).

                            My question is what to set in the General Setup (see image 3).

                            I was wondering if anyone could give me a hand.

                            Thank you very much

                            (attached images: Immagine.jpg, Immagine2.jpg, Immagine3.jpg)

                              phil.davis

                              If you are happy to use DNS Forwarder (a good thing, IMHO) then do not put anything in the DHCP "DNS Servers" - DHCP will give the pfSense LAN IP as the DNS server.
                              Then put multiple real public DNS servers in General Setup - e.g. 8.8.8.8 and 8.8.4.4 (Google). Or you can use OpenDNS, or your ISP DNS servers or… - DNS Forwarder will use those to resolve queries.

                                gio79

                                Hello, in General Setup I put these settings:

                                (attached image: Immagine.jpg)

                                  gio79

                                  Hello, while in the DNS Forwarder settings I put these:

                                  (attached images: Immagine.png, Immagine2.png)

                                    phil.davis

                                    In DHCP Server, you need to remove 8.8.8.8 from DNS Servers.
                                    At the moment, your clients are getting 8.8.8.8 as their DNS server - so they are going straight to Google for DNS. They need to go to pfSense DNS Forwarder, then they will get the facebook.com restriction.

                                      gio79

                                      Hello, can you tell me how all the clients on the LAN can be set to use the DNS Forwarder in pfSense?

                                      Hello and thank you very much

                                        johnpoz (LAYER 8 Global Moderator)

                                        "all the clients on the LAN to the DNS Forwarder in pfSense?"

                                        This is the default configuration of the pfSense DHCP server - to point to itself as DNS. So what do you mean, how would you do it? Leave the DNS servers boxes in your DHCP server setup blank.

                                        NOTE: leave blank to use the system default DNS servers - this interface's IP if DNS forwarder is enabled, otherwise the servers configured on the General page.

                                        Bing Bang zoom, all DHCP clients of pfSense point to pfSense for DNS. If you're talking about them manually putting in something else - then just create a firewall rule that prevents outbound on 53 UDP/TCP and only allows it to the pfSense IP. Or create a forward that forwards DNS to the pfSense IP.

                                        Generally speaking, whatever you hand out in DHCP is what your users should be using - why would they not use what the DHCP server sends them?

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                          gio79
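                                        The lookup order phil.davis describes for Domain Overrides above ("!" versus a server IP, and why "!" answers faster) and the DHCP point made in the last two replies (the override only helps clients that actually query pfSense) can be modelled in a few lines. The following is an added example written for this thread, not pfSense's or dnsmasq's own code; all names and addresses in it are constructed, and it assumes dnsmasq-style matching of a domain override on label boundaries.

```python
# Added example (not pfSense's or dnsmasq's own code): a small model of the
# DNS Forwarder lookup order discussed in this thread, plus the DHCP point
# that the override only applies to clients that actually query pfSense.
# All names and addresses below are constructed.

NXDOMAIN = "NXDOMAIN"

def _labels(name):
    return name.rstrip(".").lower().split(".")

def suffix_matches(name, domain):
    """True if name is domain itself or a subdomain of it.

    Matching is done on label boundaries (assumed dnsmasq behaviour): an
    override for facebook.com covers www.facebook.com but not notfacebook.com.
    """
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[-len(d):] == d

def forwarder_answer(name, host_overrides, domain_overrides, upstream):
    """Return (action, value) describing how the forwarder handles a query.

    host_overrides:   {fqdn: ip}         Host Overrides (answered locally)
    domain_overrides: {domain: ip|"!"}   Domain Overrides
    upstream:         General Setup DNS servers, used for everything else
    """
    key = name.rstrip(".").lower()
    if key in host_overrides:               # local records win outright
        return ("local", host_overrides[key])
    hits = [d for d in domain_overrides if suffix_matches(key, d)]
    if hits:
        best = max(hits, key=lambda d: len(_labels(d)))  # most specific wins
        target = domain_overrides[best]
        if target == "!":                   # never forwarded -> immediate NXDOMAIN
            return ("nxdomain", NXDOMAIN)
        # Otherwise the query is forwarded to that server; if it is a dead
        # address the client waits for a timeout, which is why "!" is quicker.
        return ("forward-to", target)
    return ("forward-upstream", upstream[0])

def client_answer(client_dns, pfsense_lan_ip, name, *forwarder_args):
    """A client only gets the block if DHCP pointed it at pfSense."""
    if client_dns != pfsense_lan_ip:
        return ("bypassed", client_dns)     # e.g. 8.8.8.8 handed out by DHCP
    return forwarder_answer(name, *forwarder_args)
```

The "bypassed" result is the situation phil.davis diagnosed when 8.8.8.8 was still in the DHCP Server's DNS Servers field; johnpoz's firewall rule restricting outbound port 53 to the pfSense IP is what prevents it for manually configured clients.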

                                          Hello and thanks to all

                                          I am making a list of the various settings to be made so that pfSense is used as a DNS Forwarder:

                                          • In the DHCP Server, enable the DHCP server on the LAN and set the DNS
                                          • In the DNS Forwarder, turn it on and put in the domains to block for facebook
                                          • In the General Setup, do not put any value in the DNS
                                          • After that, create the two rules on the firewall

                                          Now I have a doubt: in the General Setup, do I have to set some parameters that you can see in the picture?

                                          Thanks to all

                                          (attached image: Immagine.jpg)

                                            phil.davis

                                            • In the General Setup does not put any value in the DNS

                                            If you have DHCP on WAN then check "Allow DNS server list to be overridden by DHCP/PPP on WAN" - then pfSense will get upstream DNS from the ISP DNS server/s.
                                            If you have static IP on WAN, then put DNS server/s in the boxes in General Setup. Use the IP addresses of your ISP DNS servers, or some public DNS (Google, OpenDNS…) Then pfSense will get upstream DNS from these.
                                            In all the above, the LAN clients will still get the pfSense LAN IP (DNS Forwarder) as their DNS server, which is what you want.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.