Netgate Discussion Forum
DNS forwarder for specific people

Category: DHCP and DNS
15 Posts 4 Posters 2.5k Views
killmasta93

Hi,
So I was wondering if someone could help me. I finally figured out how to block YouTube with the DNS forwarder and it works great. But let's say I would want to block it for everyone except for 3 people. Would that be possible? Or is there another way?

      Thank you

EDIT:
Would it be possible to block YouTube through Snort instead?
(attached image: Capture.PNG)

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

tim.mcmanus

        I have no idea how you have your DNS and network set up, so I'll instead convey what I did to achieve the same thing.

        I run an internal DNS server for my LAN and the servers/services running on it.  My infrastructure relies on that DNS server for all internal communications.  The administrators on the LAN use that DNS server for all queries as none are blocked on it.

        I use OpenDNS for all clients on the LAN.  In this I've specifically blocked all of the "creepy" sites, so users get blocked when they do certain lookups.  The OpenDNS servers are the DNS servers given to all of my LAN clients.  My administrators manually enter in the DNS server on the LAN (10.0.1.240) to use that instead of OpenDNS.

        If I wanted to, I could create a rule that only allows port 53 to go to OpenDNS's name servers, and create an exemption for my LAN DNS server so those lookups worked.

        If you can post more information about your network and the services on it, I might be able to help.  However, I wanted to at least share my solution to see if it might help you resolve your issue.

killmasta93

Hi,

Thank you for the reply. I was thinking of using OpenDNS, but I use another server for DNS. See the picture below for my setup. I was thinking maybe Snort could do the trick, but have had no luck so far :(

Also, not sure if having the 127.0.0.1 is a good idea?

Thank you

(attached images: Drawing11.png, Clipboarder.2015.05.06-002.png)

KOM

            One method would be to block all DNS for your regular users by blocking UDP port 53 on LAN and force them to use your DNS Forwarder, but for your special users you can have a firewall rule that allows them out direct on UDP 53.  Then they could use any 3rd-party DNS instead of yours.

killmasta93

> but for your special users you can have a firewall rule that allows them out direct on UDP 53. Then they could use any 3rd-party DNS instead of yours.

Hi,
Thank you for the quick reply, but if they use a 3rd-party DNS, let's say 8.8.8.8, wouldn't they have trouble communicating with the server DNS (192.168.1.202)?

              Thank you

tim.mcmanus

                I'm assuming your .202 machine is a Domain Controller, and that's why you need that as your primary DNS machine.

                You can still do what you want to do.

In the three users' DNS settings on their PCs, manually enter 8.8.8.8 as the first DNS server to do lookups and then 192.168.1.202 as the second DNS server.

                This line in the FAQ is a good description:  "The DNS forwarder will answer DNS requests from clients, and in turn attempt to resolve queries using all currently available configured DNS servers. This way, it is not necessary to configure public DNS servers directly on client systems."

                For the three users, you're going to manually configure public DNS servers to override this feature.

                That should work.

killmasta93

tim.mcmanus, thanks for the reply.

> In the three users' DNS settings on their PCs, manually enter 8.8.8.8 as the first DNS server to do lookups and then 192.168.1.202 as the second DNS server.

Something like the picture below?

So they could override the DNS because of the firewall rule that I would create? Meaning no one else could do that.

Also, will they still be able to communicate with the domain controller without a slow response rate?

Thank you

(attached image: Clipboarder.2015.05.06-012.png)

chris4916

I know it doesn't help and doesn't answer your specific question, however there are a couple of points I'd like to raise.

1 - Blocking or allowing access to web sites is better handled using a proxy than DNS, even if it can somewhat be achieved with DNS and fake entries.

2 - DNS, as a protocol, doesn't require authentication. Thus using a specific DNS setting "for specific people" is quite challenging from a technical standpoint. You may achieve "specific DNS settings for specific IPs" (or specific workstations), but this is different and by no means linked to people.

Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

tim.mcmanus

@killmasta93:

> Something like the picture below?
>
> So they could override the DNS because of the firewall rule that I would create? Meaning no one else could do that.
>
> Also, will they still be able to communicate with the domain controller without a slow response rate?
>
> Thank you

                      Yes, your picture is accurate.

                      I believe that as long as they are not querying the router or AD, it should work.  I haven't tested it, but in theory it should.

                      I don't know specifically how Windows does DNS lookups, but it should query the first DNS server, and if it doesn't get a response, it'll go to the second DNS server for the lookup.

                      This also isn't bulletproof.  I've had some clients get stuck querying the second server, or if the client queries all servers in parallel, it'll use the first response it gets.

chris4916 brings up a good point: there are better ways to do this, but they are more involved. You should consider all of your options.

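The two arrangements discussed above (KOM's firewall rule that lets only chosen client IPs out on UDP/53, and tim.mcmanus's per-PC server ordering) can be modelled to see where they interact. The following is an added example, not code from the thread or from pfSense: the client IPs, the allow-list, the internal name `dc01.corp.example` and the zone data are constructed; `192.168.1.202` and `8.8.8.8` are the addresses used in the thread. The stub-resolver rule it assumes is the common one: any real answer, including NXDOMAIN, ends the lookup, and only a timeout moves the client on to the next server.

```javascript
// Added example (not from the thread): a model of per-client DNS egress
// control plus an ordered server list on the client.

const FORWARDER = "192.168.1.202"; // internal DNS / forwarder carrying the block (from the thread)
const PUBLIC_DNS = "8.8.8.8";      // third-party resolver (from the thread)

// Constructed zone data: what each server would answer. The forwarder has the
// internal zone plus a host override that sinkholes the blocked site.
const ZONES = {
  [FORWARDER]: {
    "dc01.corp.example": "192.168.1.202", // assumed internal host name
    "www.youtube.com": "0.0.0.0",         // host override: blocked
  },
  [PUBLIC_DNS]: {
    "www.youtube.com": "203.0.113.10",    // constructed documentation address
  },
};

// Constructed: the three client IPs the firewall lets out on UDP/53 directly.
// Note this binds the exception to addresses, not to people (chris4916's point).
const DIRECT_DNS_ALLOWED = new Set(["192.168.1.50", "192.168.1.51", "192.168.1.52"]);

// Egress policy: every client may reach the forwarder; only allow-listed
// clients may reach any other resolver on port 53.
function egressAllowed(clientIp, serverIp) {
  return serverIp === FORWARDER || DIRECT_DNS_ALLOWED.has(clientIp);
}

// One query to one server. A firewall block looks like a timeout to the client.
function query(clientIp, serverIp, name) {
  if (!egressAllowed(clientIp, serverIp)) return { rcode: "TIMEOUT" };
  const zone = ZONES[serverIp] || {};
  return name in zone ? { rcode: "NOERROR", addr: zone[name] } : { rcode: "NXDOMAIN" };
}

// Stub-resolver model (assumption): walk the configured servers in order;
// a real answer, NXDOMAIN included, is final; only a timeout falls through.
function resolve(clientIp, servers, name) {
  for (const server of servers) {
    const r = query(clientIp, server, name);
    if (r.rcode !== "TIMEOUT") return { server, ...r };
  }
  return { server: null, rcode: "TIMEOUT" };
}

// The cases the thread raises, as one callable set of results.
function scenarios() {
  const regular = "192.168.1.100"; // constructed: not on the allow-list
  const special = "192.168.1.50";  // constructed: allow-listed, public DNS first
  return {
    // regular user, forwarder only: the override applies
    regularBlocked: resolve(regular, [FORWARDER], "www.youtube.com"),
    // regular user who hand-edits 8.8.8.8 in: firewall drops it, forwarder answers
    regularBypassAttempt: resolve(regular, [PUBLIC_DNS, FORWARDER], "www.youtube.com"),
    // allow-listed user: public resolver answers, override never consulted
    specialUnblocked: resolve(special, [PUBLIC_DNS, FORWARDER], "www.youtube.com"),
    // allow-listed user looking up an internal name: public NXDOMAIN is final
    specialInternalName: resolve(special, [PUBLIC_DNS, FORWARDER], "dc01.corp.example"),
    // same user with the internal server first: internal name resolves
    specialInternalFirst: resolve(special, [FORWARDER, PUBLIC_DNS], "dc01.corp.example"),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

The `specialInternalName` case is the one to watch: with the public resolver listed first, an internal name gets NXDOMAIN from it and the client never asks the internal server, which matches the "trouble connecting to the server" reported later in the thread. Putting the internal server first fixes that but then the override applies to those users too, so an ordered server list cannot give one client both the internal zone and an unfiltered view of public names.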
killmasta93

@chris you're absolutely right. But in this case I tried blocking YouTube through squidGuard, which works only for HTTP; HTTPS sites like Facebook block perfectly by IP, but YouTube is impossible, I tried every Google IP but nothing. My hopes are for E2guardian :)

@tim thank you again, I'll give it a try and let you know, but I think the client will have some trouble every now and then, because I remember one time I made a VLAN with 8.8.8.8 as DNS and there was trouble connecting to the server.

                        Thank you again

chris4916

@killmasta93:

> @chris you're absolutely right. But in this case I tried blocking YouTube through squidGuard, which works only for HTTP; HTTPS sites like Facebook block perfectly by IP, but YouTube is impossible, I tried every Google IP but nothing. My hopes are for E2guardian :)

Based on what you describe, I believe you deployed Squid in transparent mode. This doesn't work because a transparent proxy can't handle HTTPS.
You have to deploy Squid in explicit (standard, non-transparent) mode.
Furthermore, be aware that even if it worked, this wouldn't have solved your issue about profiling, which requires authentication in order to identify who these specific people are. This requires an explicit proxy too.

With an explicit proxy, you can achieve exactly what you are asking for:

• identifying people (thanks to authentication)
• HTTP AND HTTPS access control

No need to fight with IP addresses :)

I know that you will tell me that you can't maintain proxy settings on each device: the answer for that is WPAD 8)

killmasta93

> Based on what you describe, I believe you deployed Squid in transparent mode. This doesn't work because a transparent proxy can't handle HTTPS.
> You have to deploy Squid in explicit (standard, non-transparent) mode.
> Furthermore, be aware that even if it worked, this wouldn't have solved your issue about profiling, which requires authentication in order to identify who these specific people are. This requires an explicit proxy too.

True, true, but then comes the

> I know that you will tell me that you can't maintain proxy settings on each device:

which sucks, but

> the answer for that is WPAD

                            I have been following https://forum.pfsense.org/index.php?topic=93060.msg517133#msg517133

                            I wonder if he had any luck?  :o

chris4916

@killmasta93:

> which sucks, but

Why? An HTTP proxy is more efficient than what you are trying to implement because it has been designed for this purpose :)

> I have been following https://forum.pfsense.org/index.php?topic=93060.msg517133#msg517133
> I wonder if he had any luck? :o

I don't get your point. Do you mean to say that you are waiting for this guy to successfully deploy WPAD before you give it a try? :o
There is no feedback from this guy for the time being; however, making your decision based on some posts from people facing problems is a weird approach, IMHO. But it's obviously up to you to decide ;)

killmasta93

> Why? An HTTP proxy is more efficient than what you are trying to implement because it has been designed for this purpose

It is more efficient; I meant the part that sucked is installing the certs. If it was around 10 computers, fine, but if there are 500, or cellphones, that's a problem with Squid in explicit mode.

> I don't get your point. Do you mean to say that you are waiting for this guy to successfully deploy WPAD before you give it a try?

I already tried, thinking maybe 2.2.2 would work while he's on 2.1.5, but I did not get as far as he did; it blocked all HTTP and HTTPS sites lolz. But I love the idea with WPAD, I just wish there was a detailed guide.

                                Thanks again for everything

chris4916

I suppose there is some misunderstanding here.

1 - Deploying a standard (explicit) HTTP proxy does not require any cert to be deployed, for either HTTP or HTTPS. The reason is that the HTTPS connection is between the web server and the browser.
2 - WPAD doesn't depend on pfSense, although you may want pfSense to handle some WPAD-related stuff like DNS or DHCP or even proxy.pac.
3 - I suspect there is something mixed up with a MITM-like implementation. While I strongly suggest not moving in this direction, in case you do want to deploy it, please understand this is something different from the general behaviour of an HTTP proxy with WPAD.

Give it a try with WPAD + HTTP proxy in explicit mode without HTTPS interception (MITM): it will give you the capability to profile access to the internet (who can do what) and access control for HTTP and HTTPS URLs.
Obviously, with such an implementation, there is no content filtering for HTTPS web sites, but that is another story ;)

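The WPAD approach chris4916 describes comes down to serving the browsers a `proxy.pac` that says which destinations go via the explicit proxy and which are reached directly. The file below is an added example, not the thread's or pfSense's own: the proxy name `proxy.corp.example:3128`, the internal domain `.corp.example`, and the choice to treat the RFC 1918 ranges as internal are assumptions. Browsers supply `isPlainHostName`, `dnsDomainIs`, `shExpMatch` and `isInNet` to PAC scripts; stand-ins are defined here only so the policy can be run and tested under Node.

```javascript
// Added example (not from the thread): a proxy.pac for an explicit-proxy
// deployment announced via WPAD.

// --- PAC built-ins (stand-ins for testing; browsers provide the real ones) ---
// Remove this section from the copy you actually serve.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Translate a shell glob (* and ?) into an anchored regular expression.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*")
                      .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
function isInNet(host, pattern, mask) {
  // A browser engine resolves host names first; this stand-in only accepts
  // dotted-quad literals, which is all the policy below needs for its tests.
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// --- Policy ------------------------------------------------------------------
var PROXY = "PROXY proxy.corp.example:3128"; // assumed explicit (authenticating) proxy

function FindProxyForURL(url, host) {
  // Internal names and private address space bypass the proxy, so the
  // domain controller and other LAN services are reached directly.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else, HTTP and HTTPS alike, goes through the proxy. There is
  // deliberately no "; DIRECT" fallback: if the proxy is unreachable, access
  // fails closed instead of silently bypassing the access control.
  return PROXY;
}
```

Because the proxy is explicit, an HTTPS request reaches it as a `CONNECT host:port` from the browser, so the proxy can apply per-user (authenticated) allow or deny decisions on the host name without any certificate on the clients; that is exactly the "access control for HTTPS URLs, no content filtering" split the post above describes.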
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.