Netgate Discussion Forum

    Route all DNS requests to 1 server

    DHCP and DNS
    16 Posts 4 Posters 2.1k Views
    • GruensFroeschli:

      This wiki entry shows the general concept:
      https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

      Apply and adjust for your own usecase.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • User40405:

        Thanks so much, I will try it now.

        • User40405:

          Hey, can I possibly ask what they mean with this "Before adding this rule, ensure the DNS Forwarder or DNS Resolver is configured to bind and answer queries on Localhost, or All interfaces."? Sorry, I am sure this is very simple but I really have not used it a whole bunch. I have seen "DNS Forwarder" in some menu but do not know what they want me to do with it.

          • GruensFroeschli:

            The wiki page assumes that you want to redirect traffic to your own local dns resolver / forwarder.
            In your case you don't want to rewrite to the local one, but instead to another external one.

            Replace the 127.0.0.1 in the NAT rule from the page with 185.51.194.194.


            • coxhaus:

              I used a different method to allow access to 2 outside DNS servers and block all other DNS access. I used firewall rules. Does it make any difference with pfSense in the way it is done?
              Is one way faster than the other?

              I included a picture of my way.

              [Image: Capture.PNG]

              • Derelict (LAYER 8 Netgate):

                The port forward method will resolve names no matter what DNS servers are configured on the client. Except 127.0.0.1, something on the local subnet, or something else that isn't sent to the firewall.

                The method you described will limit DNS to just those servers with pass rules.

                Nothing wrong with either. It just depends on what you want.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • User40405:
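                The two approaches compared in the reply above, written out as pf rules. This is an added illustration, not text from the thread or from the pfSense wiki, and it is not what pfSense generates verbatim (pfSense builds its ruleset from the GUI; the NAT port forward and the LAN firewall rules in the GUI correspond to the `rdr` and `pass`/`block` lines here). The interface name `lan0` and the subnet `192.168.1.0/24` are assumptions; the two server addresses are the ones named in the thread.

                ```pf
                # Added example (not from the thread or the pfSense docs).
                # Assumed: lan0 is the LAN interface, 192.168.1.0/24 the LAN subnet.
                lan_if  = "lan0"
                lan_net = "192.168.1.0/24"
                ext_dns = "{ 185.51.194.194, 185.51.195.195 }"

                # Method 1 (port forward / redirect): every DNS query a LAN host sends to
                # any address other than the firewall itself is rewritten so it goes to
                # 185.51.194.194 instead. The wiki example puts 127.0.0.1 here, i.e. the
                # firewall's own forwarder/resolver, which is why that service has to be
                # listening on localhost or all interfaces before the rule is useful.
                rdr pass on $lan_if proto { tcp udp } from $lan_net to ! $lan_if port 53 -> 185.51.194.194 port 53

                # Method 2 (filter): allow port 53 only to the two chosen servers and drop
                # every other DNS destination. A client configured for 8.8.8.8 simply
                # gets no answer, so name resolution breaks until it is reconfigured.
                pass  quick on $lan_if proto { tcp udp } from $lan_net to $ext_dns port 53
                block quick on $lan_if proto { tcp udp } from $lan_net to any port 53
                ```

                Both rule sets only see traffic that actually crosses the LAN interface, which is the limitation Derelict describes: a client resolving against itself or against another host on the same subnet is untouched, and so is the firewall's own outbound resolution. Neither method catches DNS carried over TLS (port 853) or HTTPS (port 443); those need separate rules or a resolver-side policy. Port 53 is matched for both TCP and UDP because large answers and zone transfers fall back to TCP.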

                  I am still struggling to get this to work. Tried both ways and it does not block other dns servers. :( I must be doing something wrong but I do not know what it is.

                  • Derelict (LAYER 8 Netgate):

                    Post what you've done.


                    • User40405:

                      Ok, so here it goes.

                      Background info: Modem has DNS configured to 185.51.194.194

                      Step 1: Installed pfSense and configured it to work with 2 LAN ports (one WAN, other LAN)
                      Step 2: Set DNS server on pfSense but it would simply not work (as in it was using some other local DNS server)
                      Step 3: Enabled DNS Forwarder and DNS starts to work.
                      Step 4: Set Firewall Rule just like you did in that image but with DNS servers: 185.51.194.194 and 185.51.195.195
                      Here are some images:
                      http://s15.postimg.org/jni0kp2pn/Capture.png
                      http://s15.postimg.org/4stf6it4r/Capture1.png
                      http://s15.postimg.org/mk51kz8jf/Capture2.png
                      http://s15.postimg.org/i22qsvshn/Capture3.png
                      http://s15.postimg.org/p40of2w3f/Capture4.png
                      http://s15.postimg.org/zct5kwk57/Capture5.png
                      Step 5: Tested to see if DNS servers were blocked/re-routed using CMD on a Windows PC. Here is the result for a ping to 84.200.69.80
                      Image: http://s18.postimg.org/5rfccbydl/Capture6.png

                      I really am not sure if I am doing something wrong so please let me know if I am :) Basically what I am trying to do is ONLY use 185.51.194.194 or 185.51.195.195 as DNS server for my whole network. I used to block some well known DNS servers such as 8.8.8.8 and 8.8.4.4 but is there any way to re-route all DNS requests to those 2 servers? Here is an image of blocked 8.8.8.8: http://s9.postimg.org/d8gbqfjgv/Capture7.png

                      Here is also an image of ipconfig: http://s27.postimg.org/ujgm98zab/Capture8.png

                      Thanks so much for the help!!

                      • User40405:

                        Ok so I have removed the DNS that was set on my modem. The DNS I set in pfSense is working just fine but I still need to either block some IPs or re-route all DNS requests to that server (185.51.194.194/185.51.195.195)

                        • User40405:

                          Ok, think it may be working now but can someone confirm with an image here: http://s22.postimg.org/y74d0soq9/Capture.png

                          • User40405:

                            Nah, still no luck... I can still ping other DNS servers and traffic is being sent to other DNS servers. :(

                            • GruensFroeschli:

                              Well ping is ICMP.
                              You're making a rule for DNS (UDP port 53), not ICMP.
                              Of course you can still ping this address ;)


                              • User40405:
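                              The point made above is that ping exercises ICMP, so it says nothing about a rule that only matches UDP/TCP port 53. The right check sends an actual DNS query to the server in question. The script below is an added example, not code from the thread or from pfSense; it builds a minimal A-record query, sends it over UDP to a chosen server and reports whether an answer came back, timed out, or was rejected. The hostname `example.com`, the constructed sample response and the server addresses in the `__main__` block are assumptions for illustration.

                              ```python
                              """Test a DNS rule with a real DNS query (UDP port 53), not with ping.

                              Added example, not from the forum thread or from pfSense.  Interpretation:
                              - 'answer'      : the query got a reply.  With the block-rule method this means
                                                the server is permitted; with the redirect method it happens
                                                for ANY server address, because the reply comes from the
                                                redirect target, so an answer from 8.8.8.8 proves nothing.
                              - 'timeout'     : silently dropped (a pf 'block' rule) or server unreachable.
                              - 'unreachable' : actively rejected (ICMP unreachable, a pf 'reject' rule).
                              """
                              import random
                              import socket
                              import struct
                              from typing import Dict, List, Optional


                              def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
                                  """Return a minimal DNS query for `name` (A record by default), RD set."""
                                  if txid is None:
                                      txid = random.randint(0, 0xFFFF)
                                  # id, flags (RD=1), qdcount=1, ancount=0, nscount=0, arcount=0
                                  header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
                                  labels = name.rstrip(".").split(".")
                                  qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
                                  return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


                              def _skip_name(data: bytes, pos: int) -> int:
                                  """Advance past a (possibly compressed) domain name; return the next offset."""
                                  while True:
                                      length = data[pos]
                                      if length == 0:
                                          return pos + 1
                                      if length & 0xC0 == 0xC0:      # compression pointer occupies 2 bytes
                                          return pos + 2
                                      pos += 1 + length


                              def parse_response(data: bytes, expected_txid: int) -> Dict[str, object]:
                                  """Parse the header and any A records; return {'rcode': int, 'answers': [str]}."""
                                  if len(data) < 12:
                                      raise ValueError("short DNS response")
                                  txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
                                  if txid != expected_txid:
                                      raise ValueError("transaction id mismatch")
                                  if not flags & 0x8000:
                                      raise ValueError("QR bit not set: not a response")
                                  pos = 12
                                  for _ in range(qd):                # skip echoed question(s)
                                      pos = _skip_name(data, pos) + 4
                                  answers: List[str] = []
                                  for _ in range(an):
                                      pos = _skip_name(data, pos)
                                      rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
                                      pos += 10
                                      if rtype == 1 and rclass == 1 and rdlen == 4:
                                          answers.append(".".join(str(b) for b in data[pos:pos + 4]))
                                      pos += rdlen
                                  return {"rcode": flags & 0x000F, "answers": answers}


                              def query(server: str, name: str, timeout: float = 2.0) -> Dict[str, object]:
                                  """Send one UDP query to server:53 and classify the outcome."""
                                  txid = random.randint(0, 0xFFFF)
                                  packet = build_query(name, txid=txid)
                                  with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                                      sock.settimeout(timeout)
                                      # connect() so an ICMP port-unreachable is surfaced as an error
                                      sock.connect((server, 53))
                                      try:
                                          sock.send(packet)
                                          data = sock.recv(4096)
                                      except socket.timeout:
                                          return {"status": "timeout"}
                                      except OSError as exc:
                                          return {"status": "unreachable", "error": str(exc)}
                                  result = parse_response(data, txid)
                                  result["status"] = "answer"
                                  return result


                              if __name__ == "__main__":
                                  # Assumed test targets: the two permitted servers from the thread and
                                  # one that should be blocked (or redirected) if the rule works.
                                  for srv in ("185.51.194.194", "185.51.195.195", "8.8.8.8"):
                                      print(srv, query(srv, "example.com"))
                              ```

                              Run it from a LAN client behind the firewall. With the filter method the query to 8.8.8.8 should time out while the two permitted servers answer; with the redirect method all three answer, and the only way to tell a redirected answer from a direct one is to query a name that only the redirect target resolves (for example a host override defined on the forwarder).
                              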

                                Sorry guys, think I confused myself and all of you... Can I do this on pfSense: https://getflix.zendesk.com/hc/en-gb/articles/202281524-Block-Public-DNS-Overview
                                Those IPs need to be blocked basically and I really have no idea of how to do it. Router can do it but was hoping I could do it with pfSense if possible. Thanks for all the help everyone!! :)

                                • Derelict (LAYER 8 Netgate):

                                  You sort of need to separate blocking the IP addresses and blocking DNS.

                                  There are two methods outlined in this thread.

                                  The first forwards all queries made to any DNS server to a specific DNS server.

                                  The second blocks queries to all DNS servers except those specified.

                                  It sounds like you want the former. Just because you can ping doesn't mean the DNS isn't being forwarded as specified.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.