Netgate Discussion Forum

    Route all DNS requests to 1 server

    DHCP and DNS
    16 Posts 4 Posters 2.1k Views
    • Derelict LAYER 8 Netgate

      The port forward method will resolve names no matter what DNS servers are configured on the client. Except 127.0.0.1, something on the local subnet, or something else that isn't sent to the firewall.

      The method you described will limit DNS to just those servers with pass rules.

      Nothing wrong with either. It just depends on what you want.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • User40405

        I am still struggling to get this to work. Tried both ways and it does not block other dns servers. :( I must be doing something wrong but I do not know what it is.

        • Derelict LAYER 8 Netgate

          Post what you've done.


          • User40405

            Ok, so here it goes.

            Background info: Modem has DNS configured to 185.51.194.194

            Step 1: Installed pfSense and configured it to work with 2 LAN ports (one WAN, the other LAN)
            Step 2: Set DNS server on pfSense but it would simply not work (as in it was using some other local DNS server)
            Step 3: Enabled DNS Forwarder and DNS starts to work.
            Step 4: Set firewall rule just like you did in that image but with DNS servers 185.51.194.194 and 185.51.195.195
                    Here are some images:
                    http://s15.postimg.org/jni0kp2pn/Capture.png
                    http://s15.postimg.org/4stf6it4r/Capture1.png
                    http://s15.postimg.org/mk51kz8jf/Capture2.png
                    http://s15.postimg.org/i22qsvshn/Capture3.png
                    http://s15.postimg.org/p40of2w3f/Capture4.png
                    http://s15.postimg.org/zct5kwk57/Capture5.png
            Step 5: Tested to see if DNS servers were blocked/rerouted using CMD on a Windows PC. Here is the result for a ping to 84.200.69.80
                    Image: http://s18.postimg.org/5rfccbydl/Capture6.png

            I really am not sure if I am doing something wrong, so please let me know if I am :) Basically what I am trying to do is ONLY use 185.51.194.194 or 185.51.195.195 as DNS server for my whole network. I used to block some well-known DNS servers such as 8.8.8.8 and 8.8.4.4, but is there any way to reroute all DNS requests to those 2 servers? Here is an image of blocking 8.8.8.8: http://s9.postimg.org/d8gbqfjgv/Capture7.png

            Here is also an image of ipconfig: http://s27.postimg.org/ujgm98zab/Capture8.png

            Thanks so much for the help!!

            • User40405

              Ok, so I have removed the DNS that was set on my modem. The DNS I set in pfSense is working just fine, but I still need to either block some IPs or reroute all DNS requests to that server (185.51.194.194/185.51.195.195).

              • User40405

                Ok, I think it may be working now, but can someone confirm with an image here: http://s22.postimg.org/y74d0soq9/Capture.png

                • User40405

                  Nah, still no luck… I can still ping other DNS servers and traffic is being sent to other DNS servers. :(

                  • GruensFroeschli

                    Well ping is ICMP.
                    You're making a rule for DNS (UDP port 53), not ICMP.
                    Of course you can still ping this address ;)

                    We do what we must, because we can.

                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                    • User40405

                      Sorry guys, I think I confused myself and all of you… Can I do this on pfSense: https://getflix.zendesk.com/hc/en-gb/articles/202281524-Block-Public-DNS-Overview
                      Those IPs need to be blocked basically, and I really have no idea of how to do it. The router can do it, but I was hoping I could do it with pfSense if possible. Thanks for all the help everyone!! :)

                      • Derelict LAYER 8 Netgate

                        You sort of need to separate blocking the IP addresses and blocking DNS.

                        There are two methods outlined in this thread.

                        The first forwards all queries made to any DNS server to a specific DNS server.

                        The second blocks queries to all DNS servers except those specified.

                        It sounds like you want the former. Just because you can ping doesn't mean the DNS isn't being forwarded as specified.

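The two methods Derelict describes, the port forward that redirects every outbound DNS query and the pass/block pair that only lets the chosen servers through, written out side by side in the pf rule syntax that pfSense's generated ruleset uses. This is an added example, not configuration from the thread or from pfSense itself; the interface name, LAN subnet and table name are assumptions, and the server addresses are the ones the poster wants to use.

```pf
# Added example: pf equivalents of the two approaches discussed above.
# The interface, LAN network and table name are illustrative assumptions.
lan_if  = "igb1"
lan_net = "192.168.1.0/24"
table <dns_allowed> { 185.51.194.194, 185.51.195.195 }

# Method 1 (port forward / redirect): any port-53 query from the LAN to a
# destination that is NOT already one of the allowed servers is rewritten
# so it goes to 185.51.194.194 instead. On pfSense the target is often
# 127.0.0.1 so the firewall's own DNS Forwarder answers. Queries aimed at
# 127.0.0.1 on the client, or at a resolver on the same subnet, never reach
# the firewall, so this rule cannot catch them.
rdr pass on $lan_if inet proto { tcp, udp } from $lan_net to ! <dns_allowed> port 53 -> 185.51.194.194 port 53

# Method 2 (allow-list): pass port 53 to the listed servers, then block and
# log port 53 to anything else. "quick" makes the first match final, so
# these must sit above the general LAN-to-any pass rule or that rule wins.
pass in quick on $lan_if inet proto { tcp, udp } from $lan_net to <dns_allowed> port 53
block in log quick on $lan_if inet proto { tcp, udp } from $lan_net to any port 53
```

Test with a DNS query, not ping: on the Windows client, `nslookup example.com 8.8.8.8` sends a port-53 query straight to 8.8.8.8. Under method 1 it still gets an answer (the firewall silently rewrote the destination); under method 2 it times out and a logged block entry appears. A successful ping of 8.8.8.8 says nothing either way, because ICMP matches neither rule. Both methods only cover plain DNS on port 53; a client using DNS over TLS (port 853) or DNS over HTTPS (port 443) is outside their reach.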

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.