Netgate Discussion Forum

    [SOLVED] Different DNS forwarders for VLAN's

    General pfSense Questions
    17 Posts 4 Posters 8.8k Views
    • stephenw10S Offline
      stephenw10 Netgate Administrator
      last edited by

      Nice.  :)

      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator
        last edited by

        You could also just replace the word "protected" with "restricted" to be more accurate..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • P Offline
          Panja
          last edited by

          Done!  8)

          • M Offline
            molykule
            last edited by

            Hi,

            Can you please post a screenshot of your NAT rules and the setup page for the forwarder and resolver?

            thanks,
            molykule

            @Panja:

            Hi Steve!

            Just wanted to let you know I implemented the double DNS service per your advice.
            DNS forwarder on port 53.
            DNS resolver on port 1053. Unticked the box "Enable Forwarding Mode".

            On my (normal) LAN, WIFI and WIFI_GUEST networks I have set up NAT rules to only allow DNS traffic to my pfSense box.
            All other DNS traffic (for instance to 8.8.8.8) will be forwarded to the pfSense box.
            This way no one connected to those networks can use any other DNS service besides the pfSense box.

            On my LAN_ADMIN and WIFI_ADMIN networks I have set a NAT rule for all DNS traffic (port 53) to my pfSense box to translate that into port 1053.

            Works as advertised!

            LAN, WIFI and WIFI_GUEST are restricted with OpenDNS web filtering.
            LAN_ADMIN and WIFI_ADMIN are using the DNS resolver and are free to go anywhere.
            8)

            Thanks again!

            [EDIT]
            Changed protected to restricted. :)

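The setup Panja describes above (catch every port-53 query on the filtered networks and send it to the firewall's forwarder, and send the admin networks' port-53 queries to the resolver on 1053), written out as an added example that is not part of the thread and not pfSense's own generated ruleset. It prints the pf(4) rdr rules that correspond to those port forwards, adds a dig-based check that shows whether the redirect is actually intercepting queries from a client, and covers the one gap such a redirect leaves open. Interface names, subnets and firewall addresses are constructed; pfSense writes its own rules from the GUI, so this is a reference for what the port forward means, not something to paste into pfSense.

```shell
#!/bin/sh
# Added illustration of the thread's NAT design, not code from the thread or from pfSense.
# Interfaces (em1, em2), subnets and gateway addresses below are constructed examples.

# dns_redirect_rules IFACE NET GW_IP TARGET_PORT
# Prints the rdr rule(s) that send every UDP/TCP port-53 query leaving IFACE to the
# firewall at GW_IP on TARGET_PORT, whatever server the client actually asked.
dns_redirect_rules() {
    iface=$1; net=$2; gw=$3; tport=$4
    # Queries aimed at some other server (8.8.8.8, the ISP, ...) are rewritten to the firewall.
    printf 'rdr pass on %s inet proto { tcp udp } from %s to ! %s port 53 -> %s port %s\n' \
        "$iface" "$net" "$gw" "$gw" "$tport"
    # Queries already aimed at the firewall only need rewriting when the service is not on 53
    # (the LAN_ADMIN / WIFI_ADMIN case: forwarder on 53, resolver on 1053).
    if [ "$tport" != 53 ]; then
        printf 'rdr pass on %s inet proto { tcp udp } from %s to %s port 53 -> %s port %s\n' \
            "$iface" "$net" "$gw" "$gw" "$tport"
    fi
}

# The two groups from the thread: filtered networks get the forwarder on 53,
# admin networks get the resolver on 1053.
filtered_network_rules() { dns_redirect_rules "$1" "$2" "$3" 53; }
admin_network_rules()    { dns_redirect_rules "$1" "$2" "$3" 1053; }

# Redirecting port 53 says nothing about DNS over TLS (tcp/853); a client configured for
# DoT walks straight past the forwarder's filtering. This rule closes that path.
# (DNS over HTTPS shares tcp/443 with ordinary web traffic and cannot be singled out by port.)
dot_block_rule() {
    printf 'block return on %s inet proto tcp from %s to any port 853\n' "$1" "$2"
}

# check_redirect NAME FW_IP [EXTERNAL_IP]
# Run from a client on the redirected network. Ask an external server for a name that only
# the firewall can answer (a host override, for instance); if the redirect is in place the
# "external" server answers exactly like the firewall, because the query never left the LAN.
# Needs dig(1) and a live network, so it is not called below.
check_redirect() {
    name=$1; fw=$2; external=${3:-8.8.8.8}
    expected=$(dig +short "$name" @"$fw")
    seen=$(dig +short "$name" @"$external")
    if [ -n "$expected" ] && [ "$expected" = "$seen" ]; then
        echo "redirect OK: $external answered like $fw for $name"
        return 0
    fi
    echo "NOT redirected: $fw -> '$expected', $external -> '$seen'"
    return 1
}

# Example output for the two groups (constructed addresses).
echo '# WIFI_GUEST -> forwarder (OpenDNS upstream)'
filtered_network_rules em1 192.168.20.0/24 192.168.20.1
dot_block_rule em1 192.168.20.0/24
echo '# LAN_ADMIN -> resolver on 1053'
admin_network_rules em2 192.168.10.0/24 192.168.10.1
dot_block_rule em2 192.168.10.0/24
```

The check is the part worth keeping: a port forward that looks right in the GUI can still be shadowed by an earlier rule or miss one protocol, and `dig +short hostoverride.example @8.8.8.8` returning the firewall's answer is the only proof that clients really cannot route around the filter on port 53.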
            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              Have you attempted this and it didn't work as expected?

              Steve

              • M Offline
                molykule
                last edited by

                Hi Steve,

                Many thanks for the prompt reply. I am not very good with DNS setup. I have Unbound working on LAN, OPT1 and OPT2. I am lost at the NAT setting for the forwarder and the setup page for the forwarder, as to which settings to choose.

                I want to use DMZ on the DNS forwarder. So I have to choose DMZ and DMZ IPv6 Link-Local in interfaces, and choose under DNS Query Forwarding - Do not forward private reverse lookups.
                Add port 5353 under port number, and then port forward 5353 on the DMZ interface to port 53 for the DMZ interface.
                Is this all correct? I have pasted a screenshot of my NAT rules. I have a feeling it is wrong. Is there any additional rule on NAT or port-forward I have to add?

                thank you very much for helping me,
                molykule

                ![nat rules.JPG](/public/imported_attachments/1/nat rules.JPG)

                • M Offline
                  molykule
                  last edited by

                  Hi,

                  Can somebody who has done this please help me out?

                  thanks,
                  molykule

                  • johnpozJ Offline
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    " which the SSID_ADMIN connects to, to have a different dns forwarder."

                    What exactly are you wanting???  Your devices that you want to resolve your local stuff should point to pfsense or some local dns.  Devices like guest that you don't want to resolve your local stuff.. Just hand them a public dns.. You're thinking about this too much, or not at all if you look at it another way ;)

                    There is zero reason to use a gateway for dns, etc.  Your devices on your network that need to resolve your local stuff can just ask pfsense - be it using a forwarder or the default resolver so you can resolve your local stuff.  Guests or devices you don't want or need to resolve stuff - just let them use some public dns like google or open or your isp, etc.  Just hand them those via dhcp if you want to be nice, etc.


                    • M Offline
                      molykule
                      last edited by

                      Hi John,

                      I have 2 dual NICs which give me LAN, OPT1, OPT2 and DMZ. I am using Unbound and pfBlockerNG with host overrides for safe YouTube and safe Google.
                      The problem comes when I want to play YouTube: it filters that out, assuming it is adult content.
                      I want to have DMZ free to go anywhere. Therefore I was trying to remove it from Unbound and move it to the forwarder.
                      As I understand, you are saying that I can remove the DMZ interface from Unbound and then, in its DHCP server configuration page, set up 8.8.8.8 or any other DNS setting for it.
                      Is that correct, or am I still wrong?
                      Many thanks for taking the time and helping me out,
                      molykule

                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        You are correct.. does your dmz need to resolve anything local?  Would seem unlikely to me that a dmz would need to resolve internal stuff. Since normally your dmz would be restricted from talking to stuff on your other networks anyway - this is what makes it a dmz ;)

                        So yeah if you want to surf porn on this site and pfblocker is blocking you - then just let the dmz use google or open or your isp or any other public dns out there 4.2.2.2 for example.. Either set that on machine directly or hand that out via dhcp to the box in your "dmz"


                        • stephenw10S Offline
                          stephenw10 Netgate Administrator
                          last edited by

                          Last come back here but yeah it sounds like you can just hand external DNS servers to DMZ clients if they only need to resolve unfiltered external hosts.

                          No need to bother with dual DNS on the firewall etc.

                          Steve

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.