[SOLVED] Different DNS forwarders for VLAN's
-
You could also just replace the word "protected" with "restricted" to be more accurate..
-
Done! 8)
-
Hi,
Can you please post a screenshot of your NAT rules and setup page for forwarder and resolver,
thanks,
molykule
-
Hi Steve!
Just wanted to let you know I implemented the double DNS service per your advice.
DNS forwarder on port 53.
DNS resolver on port 1053. Unticked the box "Enable Forwarding Mode".

On my (normal) LAN, WIFI and WIFI_GUEST networks I have set up NAT rules to only allow DNS traffic to my pfSense box.
All other (for instance 8.8.8.8) will forward to the pfSense box.
This way no one connected to those networks can use any other DNS service besides the pfSense box.

On my LAN_ADMIN and WIFI_ADMIN networks I have set a NAT rule for all DNS traffic (port 53) to my pfSense box to translate that into port 1053.
Works as advertised!
LAN, WIFI and WIFI_GUEST are restricted with OpenDNS web filtering.
LAN_ADMIN and WIFI_ADMIN are using the DNS resolver and are free to go anywhere.
8) Thanks again!
[EDIT]
Changed protected to restricted. :)
-
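The NAT arrangement in this post (forwarder on 53 for the restricted networks, resolver on 1053 for the admin networks, every client's port-53 query pulled back to the firewall) expressed as the pf rules pfSense generates under the hood. This is an added example, not config from the thread or from pfSense itself; the interface names igb1 to igb5, the 192.168.x.0/24 networks and the firewall addresses are assumptions, and on pfSense you would build the same thing in Firewall > NAT > Port Forward and Firewall > Rules rather than editing pf.conf by hand:

```pf
# Constructed pf.conf fragment. Interface names, networks and firewall
# addresses below are assumptions; substitute the real ones.
lan_if        = "igb1"   # LAN         192.168.1.0/24   firewall 192.168.1.1
wifi_if       = "igb2"   # WIFI        192.168.2.0/24   firewall 192.168.2.1
guest_if      = "igb3"   # WIFI_GUEST  192.168.3.0/24   firewall 192.168.3.1
lan_admin_if  = "igb4"   # LAN_ADMIN   192.168.10.0/24  firewall 192.168.10.1
wifi_admin_if = "igb5"   # WIFI_ADMIN  192.168.11.0/24  firewall 192.168.11.1

restricted = "{" $lan_if $wifi_if $guest_if "}"
admin      = "{" $lan_admin_if $wifi_admin_if "}"

# --- Translation rules (pf evaluates these before the filter rules) ---

# Restricted networks: any outbound port-53 query, whatever server the client
# picked (8.8.8.8 included), is rewritten to the firewall's own address on
# that network, where the DNS Forwarder (dnsmasq) listens on 53.
rdr on $lan_if   inet proto { tcp udp } from $lan_if:network   to any port 53 -> 192.168.1.1 port 53
rdr on $wifi_if  inet proto { tcp udp } from $wifi_if:network  to any port 53 -> 192.168.2.1 port 53
rdr on $guest_if inet proto { tcp udp } from $guest_if:network to any port 53 -> 192.168.3.1 port 53

# Admin networks: same catch-all, but the port is rewritten to 1053, where the
# DNS Resolver (unbound) listens with "Enable Forwarding Mode" unticked.
rdr on $lan_admin_if  inet proto { tcp udp } from $lan_admin_if:network  to any port 53 -> 192.168.10.1 port 1053
rdr on $wifi_admin_if inet proto { tcp udp } from $wifi_admin_if:network to any port 53 -> 192.168.11.1 port 1053

# --- Filter rules (see the translated packet) ---

# Let the redirected queries reach the daemons.
pass in quick on $restricted inet proto { tcp udp } from any to self port 53
pass in quick on $admin      inet proto { tcp udp } from any to self port 1053

# Close the two paths the port-53 redirect cannot see: a restricted client
# talking straight to unbound on 1053 (rdr only matches port 53), and
# DNS over TLS on 853 to an outside resolver.
block in quick on $restricted inet proto { tcp udp } from any to any port { 1053 853 }
```

Two points worth checking after applying the equivalent in the GUI. First, the redirect only matches port 53, so a client on a restricted network can still reach the unfiltered resolver by sending to the firewall's 1053 directly unless that port is blocked for those interfaces (or unbound's "Network Interfaces" setting binds it to the admin interfaces only); the last block rule covers that. Second, a port-53 redirect catches plain DNS only; DNS over TLS can be blocked on 853 as above, but DNS over HTTPS rides on 443 and has to be handled at the filtering layer (OpenDNS or pfBlockerNG lists) rather than by NAT. The DMZ case discussed later in the thread needs none of this: with no redirect rule on that interface, whatever DNS server DHCP hands out is used as-is.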
Have you attempted this and it didn't work as expected?
Steve
-
Hi Steve,
Many thanks for the prompt reply. I am not very good with DNS setup. I have Unbound working on LAN, OPT1 and OPT2. I am lost at the NAT setting on the forwarder and the setup page on the forwarder, as to which settings to choose.
I want to use DMZ on the DNS forwarder. So I have to choose DMZ and DMZ IPv6 Link-Local in interfaces and choose under DNS Query Forwarding - Do not forward private reverse lookups.
Add port 5353 under port number, and then port forward 5353 on the DMZ interface to port 53 for the DMZ interface.
Is this all correct? I have pasted a screenshot of my NAT rules. I have a feeling it is wrong. Is there any additional rule on NAT or port-forward I have to add?
Thank you very much for helping me,
molykule
-
Hi,
Can somebody who has done this please help me out,
thanks,
molykule
-
" which the SSID_ADMIN connects to, to have a different dns forwarder."
What exactly are you wanting??? Your devices that you want to resolve your local stuff should point to pfSense or some local DNS. Devices like guests that you don't want to resolve your local stuff.. Just hand them a public DNS.. You're thinking about this too much, or not at all if you look at it another way ;)
There is zero reason to use a gateway for DNS, etc. Your devices on your network that need to resolve your local stuff can just ask pfSense - be it using a forwarder or the default resolver so you can resolve your local stuff. Guests or devices you don't want or need to resolve stuff - just let them use some public DNS like Google or Open or your ISP, etc. Just hand them those via DHCP if you want to be nice, etc.
-
Hi John,
I have 2 dual NICs which give me LAN, OPT1, OPT2 and DMZ. I am using Unbound and pfBlockerNG with host overrides for safe YouTube and safe Google.
The problem comes when I want to play YouTube, it filters that out assuming it is adult content.
I want to have DMZ free to go anywhere. Therefore I was trying to remove it from Unbound and move it to the forwarder.
As I understand, you are saying that I can remove the DMZ interface from Unbound and then in its DHCP server configuration page set up 8.8.8.8 or any other DNS setting for it.
Is it correct, or am I still wrong?
Many thanks for taking time and helping me out,
molykule
-
You are correct.. does your DMZ need to resolve anything local? Would seem unlikely to me that a DMZ would need to resolve internal stuff. Since normally your DMZ would be restricted from talking to stuff on your other networks anyway - this is what makes it a DMZ ;)
So yeah if you want to surf porn on this site and pfBlocker is blocking you - then just let the DMZ use Google or Open or your ISP or any other public DNS out there, 4.2.2.2 for example.. Either set that on the machine directly or hand that out via DHCP to the box in your "dmz"
-
Last come back here but yeah it sounds like you can just hand external DNS servers to DMZ clients if they only need to resolve unfiltered external hosts.
No need to bother with dual DNS on the firewall etc.
Steve