Netgate Discussion Forum
    Rules for DNS traffic

    • bingo600

      Here's what I did, I have 2 Linux servers as DNS "backend"

      Set pfSense to ONLY use the two Linux servers for DNS
      System -> General Setup
      Add the two servers, don't allow DNS Server override, disable DNS Forwarder.
      sys-gen-dns.png

      I use Unbound as DNS Resolver

      Services -> DNS Resolver

      Enable DNS Query Forwarding
      Unbound.png

      In DHCP Server assign the pfSense interface as DNS server, think it's on by default.

      In firewall rules, per interface:
      Allow DNS to pfSense interface IP
      Block DNS to ANY

      DNS might be both 53 & 853

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

      • bingo600

        Do you have your own zones on the "local DNS"?
        Then Unbound can be a bit tricky in resolving RFC1918 IPs

        I have 2 x 192.168.xx /24 ranges , and 2 x 10.xx /16 ranges locally

        And the below pasted in Custom options, remember to start with server:
        cust-opt.png

        server:
        #Block FF DoH by defining use-application-dns.net
        local-zone: "use-application-dns.net" static

        private-domain: "yourdomain.org"
        local-zone: "xx.168.192.in-addr.arpa." transparent
        local-zone: "yy.168.192.in-addr.arpa." transparent
        local-zone: "xx.10.in-addr.arpa." transparent
        local-zone: "yy.10.in-addr.arpa." transparent

        The first section should tell Firefox (FF) to disable DoH, aka DNS over HTTPS

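The custom options above are hand-written for two /24 and two /16 ranges. As an added example (not code from the post or from pfSense/Unbound), the following Python derives the `in-addr.arpa.` reverse zone for any octet-aligned RFC1918 prefix and emits the same `server:` block, so the transparent zones stay in step with the ranges actually in use. The range list and `yourdomain.org` are placeholders, as in the post.

```python
import ipaddress

# Firefox's DoH canary domain: an NXDOMAIN answer tells Firefox not to switch
# on its own DNS-over-HTTPS resolver. An Unbound "static" local-zone with no
# local-data returns exactly that answer.
FIREFOX_DOH_CANARY = "use-application-dns.net"


def reverse_zone(prefix: str) -> str:
    """Return the in-addr.arpa. zone covering an octet-aligned IPv4 prefix.

    Only /8, /16 and /24 map onto a single reverse zone, which is the form the
    local-zone lines in the post use (e.g. "xx.168.192.in-addr.arpa.").
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{prefix}: need an octet-aligned IPv4 prefix (/8, /16 or /24)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def unbound_custom_options(private_domain: str, prefixes) -> str:
    """Build the Unbound 'server:' custom options block for the given ranges.

    Unbound ships the RFC1918 reverse zones as built-in static zones, so PTR
    lookups for them are answered locally (NXDOMAIN) instead of being
    forwarded to the backend servers. Declaring each range 'transparent'
    overrides that so the forward actually reaches the backend.
    """
    lines = [
        "server:",
        "# Block Firefox DoH by answering the canary domain with NXDOMAIN",
        f'local-zone: "{FIREFOX_DOH_CANARY}" static',
        "",
        f'private-domain: "{private_domain}"',
    ]
    for prefix in prefixes:
        # Refuse public ranges: a transparent zone for those would be a typo.
        if not ipaddress.ip_network(prefix, strict=True).is_private:
            raise ValueError(f"{prefix}: only private (RFC1918) ranges belong here")
        lines.append(f'local-zone: "{reverse_zone(prefix)}" transparent')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed example ranges standing in for the post's 2 x 192.168.xx/24
    # and 2 x 10.xx/16; the domain is a placeholder.
    print(unbound_custom_options("yourdomain.org",
                                 ["192.168.10.0/24", "192.168.20.0/24",
                                  "10.1.0.0/16", "10.2.0.0/16"]))
```

Paste the printed block into Services -> DNS Resolver -> Custom options; `strict=True` makes the script reject a prefix with host bits set rather than silently rounding it to a zone.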
        • bingo600

          Another trick instead of firewall rules should be to port forward 53 & 853 to pfSense IP 53 & 853
          I haven't tried that, but I think it's in the "Book", an excellent read (thnx Netgate)

          • StarsAndBars

            Thank you VERY much for your responses. Quick follow-up question though...

            Why would I port forward to the IP of the pfSense itself, instead of the IP of the DNS server?

            • johnpoz (LAYER 8 Global Moderator)

              @StarsAndBars said in Rules for DNS traffic:

              DNS server is 192.168.1.250 and I want any and all traffic to be directed to it for upstream resolution

              So you have this NS forwarding where? Or resolving?

              Normally you would point your client there, then have it forward to pfsense - which would resolve.

              So pfsense would only point to itself, loopback 127.0.0.1. You would setup a domain override for your domain.tld so pfsense knows to go ask 192.168.1.250 for any of your domains and the reverse zones.

              As to any other external, you could either block that or redirect it to pfSense loopback.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • bingo600

                @jp

                Do you have a quick example of a domain override?
                I'm lazy ..

                I assume we're talking about Unbound

                /Bingo

                • johnpoz (LAYER 8 Global Moderator)

                  here

                  here.jpg

                  Scroll down in the unbound settings gui..

                  • bingo600 @StarsAndBars

                    @StarsAndBars said in Rules for DNS traffic:

                    Thank you VERY much for your responses. Quick follow-up question though...

                    Why would I port forward to the IP of the pfSense itself, instead of the IP of the DNS server?

                    That would just seem more logical to me.
                    If possible don't even allow your clients to go to the DNS server.
                    Have them use the firewall, as it can protect itself.
                    I do that for both DHCP (dhcp relay) & DNS.

                    I had an existing Linux DHCP & DNS structure before using pfSense.
                    @home

                    I must admit that ISC-DHCP is powerful, but pfSense DHCP is so easy to set up.

                    @work

                    I Use pfSense for DNS & DHCP

                    And pray that someone would make a fix for Unbound to allow it to record DHCP entries without having to restart and cause a looooooonnng DNS outage (well, enough to make the system feel unresponsive). So I don't use that function.

                    • bingo600 @johnpoz

                      @johnpoz said in Rules for DNS traffic:

                      here

                      here.jpg

                      Scroll down in the unbound settings gui..

                      Arrghh .... That was easy
                      I did all that transparent stuff etc ....

                      @OP
                      Use John's tip, that's elegant

                      • StarsAndBars @johnpoz

                        @johnpoz The host on my LAN is a DNS server (pi-hole ad blocker, actually). It currently forwards upstream to Google DNS for now.

                        I want all DNS resolution requests from the LAN, regardless of the host/origin to be forced through the pi-hole so that ads and analytics requests can be blocked. I specifically do not want the pfSense device to do any resolution on its own for LAN clients (but what it does for its own purposes internally is ok). I am particularly interested in forcing devices with hard-coded DNS through the pi-hole for obvious reasons.

                        Thanks, I hope that clarifies what I am looking to do, so if you could help me tailor my config there, I would appreciate it. I am building a second DNS server for the LAN (192.168.1.251) in the same configuration as a backup/failover. So I would eventually want the rules to reflect that and cascade accordingly.

                        Thanks again for any insight you can provide.

                        -Rob

                        • bingo600

                          You might just hand out the ip addy of the pihole in the DHCP server definitions of the LAN.
                          Then on the LAN interface add an allow rule for pihole UDP 53
                          And Deny UDP 53 & 853 to any after the allow.

                          That would cause your LAN to use just the pihole (as given out by dhcp)

                          Selection_2020061621:33:53.png

                          The force part usually solves itself (I use pihole too), it tried a few times on 8.8.8.8, gives up.
                          And uses the DHCP given server (pihole)

                          • bingo600

                            Or do the portforward trick along with the DHCP handing out pihole as DNS

                            https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

                            Just substitute 127.0.0.1 with the pihole ip

                            Something like this

                            Selection_2020061621:52:59.png

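Whichever of the two designs from the thread is used (allow to the pi-hole then block DNS to any, or the NAT redirect), the firewall log is where you confirm it works and where the devices with hard-coded DNS show up. The following is an added example, not code from the thread or from pfSense: a small Python parser for pfSense filterlog lines that reports which LAN clients had DNS to a non-allowed resolver blocked (the hard-coded-DNS devices) and, separately, any DNS to a non-allowed resolver that was passed (a gap in the rule set). The log lines are constructed samples in the CSV layout pfSense's filterlog uses (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, protocol, addresses and ports), the interface name `igb1` is assumed, and the allowed resolvers are the pi-hole and backup addresses from the thread.

```python
from collections import Counter, defaultdict

# Resolvers LAN clients are allowed to use: the pi-hole and the planned backup.
ALLOWED_RESOLVERS = {"192.168.1.250", "192.168.1.251"}
DNS_PORTS = {"53", "853"}

# Constructed sample lines (not real traffic) in pfSense filterlog CSV layout:
# rule,sub-rule,anchor,tracker,iface,reason,action,direction,ip-version,
# then for IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,
# then for TCP/UDP: src-port,dst-port,data-length[,tcp fields...]
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.50,8.8.8.8,49152,53,40
4,,,1000000102,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.20,192.168.1.250,51000,53,40
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.50,8.8.4.4,49153,53,40
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.77,1.1.1.1,52000,853,0,S,1234567890,,65535,,mss
4,,,1000000102,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.50,192.168.1.250,49154,53,40
4,,,1000000102,igb1,match,pass,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.99,9.9.9.9,40000,53,40
4,,,1000000102,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,192.168.1.250,50000,443,0,S,1,,65535,,mss
"""


def parse_filterlog(line):
    """Pick the fields this check needs out of one IPv4 TCP/UDP filterlog line.

    Returns None for lines of other families or protocols (ICMP, IPv6, ...),
    which carry different trailing fields.
    """
    f = line.rstrip("\n").split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"iface": f[4], "action": f[6], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": f[21]}


def dns_policy_report(log_text):
    """Split DNS traffic to non-allowed resolvers into two views.

    bypass_attempts: blocked attempts per client, i.e. devices with hard-coded
                     DNS that the rules stopped (expected, and worth knowing).
    policy_gaps:     passed DNS to a resolver that is not on the allow list,
                     i.e. a hole in the rule order or a missing block rule.
    """
    bypass_attempts = defaultdict(Counter)
    policy_gaps = defaultdict(Counter)
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e is None or e["dport"] not in DNS_PORTS or e["dst"] in ALLOWED_RESOLVERS:
            continue
        key = f'{e["dst"]}:{e["dport"]}/{e["proto"]}'
        target = bypass_attempts if e["action"] == "block" else policy_gaps
        target[e["src"]][key] += 1
    return dict(bypass_attempts), dict(policy_gaps)


if __name__ == "__main__":
    blocked, gaps = dns_policy_report(SAMPLE_LOG)
    for src, dsts in blocked.items():
        print(f"hard-coded DNS client {src}: {dict(dsts)}")
    for src, dsts in gaps.items():
        print(f"RULE GAP: {src} reached non-allowed resolver {dict(dsts)}")
```

On a live box the input is the filter log (`clog /var/log/filter.log` or the output of `tail` on it, with the syslog prefix up to `filterlog` stripped so each line starts at the rule number). The check is meaningful for the allow/block design; with the NAT redirect the filter rules and the log see the already-rewritten destination (the pi-hole), so blocked hard-coded clients no longer appear, which is the point of that design.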
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.