Pfsense 2.3.1 with OpenDNS (Web filtering)



  • How to configure Pfsense with OpenDNS (Web filtering)

    Requirements

    1. Install pfsense 2.3.1 (More than one Dynamic DNS included in this version)
    2. Sign up with OpenDNS
    3. Configure your network on OpenDNS (and don’t forget to configure your web filter settings)

    Pointing your network to OpenDNS

    Assuming that you have completed the above requirements, first you have to change your DNS on pfsense to OpenDNS. To do this, go to Systems > General Setup. Under DNS Server Settings:
    DNS Server 1: 208.67.222.222
    DNS Server 2: 208.67.220.220
    DNS Server Override: Unchecked
    Disable DNS Forwarder: Checked
    Once you have finished, click Save to save all the settings you entered.

    DNS Resolver & Forwarder

    Once you have completed the above process, you need to disable DNS Resolver and enable DNS Forwarder.
    (I am not sure if DNS Resolver can be configured with OpenDNS. I tried to configure it but had no luck. With DNS Forwarder, everything works well. Maybe someone can help out by explaining why.)
    To do this, you need to go to Services > DNS Resolver > Enable: (Unchecked)
    After that, Go to Services > DNS Forwarder > Enable: Checked
    Interfaces: All
    Click Save

    Dynamic DNS

    When finished, Go to Services > Dynamic DNS > Add
    In this case, I’ll be using OpenDNS but you can pick any services that you like.
    Service Type: OpenDNS
    Interface to Monitor: WAN
    Hostname: opendns.com
    MX: leave blank
    Wildcards: Unchecked
    Verbose Logging: Checked
    Username: email address that you registered with on OpenDNS
    Password: Your Password 
    Confirm: Your Password again
    Description: You can enter “OpenDNS Account”
    Save setting.

    Note: If the cached IP is not available, check your settings again. If you see a green IP, everything is okay.

    Redirecting all DNS Requests to Pfsense

    In some cases, some users can bypass a configured DNS by changing their local DNS to other DNS ips. To avoid it, go to this link: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

    Another option is to block Local DNS configured on a Computer.
    To do this, you have to create two LAN Firewall Rules. One rule will allow all requests from pfsense local DNS and the second one will block all requests from external DNS.
    Firewall > Rules > LAN > Add with up arrow
    Action: Pass
    Interface: Lan
    Address Family: IPv4
    Protocol: TCP/UDP
    Source: Invert match-Unchecked/ ANY
    Destination: LAN Address
    Destination port range: DNS (53)
    Log: Checked if you like
    Description: Enter something related to this rule.
    Click Save
    After that, copy the same rule and change the following settings.
    Action: Block and Destination: Any. Other settings remain the same.

    I hope that this howto helps you a lot.

    Secondly, big thanks to pfsense team for releasing pfsense 2.3.1  ;D
    You guys are the best.
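The two LAN rules from the post above, modelled as an added example that is not part of the original post or of pfSense itself: it evaluates constructed packets first-match, top to bottom, and shows why the Pass rule has to sit above the Block rule. The LAN address 192.168.1.1, the documentation-range destination IPs and the trailing default allow rule are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

LAN_ADDRESS = ip_address("192.168.1.1")  # assumed pfSense LAN address (constructed)

@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    protos: frozenset     # protocols the rule matches
    dst: str              # "lan_address" or "any"
    dport: Optional[int]  # destination port, None means any port
    descr: str

    def matches(self, proto, dst, dport):
        if proto not in self.protos:
            return False
        if self.dst == "lan_address" and ip_address(dst) != LAN_ADDRESS:
            return False
        return self.dport is None or self.dport == dport

TCP_UDP = frozenset({"tcp", "udp"})
PASS_DNS = Rule("pass", TCP_UDP, "lan_address", 53, "Allow DNS to pfSense")
BLOCK_DNS = Rule("block", TCP_UDP, "any", 53, "Block all other DNS")
# Assumption: the stock "allow LAN to any" rule is still present below the two new rules.
DEFAULT_LAN = Rule("pass", TCP_UDP, "any", None, "Default allow LAN to any")

def evaluate(rules, proto, dst, dport):
    """The first matching rule decides the packet; no match at all means block."""
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.action, rule.descr
    return "block", "implicit default deny"

CORRECT = [PASS_DNS, BLOCK_DNS, DEFAULT_LAN]  # order described in the post
SWAPPED = [BLOCK_DNS, PASS_DNS, DEFAULT_LAN]  # Block rule mistakenly on top

# Constructed sample packets: (protocol, destination IP, destination port)
PACKETS = [
    ("udp", "192.168.1.1", 53),    # client querying pfSense
    ("udp", "198.51.100.53", 53),  # client with a hand-set external resolver
    ("tcp", "198.51.100.53", 53),  # same resolver over TCP
    ("tcp", "203.0.113.10", 443),  # ordinary web traffic
]

def verdicts(rules):
    return [evaluate(rules, *pkt)[0] for pkt in PACKETS]

if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("swapped", SWAPPED)):
        for pkt in PACKETS:
            print(name, pkt, *evaluate(rules, *pkt))
```

With the rules swapped, the Block rule also catches queries addressed to pfSense, so LAN clients lose name resolution entirely.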



  • @tekitaamtk:

    How to configure Pfsense with OpenDNS (Web filtering)

    DNS Resolver & Forwarder

    Once you have completed the above process, you need to disable DNS Resolver and enable DNS Forwarder.
    (I am not sure if DNS Resolver can be configured with OpenDNS. I tried to configure it but had no luck. With DNS Forwarder, everything works well. Maybe someone can help out by explaining why.)

    Hello!

    Another option is to disable only DNSSEC in the DNS Resolver; it seems that DNS Resolver's implementation of DNSSEC is not compatible with OpenDNS. Everything else in the DNS Resolver may/should remain on default. It works.

    Thank you!


  • Rebel Alliance Global Moderator

    "it seems that DNS Resolver's implementation of DNSSEC is not compatible with OpenDNS"

    huh??  You mean to say that opendns does not support dnssec..  Which they don't.. It's not an issue of the implementation of dnssec, it's that opendns does not support it at all.

    You can use the forwarder mode of unbound with opendns - but you would have to disable dnssec because openvpn does not support it.

    edit:  Just noticed this is an OLD thread.. Why did it pop up as new?  Did someone spam it and then the spam got removed??



  • May I ask how you set up your Pfsense to auto-update the cached ip whenever your ISP changes your IP (dynamic ip)?  My pfsense box was able to update my dyndns ip, but not my opendns ip.

    TIA!

    ast



  • @ast:

    May I ask how you set up your Pfsense to auto-update the cached ip whenever your ISP changes your IP (dynamic ip)?  My pfsense box was able to update my dyndns ip, but not my opendns ip.

    Opendns uses dns-o-matic.com for dynamic dns updates to opendns. You can then configure dns-o-matic to update other dynamic dns providers or just define additional updaters in pfsense.

    Kage_



  • ![why error?? I try follow the step but doesn't work the web filtering block web URL](0_1542638672815_676e5aea-8968-44c3-927c-61475f0dab52-image.png)