    pfSense 2.3.1 with OpenDNS (Web filtering)

      tekitaamtk:

      How to configure pfSense with OpenDNS (Web filtering)

      Requirements

      1. Install pfSense 2.3.1 (more than one Dynamic DNS entry is supported in this version)
      2. Sign up with OpenDNS
      3. Configure your network on OpenDNS (and don’t forget to configure your web filter settings)

      Pointing your network to OpenDNS

      Assuming that you have completed the above requirements, first you have to change your DNS on pfSense to OpenDNS. To do this, go to System > General Setup. Under DNS Server Settings:
      DNS Server 1: 208.67.222.222
      DNS Server 2: 208.67.220.220
      DNS Server Override: Unchecked
      Disable DNS Forwarder: Checked
      Once you have finished, click Save to save all the settings you entered.

      DNS Resolver & Forwarder

      Once you have completed the above process, you need to disable the DNS Resolver and enable the DNS Forwarder.
      (I am not sure if the DNS Resolver can be configured with OpenDNS; I tried to configure it but had no luck. With the DNS Forwarder, everything works well. Maybe someone can help out by explaining WHY.)
      To do this, go to Services > DNS Resolver > Enable: Unchecked
      After that, go to Services > DNS Forwarder > Enable: Checked
      Interfaces: All
      Click Save

      Dynamic DNS

      When finished, go to Services > Dynamic DNS > Add
      In this case, I’ll be using OpenDNS, but you can pick any service that you like.
      Service Type: OpenDNS
      Interface to Monitor: WAN
      Hostname: opendns.com
      MX: leave blank
      Wildcards: Unchecked
      Verbose Logging: Checked
      Username: email address that you registered with on OpenDNS
      Password: Your password
      Confirm: Your password again
      Description: You can enter “OpenDNS Account”
      Save the settings.

      Note: If the cached IP is not available, check your settings again. If you see a green IP, everything is okay.

      Redirecting all DNS Requests to Pfsense

      In some cases, users can bypass the configured DNS by changing their local DNS to other DNS IPs. To avoid this, go to this link: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

      Another option is to block local DNS configured on a computer.
      To do this, you have to create two LAN firewall rules: one rule that allows all requests from the pfSense local DNS, and a second one that blocks all requests from external DNS.
      Firewall > Rules > LAN > Add with up arrow
      Action: Pass
      Interface: LAN
      Address Family: IPv4
      Protocol: TCP/UDP
      Source: Invert match - Unchecked / any
      Destination: LAN Address
      Destination port range: DNS (53)
      Log: Checked if you like
      Description: Enter something related to this rule.
      Click Save
      After that, copy the same rule and change the following settings.
      Action: Block and Destination: Any. Other settings remain the same.

      I hope that this howto helps you a lot.

      Secondly, big thanks to the pfSense team for releasing pfSense 2.3.1 ;D
      You guys are the best.

        hutiucip:

        @tekitaamtk:

        How to configure pfSense with OpenDNS (Web filtering)

        DNS Resolver & Forwarder

        Once you have completed the above process, you need to disable the DNS Resolver and enable the DNS Forwarder.
        (I am not sure if the DNS Resolver can be configured with OpenDNS; I tried to configure it but had no luck. With the DNS Forwarder, everything works well. Maybe someone can help out by explaining WHY.)

        Hello!

        Another option is to disable only DNSSEC in the DNS Resolver; it seems that the DNS Resolver's implementation of DNSSEC is not compatible with OpenDNS. Everything else in the DNS Resolver may/should remain at the defaults. It works.

        Thank you!

          johnpoz (LAYER 8 Global Moderator):

          "it seems that DNS Resolver's implementation of DNSSEC is not compatible with OpenDNS"

          huh?? You mean to say that OpenDNS does not support DNSSEC.. Which they don't.. It's not an issue of the implementation of DNSSEC, it's that OpenDNS does not support it at all.

          You can use the forwarder mode of unbound with OpenDNS, but you would have to disable DNSSEC because OpenDNS does not support it.

          edit: Just noticed this is an OLD thread.. Why did it pop up as new? Did someone spam it and then the spam got removed??

            ast:

            May I ask how you set up your pfSense to auto-update the cached IP whenever your ISP changes your IP (dynamic IP)? My pfSense box was able to update my DynDNS IP, but not my OpenDNS IP.

            TIA!

            ast

              Kage_:

              @ast:

              May I ask how you set up your pfSense to auto-update the cached IP whenever your ISP changes your IP (dynamic IP)? My pfSense box was able to update my DynDNS IP, but not my OpenDNS IP.

              OpenDNS uses dns-o-matic.com for dynamic DNS updates to OpenDNS. You can then configure dns-o-matic to update other dynamic DNS providers, or just define additional updaters in pfSense.

              Kage_

                Mohamad Idham:

                Why this error?? I tried following the steps, but the web filtering does not block web URLs. (screenshot not available)

                  comprev:

                  OpenDNS allows you to have more than one network registered with your account. You need to update the correct network. This article is old, so maybe this is a newer feature of OpenDNS. Anyway, the OpenDNS help says to use the following for Hostname:

                  https://updates.opendns.com/nic/update?hostname=NetworkLabel

                  Where NetworkLabel is the name of the network in your account that you're trying to update. However, pfSense returns the error "The Hostname contains invalid characters."

                    Truckin (replying to comprev):

                    Does anyone know if this still works with the latest version of pfSense? If not, what adjustments need to be made?
                    Thanks,
                    Truckin

                      comprev (replying to Truckin):

                      @truckin

                      Yes, pfSense will still update your OpenDNS account with your current IP address. After that, it's just a matter of setting the OpenDNS servers as your DNS servers.

                        Truckin:

                        OK,
                        Thanks! I will start the config process now that I know these instructions still work.
                        Truckin

                          Truckin (replying to Truckin):

                          Everything seemed to work fine with these instructions running the latest version of pfSense. However, once I configured the firewall rules, specifically the 2nd one to block, I lost the ability to connect to the internet. Tried several different things but never could reach any website or ping it. If I left the first FW rule in place and removed the second one, it works fine... so that's what I am running now. Not sure if that is the correct way to go though, since the above instructions state to add both FW rules. Any advice?
                          Truckin

                            comprev (replying to Truckin):

                            @truckin
                            I suspect that you blocked DNS access to pfSense. You need to set a rule that allows UDP port 53 to connect to the pfSense box from the LAN, above the rule(s) that block port 53.

                            I just looked at my pfSense. I have OpenDNS defined in the Dynamic DNS rules. Under "Hostname" I entered the name of my network as I have defined it in OpenDNS. So, in the previous instructions, where it has the word NetworkLabel, all you need is to put NetworkLabel in the Hostname box, not the full string.

                              Truckin (replying to comprev):

                              @comprev

                              Ok,
                              I am not really sure how to do that. I just followed his instructions above. So does that mean I need to put the block rule back in like written above and also add another rule?

                                comprev:

                                @truckin I just double-checked the picture above. He has a permit to allow DNS to a local LAN address prior to the block statement. Be aware that these statements default to TCP but DNS uses UDP, so change the drop-down that says TCP to UDP when creating or editing the rules. You can also set them to allow both TCP & UDP, if you prefer.

                                The rules are executed in the order they appear, so the permit must precede the block.

                                  Truckin (replying to comprev):
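The two LAN rules from the original how-to, and comprev's two points about them (first match wins, and a pass rule left on TCP only does not match UDP DNS), can be checked with a small first-match simulation. This is an added example, not code from the thread or from pfSense; the LAN address, the external resolver address and the web server address are constructed sample values.

```python
from dataclasses import dataclass

LAN_ADDRESS = "192.168.1.1"     # constructed: stands in for the "LAN Address" macro
EXTERNAL_DNS = "198.51.100.53"  # constructed: a third-party resolver a client typed in
WEB_SERVER = "203.0.113.10"     # constructed: some website the client browses to
BOTH = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    protocols: frozenset   # protocols the rule matches ("tcp", "udp" or both)
    dst: str               # a host address or "any"
    dst_port: int


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dst_port: int


def evaluate(rules, pkt, default="pass"):
    """Walk the rules top-down and return the first match, as pfSense does on
    an interface tab. `default` models the stock 'LAN to any' allow rule that
    sits below the two DNS rules, so unrelated traffic (e.g. HTTPS) passes."""
    for r in rules:
        if (pkt.proto in r.protocols and pkt.dst_port == r.dst_port
                and r.dst in ("any", pkt.dst)):
            return r.action
    return default


def lan_dns_rules(pass_first=True, pass_protocols=BOTH):
    """The how-to's pair: pass DNS to the LAN address, block DNS to anywhere else.
    pass_first=False reproduces the block rule being placed above the pass rule;
    pass_protocols={"tcp"} reproduces a pass rule left on the default TCP."""
    allow = Rule("pass", pass_protocols, LAN_ADDRESS, 53)
    block = Rule("block", BOTH, "any", 53)
    return [allow, block] if pass_first else [block, allow]


def outcomes(rules):
    """Fate of a client's UDP query to pfSense, to an outside resolver, and of HTTPS."""
    return {
        "dns_to_pfsense": evaluate(rules, Packet("udp", LAN_ADDRESS, 53)),
        "dns_to_external": evaluate(rules, Packet("udp", EXTERNAL_DNS, 53)),
        "https_to_web": evaluate(rules, Packet("tcp", WEB_SERVER, 443)),
    }
```

Note that HTTPS itself passes in every variant: what the misordered or TCP-only ruleset breaks is name resolution, which from the client looks like "no internet".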

                                  @comprev

                                  Thanks for the follow-up. I will redo the rules again and make sure the order is correct (Maybe that was the issue). I will report back once I have this completed.
                                  Thanks again,
                                  Truckin
