[SOLVED] Different DNS forwarders for VLAN's
-
I have a challenge here, well for me anyways. 8)
This is my setup:
pfSense box with 3 VLANs.
OpenWrt wireless AP with 3 VLANs.
3 wireless networks (SSIDs) connected to the 3 VLANs: SSID, SSID_GUEST, SSID_ADMIN.
On my pfSense box I have DNS Resolver active and all my clients do DNS requests with the pfSense box.
The pfSense box forwards the requests to OpenDNS. I have set up OpenDNS to do DNS filtering (p0rn, gambling, etc) for the kids.
All is working perfectly. But here it comes… I would like the 3rd VLAN, which SSID_ADMIN connects to, to have a different DNS forwarder.
I want my clients that connect to this VLAN to have the pfSense box as DNS server (because of internal DNS resolving) but a different external forwarder (for instance Google DNS) so that it won't go over OpenDNS filtering.
What I came up with is this:
Copy the WAN gateway (change monitoring IP), go to General Settings and put the DNS servers in there.
Set the OpenDNS server for the default gateway and put Google DNS for the copied gateway.
Then do policy based routing on the admin VLAN to use the copied gateway.
But from all the threads I read this won't be a good solution.
Each WAN must have a unique gateway IP (for instance see here: https://forum.pfsense.org/index.php?topic=49841.0).
Is there any way to accomplish this?
Edit: Problem solved.
-
Hi Panja,
There are at least a couple of ways to accomplish this.
You have the resolver in forwarding mode and have OpenDNS's servers configured in general setup.
One easy way to avoid using those for the admin VLAN is just to configure the DHCP server there to hand out, for example, 8.8.8.8 and 8.8.4.4 to the clients. They will then use Google DNS directly.
An alternative is to run both DNS services on pfSense. They cannot both run on port 53 so one, probably the resolver, should be configured to run on a different port. All the normal filtered clients would connect to the forwarder and use OpenDNS. On the admin interface add a port forward to redirect incoming requests on port 53 to the port the resolver is actually listening on. If the resolver is NOT in forwarding mode it will use DNS root servers directly and not return filtered results.
Or swap that around. Run the forwarder on a different port and add port forwards on all the interfaces you want to be filtered. That has the benefit of catching DNS requests attempting to bypass your filtering by using an external server directly.
Steve
-
Hi Steve,
Thanks for your reply!
You have the resolver in forwarding mode and have OpenDNS's servers configured in general setup.
One easy way to avoid using those for the admin VLAN is just to configure the DHCP server there to hand out, for example, 8.8.8.8 and 8.8.4.4 to the clients. They will then use Google DNS directly.
This is something I came up with as well. Downside is that local DNS resolving is not possible because the client(s) talk directly to Google DNS servers instead of the pfSense box.
An alternative is to run both DNS services on pfSense. They cannot both run on port 53 so one, probably the resolver, should be configured to run on a different port. All the normal filtered clients would connect to the forwarder and use OpenDNS. On the admin interface add a port forward to redirect incoming requests on port 53 to the port the resolver is actually listening on. If the resolver is NOT in forwarding mode it will use DNS root servers directly and not return filtered results.
You mean running DNS Resolver and DNS Forwarder services at the same time? So actually 2 (internal) DNS servers on the pfSense box?
On my LAN, WIFI, WIFI_GUEST interfaces I already set up a port forward to only use the pfSense DNS server per this article:
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
-
Hi Panja,
Yes and yes. :)
So set the DNS forwarder to run on another port, say 5353, then change your port forwards to point at 5353 so that filtered clients will still hit it.
Then set the DNS resolver to use resolving mode (not forwarding) on the standard port. The admin clients will hit that without any port forward on that interface. You can add DNS overrides etc in the resolver.
The only issue with doing that is if you have a large list of host overrides and you don't want to maintain a list in both DNS services. It's possible to set a domain override for whatever host you have and point one DNS service at the other one so only one list is needed but I'd avoid that if you don't need it.
Steve
-
Well you answered my next question already. ;D
I wanted to ask if I needed to maintain a host override list in both DNS services.
I don't have a big list so with a little copy/paste I'm done in a few mins. No biggie.
Just a reminder for myself: if I want to add a host override in the future I have to do it in both DNS services.
Thanks again!
-
Hi Steve!
Just wanted to let you know I implemented the double DNS service per your advice.
DNS forwarder on port 53.
DNS resolver on port 1053. Unticked the box "Enable Forwarding Mode".
On my (normal) LAN, WIFI and WIFI_GUEST networks I have set up NAT rules to only allow DNS traffic to my pfSense box.
All others (for instance 8.8.8.8) will be forwarded to the pfSense box.
This way no one connected to those networks can use any other DNS service besides the pfSense box.
On my LAN_ADMIN and WIFI_ADMIN networks I have set a NAT rule for all DNS traffic (port 53) to my pfSense box to translate that into port 1053.
Works as advertised!
LAN, WIFI and WIFI_GUEST are restricted with OpenDNS web filtering.
LAN_ADMIN and WIFI_ADMIN are using the DNS resolver and are free to go anywhere.
8) Thanks again!
[EDIT]
Changed protected to restricted. :)
-
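A way to verify the port 53 redirect described in the post above from a client on each VLAN (an added example, not code from the thread or from pfSense): it sends a query for a name that only the pfSense host overrides know to an external resolver address. If the NAT rule is intercepting port 53, the firewall answers and the name resolves; without the redirect the outside server returns NXDOMAIN. The host name nas.home.lan and the resolver 8.8.8.8 are constructed sample values.

```python
import random
import socket
import struct

def build_query(name, qid):
    """Minimal DNS query: header with RD=1, one A/IN question for name."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(data, off):  # offset just past a (possibly compressed) name
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_response(data, qid):
    """Return (rcode, list of A-record IPs); reject a mismatched transaction ID."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                # skip the echoed question(s)
        off = _skip_name(data, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips

def check_redirect(resolver="8.8.8.8", name="nas.home.lan", timeout=2.0):
    """'redirected': the firewall intercepted port 53 and answered the internal name;
    'not redirected': the outside server replied (no A records); 'timeout': no reply.
    Defaults are constructed sample values, not from the thread."""
    qid = random.randrange(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (resolver, 53))
        rcode, ips = parse_response(sock.recv(512), qid)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    return "redirected" if rcode == 0 and ips else "not redirected"
```

Run it from a client on a filtered VLAN and on an admin VLAN; with the setup above both should report "redirected", since the admin rule only changes the target port to 1053.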
Nice. :)
-
You could also just replace the word "protected" with "restricted" to be more accurate.
-
Done! 8)
-
Hi,
Can you please post a screenshop of your NAT rules and setup page for forwarder and resolver,
thanks,
molykule
-
Hi Steve!
Just wanted to let you know I implemented the double DNS service per your advice.
DNS forwarder on port 53.
DNS resolver on port 1053. Unticked the box "Enable Forwarding Mode".
On my (normal) LAN, WIFI and WIFI_GUEST networks I have set up NAT rules to only allow DNS traffic to my pfSense box.
All others (for instance 8.8.8.8) will be forwarded to the pfSense box.
This way no one connected to those networks can use any other DNS service besides the pfSense box.
On my LAN_ADMIN and WIFI_ADMIN networks I have set a NAT rule for all DNS traffic (port 53) to my pfSense box to translate that into port 1053.
Works as advertised!
LAN, WIFI and WIFI_GUEST are restricted with OpenDNS web filtering.
LAN_ADMIN and WIFI_ADMIN are using the DNS resolver and are free to go anywhere.
8) Thanks again!
[EDIT]
Changed protected to restricted. :)
-
Have you attempted this and it didn't work as expected?
Steve
-
Hi Steve,
Many thanks for the prompt reply. I am not very good with DNS setup. I have Unbound working on LAN, OPT1 and OPT2. I am lost at the NAT setting on the forwarder and the setup page on the forwarder, as to which settings to choose.
I want to use DMZ on the DNS forwarder. So I have to choose DMZ and DMZ IPv6 Link-Local in interfaces and choose under DNS Query Forwarding - Do not forward private reverse lookups.
Add port 5353 under port number, and then port forward 5353 on the DMZ interface to port 53 for the DMZ interface.
Is this all correct? I have pasted a screenshot of my NAT rules. I have a feeling it is wrong. Is there any additional rule on NAT or port-forward I have to add?
Thank you very much for helping me,
molykule
-
Hi,
Can somebody who has done this please help me out,
thanks,
molykule
-
" which the SSID_ADMIN connects to, to have a different dns forwarder."
What exactly are you wanting??? Your devices that you want to resolve your local stuff should point to pfSense or some local DNS. Devices like guests that you don't want to resolve your local stuff.. just hand them a public DNS.. You're thinking about this too much, or not at all if you look at it another way ;)
There is zero reason to use a gateway for DNS, etc. Your devices on your network that need to resolve your local stuff can just ask pfSense - be it using a forwarder or the default resolver so you can resolve your local stuff. Guests or devices you don't want or need to resolve stuff - just let them use some public DNS like Google or OpenDNS or your ISP, etc. Just hand them those via DHCP if you want to be nice, etc.
-
Hi John,
I have 2 dual NICs which give me LAN, OPT1, OPT2 and DMZ. I am using Unbound and pfBlockerNG with host overrides for safe YouTube and safe Google.
The problem comes when I want to play YouTube; it filters that out, assuming it is adult content.
I want to have DMZ free to go anywhere. Therefore I was trying to remove it from Unbound and move it to the forwarder.
As I understand, you are saying that I can remove the DMZ interface from Unbound and then in its DHCP server configuration page set up 8.8.8.8 or any other DNS setting for it.
Is this correct or am I still wrong?
Many thanks for taking the time and helping me out,
molykule
-
You are correct.. does your dmz need to resolve anything local? Would seem unlikely to me that a dmz would need to resolve internal stuff. Since normally your dmz would be restricted from talking to stuff on your other networks anyway - this is what makes it a dmz ;)
So yeah if you want to surf porn on this site and pfblocker is blocking you - then just let the dmz use google or open or your isp or any other public dns out there 4.2.2.2 for example.. Either set that on machine directly or hand that out via dhcp to the box in your "dmz"
-
Last come back here but yeah it sounds like you can just hand external DNS servers to DMZ clients if they only need to resolve unfiltered external hosts.
No need to bother with dual DNS on the firewall etc.
Steve