Deny users who will manually bypass DNS provided by DHCP



  • Hello

    I have 2 groups of users… one of the groups has minimum access to the internet (restricted).

    My question is... once the end user changes his DNS, the restrictions are all gone.

    Is there any way pfSense can deny end users having network parameters (IP address/DNS) set manually, which are not provided by the pfSense DHCP server?



  • You can set up firewall rules on the LAN interface that block DNS queries not destined for your pfSense box, and you can also set up NAT rules that will redirect DNS queries to external servers to your pfSense box instead.

    See the Wiki article below for setting up NAT to redirect all DNS queries to pfSense. In that article towards the end is a link to another article on blocking DNS queries to external servers.

    Redirecting all DNS Requests to pfSense

    Note that the NAT redirection will only affect IPv4 use, so having an IPv4/IPv6 firewall rule to block external DNS servers would be recommended if you are using IPv6 on your network.
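    The two controls described above, written out as raw pf syntax rather than GUI steps, as an added example (not from the thread or the linked wiki article). It assumes a hypothetical LAN on em1 with 192.168.1.0/24 and fd00:1::/64, and that the pfSense resolver also listens on 127.0.0.1.

```pf
# Added example, not the thread's or the pfSense project's own configuration.
# Hypothetical values: LAN interface em1, IPv4 192.168.1.0/24, IPv6 fd00:1::/64,
# DNS resolver on pfSense reachable at its LAN address and on 127.0.0.1.
lan_if   = "em1"
lan_net4 = "192.168.1.0/24"
lan_net6 = "fd00:1::/64"

# 1. NAT redirect (IPv4 only): a DNS query from a LAN host that is NOT already
#    addressed to the firewall is rewritten to the local resolver, so a client
#    that manually set an external DNS server still ends up asking pfSense.
rdr on $lan_if inet proto { tcp udp } from $lan_net4 to ! ($lan_if) port 53 \
    -> 127.0.0.1 port 53

# 2. Filter rules: permit DNS to the firewall itself (filters see the
#    post-rdr destination, hence 127.0.0.1 is listed), then drop and log DNS
#    to anything else. There is no rdr for IPv6, so the inet6 block rule is
#    the only thing enforcing the restriction for v6 clients.
pass  in quick on $lan_if inet  proto { tcp udp } from $lan_net4 \
    to { ($lan_if) 127.0.0.1 } port 53
pass  in quick on $lan_if inet6 proto { tcp udp } from $lan_net6 \
    to ($lan_if) port 53
block in quick log on $lan_if inet  proto { tcp udp } from $lan_net4 to any port 53
block in quick log on $lan_if inet6 proto { tcp udp } from $lan_net6 to any port 53

# Caveat that matters for this thread: every match key here is a source
# address, not a user. The "log" keyword on the block rules is what gives you a
# visible signal in the firewall log when a host tries to reach an outside DNS
# server, which is the detection side of the same control.
```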



  • I don't understand what the link could be between DNS and controlled access to the internet, especially if the need is then expressed in terms of "user".
    What I mean to say is that:

    • if you want to control access "per user", then the only reliable way is to authenticate
    • controlling access to internet must be done at protocol level

    e.g. if you want to control access to the web then the right solution is a proxy.

    Captive portal can be used to prompt for authentication then open FW rules.

    But thinking that dealing with DNS may provide a similar feature is, at least to me, a wrong approach.



  • @virgiliomi
    so this essentially means creating a rule for restricted users to allow only DNS pointing to the firewall… simple... many thanks



  • @ozlecz:

    so this essentially means creating a rule for restricted users to allow only DNS pointing to the firewall… simple... many thanks

    Simple but ineffective.

    Let me explain why.

    -> "rule for restricted user to allow only DNS pointing to firewall"

    1 -  ???  such a rule can't describe a "user". In the best case it will describe a source IP. If a restricted user is able to change his DNS configuration, he will easily change his own IP too and become… an "unrestricted user"

    2 - such a rule should apply to all, meaning DNS requests pointing outside should be denied for all. I don't see the point of pfSense allowing external DNS requests when the DNS resolver module exists.

    3 - Dealing with DNS doesn't prevent the user from typing an IP address, in a URL for instance  :-X

    4 - Still looking at HTTP, this "DNS based access control" doesn't prevent the user from configuring an explicit proxy (using an IP address in the proxy field): with such a setting, you don't even need DNS any more  ;D

    IMHO  8)



  • Sir,

    1 -  ???  such a rule can't describe a "user". In the best case it will describe a source IP. If a restricted user is able to change his DNS configuration, he will easily change his own IP too and become… an "unrestricted user"

    Unrestricted users are MAC-IP bound... the rest of the IPs are included in restricted.

    2 - such a rule should apply to all, meaning DNS requests pointing outside should be denied for all. I don't see the point of pfSense allowing external DNS requests when the DNS resolver module exists.

    Unrestricted users in my case use external DNS, which is defined under the MAC-IP binding... the pfSense DNS resolver here is only for restricted users.

    4 - Still looking at HTTP, this "DNS based access control" doesn't prevent the user from configuring an explicit proxy (using an IP address in the proxy field): with such a setting, you don't even need DNS any more  ;D

    It is more rule-based, because restricted users are only allowed, say, 100 ASN numbers which are defined at the pfBlocker whois. Only a few are defined in the DNS resolver... just an exclusion from the ASNs.



  • The only thing DNS does is convert names into IP addresses. The only thing the firewall sees is IP addresses and ports. Using IP addresses and port numbers, how would you describe the issue?



  • Ok, so I'll admit that I glossed over the detail of restricted/unrestricted users…

    The best way to do this would be to have two separate networks/subnets... restricted users on one network, unrestricted on the other. That way a restricted user could attempt to change their IP address, but all IP addresses on that subnet would be redirected through pfSense and/or have external servers blocked, while unrestricted users on a separate network would not have those limitations on DNS.

    The downside to this is that you need to change physical network connections to change between restricted and unrestricted access, or you could go with VLANs and change the VLAN on the switch port.

    If you tried to do this with one network/subnet, it would only take someone finding the right IP address(es) to get around the DNS restrictions, unless the users don't have administrative control of the computer in order to keep from changing network settings.



  • 1-20: unrestricted alias (all used up)
    21-253: restricted alias
    254: LAN interface

    He can only be in restricted…



  • If you're convinced this is the right approach and are sure that the MAC-address-based IP can't be changed, then you're right, do it this way  ;)

    Still, this is not filtering for users but for IPs, or workstations at best, if MAC addresses couldn't be changed and spoofed  8)


  • LAYER 8 Global Moderator

    So if this user can change their DNS, what stops them, as mentioned, from just using a proxy? Or, for that matter, if you want to let them use DNS other than your limited restricted version, what stops them from using host names?

    Seems these so-called "restricted" users are using their own hardware or have too many rights on it already if they can alter what DNS they point to.

    Not sure how such a user would be considered restricted? Use of DNS like OpenDNS or such that can be used to filter what a user looks up is fine. But it's not really a way of actually restricting a user's access. It can help them not hit malware sites and such for their own good. But it's not really a good way of preventing them from going to sites "you" do not want them to go to for some reason.

    If you need such control then you should use a proxy, and only allow the proxy out. Not individual machines.

