Netgate Discussion Forum

    DHCP supplied DNS question

    18 Posts 4 Posters 2.3k Views
jgravert

I am currently using: 2.3.2-RELEASE-p1

I am finding that setting a different DNS server based on a reserved IP address is not working properly.

It appears as though DHCP is assigning the custom DNS to the Windows 10 PC; however, when I try to visit a normally blocked web page, it still blocks it using the old DNS server.

What I am trying to do is this. I am currently using OpenDNS for all the traffic on the network. However, I want to be able to bypass this on a couple of PCs on the network. So far I have not been able to accomplish this using DHCP. I have set up a static mapping for the specific PC and entered an alternative DNS into this configuration. DHCP is assigning the correct NEW DNS; however, the page is still being blocked by the DEFAULT DNS set up on pfSense.

I have never set up the router to force all DNS to go through the default DNS. I have tried numerous setting changes with no luck.

Am I missing something? Why would it by default be forcing all the DHCP DNS traffic through the DEFAULT DNS?

Please advise. Thanks.
johnpoz (LAYER 8 Global Moderator)

So you say you changed your DHCP to hand out what you want. Did you verify the client changed?

Simple enough to renew the lease on the Windows 10 machine, and then look at what it's pointing to.

Post up your ipconfig /all on your Win10 machine. Are you sure it's not using IPv6 for DNS and you're changing its IPv4? It would want to use IPv6 by default.

A simple nslookup from the cmd line will tell you what DNS it's trying to use.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
jgravert

@johnpoz:

    So you say you changed your DHCP to hand out what you want. Did you verify the client changed?

    Simple enough to renew the lease on the Windows 10 machine, and then look at what it's pointing to.

    Post up your ipconfig /all on your Win10 machine. Are you sure it's not using IPv6 for DNS and you're changing its IPv4? It would want to use IPv6 by default.

I verified by ipconfig /all, and yes, I was able to get it to change the DNS there. I have IPv6 disabled on the computer I am testing.

I will try nslookup shortly.
jgravert

@johnpoz:

    A simple nslookup from the cmd line will tell you what DNS it's trying to use.

According to nslookup, I am using the correct DNS server. Here is what nslookup shows:

    C:\WINDOWS\system32>nslookup google.com
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    Name:    google.com
    Addresses:  2607:f8b0:400f:803::200e
              216.58.217.46

The problem is, when I visit a website where my main DNS will block it and the new DNS won't, it still blocks it, showing the error page from the OpenDNS servers.
doktornotor

No idea what this "main DNS" and "new DNS" are.

1/ DNS records have a TTL.
2/ The clients have a DNS cache.
3/ The browsers have their own DNS cache as well.
johnpoz (LAYER 8 Global Moderator)

^ Exactly. If your client is using Google as you show, then that is what it will use. Did you flush its local cache? Keep in mind whether your browser is using a proxy: the proxy is the one that looks stuff up, not the client.

When you run a proxy, the client asks the proxy "hey, I want www.domain.tld"; the proxy is the device that does the DNS query for the IP of www.domain.tld, not the client. So it doesn't matter what DNS your client is set for if you're using a proxy with the browser.
jgravert

DNS Forwarder is running by default. I turned it off and turned on DNS Resolver. If I do not do this I get zero DNS.

I am perfectly aware of how the cache works and flushed/cleared it before each test.

Ultimately, after dinking around with it, I believe I did get it working.

Now the problem comes from the use of OpenDNS and Rawstream DNS. They are supposed to be detecting what IP the DNS request is coming from and then applying my rules to the DNS requests. In cases where I block a site, it redirects to an error page.

After getting the issue resolved on pfSense, now neither OpenDNS nor Rawstream DNS is seeing my requests from my WAN IP. That baffles me at the moment.

I ran out of time today to test any further.

What I am trying to accomplish is having just a few clients use different DNS filtering than the rest of the network. I am doing this for my 8-year-old, as I do not want him accessing much of anything on the internet, while leaving the rest of the users alone.

This is my business network. I am using official pfSense hardware purchased from Electric Sheep Fencing.

I am certain this could be doable but am really at a loss as to how I would proceed at this point.

Obviously with DNS Forwarder everything is forced through 127.0.0.1 on the pfSense device. I really don't see how to get around that. I'm sure there is a very good reason for this, as it keeps people from bypassing internal DNS settings. Normally I would want to operate this way.

I'm just trying to do something a little different.

If anyone has tried this, I would love to learn how it was done.
doktornotor

Actually, there's no problem with adapting this howto to OpenDNS or whatever: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

1/ Use an alias with the subnet or IPs of the clients you want to force somewhere as the source.
2/ Use another alias with the OpenDNS IPs as NOT destination, and the redirect IP (or redirect to localhost dnsmasq and it will forward those to OpenDNS).
jahonix

@jgravert:

    DNS Forwarder is running by default. I turned it off and turned on DNS Resolver. If I do not do this I get zero DNS.
    …
    now neither OpenDNS nor Rawstream DNS is seeing my requests from my WAN IP. That baffles me at the moment.

Really?
The DNS Forwarder asks OpenDNS or whatever DNS servers you use for name resolution.
The DNS Resolver, however, queries down the tree to find which DNS server is responsible for your request and asks there directly. May I suggest you read a bit about the DNS Resolver and its differences from a forwarder?!
jahonix

Personally, if you have one 8yo and only want to restrict this cutie's access to the world, then
a) segment your network! Get the 8yo's host off of your business network.
   I have yet to see a kid (or grandpa) that doesn't fetch a virus, and spreading that in your business LAN might be catastrophic…
b) use DNS Resolver for everything but the kid.
c) have DHCP push the OpenDNS server to the 8yo's PC, or configure that one statically.
   Even easier when this PC is hanging on a different segment.
johnpoz (LAYER 8 Global Moderator)

"DNS Forwarder is running by default."

No it isn't, not unless you're using an OLD version of pfSense… Resolver became the default quite a few versions back.

"Obviously with DNS Forwarder everything is forced through 127.0.0.1 on the pfSense device"

What??? Again, no!!

Here is what I would suggest. If you want to force a device to use some outside DNS service that blocks content for you, that is great. All for it, but please have some basic understanding of how DNS actually works before attempting to use such a service. Sorry, but pfSense pointing to itself for DNS does not force any of your clients to use pfSense for DNS, be it using the forwarder or the resolver.

If your client is using X for DNS, then out of the box pfSense would have ZERO to do with that, be it using the forwarder or the resolver, or both just off altogether. Yes, pfSense out of the box with DHCP turned on will hand out in DHCP the IP address the DHCP server is running on for DNS, if the forwarder or the resolver is enabled. If they are not, then it will hand out what is in General Setup or what it got from the ISP via DHCP, etc.

If you point your client to 8.8.8.8 for DNS, then that is what it will use! Period!!! And pfSense out of the box will not have anything to do with that. The default LAN rules are any-any and your client can talk to 8.8.8.8 or any other public DNS all it wants.

If what you're saying is you're pointing a client to a DNS service and it's not filtering how you want it to filter, then either you're not actually asking them, or they are not filtering it how you think they should. But that has zero to do with pfSense using a forwarder or a resolver, or what pfSense points to for its own DNS.
jgravert

@johnpoz:

    "DNS Forwarder is running by default."

    No it isn't, not unless you're using an OLD version of pfSense… Resolver became the default quite a few versions back.

    "Obviously with DNS Forwarder everything is forced through 127.0.0.1 on the pfSense device"

    What??? Again, no!!

When I first acquired this hardware it did have an older version loaded onto it. I have not changed the default DNS settings until I started performing this configuration. So if you are saying Resolver is the new default, this would make sense.

I really haven't stretched the legs on this hardware.

I thought I read somewhere, when researching this yesterday, that DNS Forwarder was pointing traffic initially to 127.0.0.1. You are saying this isn't so. I believe you. I will need to do some more research on this subject.

@johnpoz:

    Here is what I would suggest. If you want to force a device to use some outside DNS service that blocks content for you, that is great. All for it, but please have some basic understanding of how DNS actually works before attempting to use such a service. Sorry, but pfSense pointing to itself for DNS does not force any of your clients to use pfSense for DNS, be it using the forwarder or the resolver.

I believed this to be true initially. However, I was trying to say that it 'seemed' to be forcing clients to use pfSense for DNS. After my results yesterday it appeared to be working. The issue that popped up was not a pfSense issue (I don't believe); it may be an issue with OpenDNS and Rawstream DNS. More than likely it is my configuration, and that is what I will tackle first.

@johnpoz:

    If your client is using X for DNS, then out of the box pfSense would have ZERO to do with that, be it using the forwarder or the resolver, or both just off altogether. Yes, pfSense out of the box with DHCP turned on will hand out in DHCP the IP address the DHCP server is running on for DNS, if the forwarder or the resolver is enabled. If they are not, then it will hand out what is in General Setup or what it got from the ISP via DHCP, etc.

    If you point your client to 8.8.8.8 for DNS, then that is what it will use! Period!!! And pfSense out of the box will not have anything to do with that. The default LAN rules are any-any and your client can talk to 8.8.8.8 or any other public DNS all it wants.

I will be starting from scratch later today. I plan to perform simple tests on the client without changing any pfSense settings. If I can get it to work, then I will know for sure it is a problem with my configuration and not any strange hardware behavior.

@johnpoz:

    If what you're saying is you're pointing a client to a DNS service and it's not filtering how you want it to filter, then either you're not actually asking them, or they are not filtering it how you think they should. But that has zero to do with pfSense using a forwarder or a resolver, or what pfSense points to for its own DNS.

Agreed.

Thank you for the help.

I will also be doing more reading on the differences between DNS Resolver and DNS Forwarder.
jgravert

@doktornotor:

    Actually, there's no problem with adapting this howto to OpenDNS or whatever: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

    1/ Use an alias with the subnet or IPs of the clients you want to force somewhere as the source.
    2/ Use another alias with the OpenDNS IPs as NOT destination, and the redirect IP (or redirect to localhost dnsmasq and it will forward those to OpenDNS).

I did run across this yesterday. I had thought that I could accomplish my task by simply using DHCP to reserve an IP for the devices in question, then apply an alternate DNS to the clients using DHCP.

Your idea would work also. I may give this another look later today.

Thank you.
jgravert

@jahonix:

    @jgravert:

        DNS Forwarder is running by default. I turned it off and turned on DNS Resolver. If I do not do this I get zero DNS.
        …
        now neither OpenDNS nor Rawstream DNS is seeing my requests from my WAN IP. That baffles me at the moment.

    Really?
    The DNS Forwarder asks OpenDNS or whatever DNS servers you use for name resolution.
    The DNS Resolver, however, queries down the tree to find which DNS server is responsible for your request and asks there directly. May I suggest you read a bit about the DNS Resolver and its differences from a forwarder?!

I plan to do exactly that. Thank you.
jgravert

@jahonix:

    Personally, if you have one 8yo and only want to restrict this cutie's access to the world, then
    a) segment your network! Get the 8yo's host off of your business network.
       I have yet to see a kid (or grandpa) that doesn't fetch a virus, and spreading that in your business LAN might be catastrophic…
    b) use DNS Resolver for everything but the kid.
    c) have DHCP push the OpenDNS server to the 8yo's PC, or configure that one statically.
       Even easier when this PC is hanging on a different segment.

I did think about doing it that way. I was trying to do a simple and quick method. As I stated in another reply, I am having DHCP reserve an IP for the devices, then applying an alternative DNS to them. After doing this is when things seemed to go haywire.

Thank you for the suggestion.
jgravert

BTW, this is the exact issue I am having: https://forum.pfsense.org/index.php?topic=99790.0

The only difference is I am trying to use 2 services that work the same way: 1) OpenDNS and 2) Rawstream DNS.
johnpoz (LAYER 8 Global Moderator)

I agree you seem to have the same issue that user was having in 2015: a lack of understanding of the difference between a forwarder and a resolver, and of how pfSense has ZERO to do with anything if you point your client to some outside DNS.

I can tell you for a fact that using the resolver in forwarder mode, or the forwarder pointing to OpenDNS, works, and queries are forwarded to OpenDNS. If they do not filter how you like, then that is on them.

Here I set pfSense DNS to OpenDNS, set my resolver to forwarder mode, and did a sniff on my WAN. Then I did a query for something, and you can clearly see pfSense forwards that query to the OpenDNS servers.

If you want a client to use a different DNS, then really that has zero to do with what pfSense is doing.

[attachment: opendnsforward.jpg (packet capture of the query forwarded to OpenDNS)]
jgravert

@johnpoz:

    If you want a client to use a different DNS, then really that has zero to do with what pfSense is doing.

I agree with that. And I was able to get the client to use a different DNS server. That all works as it should.

The issue comes when, for instance, I request a site that is supposed to be blocked/blacklisted: it doesn't blacklist it. It goes to it without the filtering. This is because OpenDNS and Rawstream DNS detect what IP the DNS request is coming from. Then, if an account associated with that IP is on their server, they apply that account's filter. (I probably shouldn't say they don't see my IP. I just don't know how else to explain it.)

What I have experienced is that OpenDNS and Rawstream DNS are not detecting my IP and therefore applying zero filtering. I don't understand why neither OpenDNS nor Rawstream DNS can see/link my IP to the request when I have the alternate configuration set up.

To me that is what doesn't make sense. Everything else you explained as to how pfSense works makes total sense.

This is above my pay grade. So to clarify: I can assign as many different DNS servers to as many different clients as I want, have the requests go through, and websites are reached no problem. It is only when I visit pages that are supposed to be blocked through either OpenDNS or Rawstream DNS that it doesn't block anything, and that can only mean that they are not, for some reason, applying my filters when the requests are made. This is what is confusing and what I cannot figure out at this point.
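The check this thread keeps circling (does the answer the client's configured DNS server returns match what the filtering service returns when asked directly?) can be done from the client without the WAN packet capture johnpoz used. This is an added example, not code from the thread, from pfSense or from either DNS service; the server addresses and host name are whatever you pass on the command line, it assumes plain UDP port 53 with no EDNS, and the response bytes in its self-test are constructed. If the two answer sets differ, the client's lookups are not ending up at the filtering service (a recursing resolver, a proxy or a cache is answering instead), which is a different problem from the service not applying the policy.

```python
#!/usr/bin/env python3
"""Resolve one name via two DNS servers and compare the A records.

Usage: python3 dnscompare.py CLIENT_DNS FILTER_DNS NAME
  CLIENT_DNS  the server ipconfig /all shows the client using
  FILTER_DNS  the filtering service's resolver, queried directly
"""
import random
import socket
import struct
import sys


def build_query(name, qid=None):
    """Minimal DNS A query: recursion desired, one question, no EDNS."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n


def parse_a_records(msg):
    """Return (rcode, sorted IPv4 answers) from a raw DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                   # CNAME/AAAA/etc. are skipped, not parsed
    return rcode, sorted(ips)


def query(server, name, timeout=3.0):
    """Send one UDP query to server and parse the reply (no TCP fallback)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("reply transaction id does not match the query")
    return parse_a_records(data)


def same_path(client_answer, filter_answer):
    """True when both servers gave the same rcode and the same A records."""
    return client_answer == filter_answer


if __name__ == "__main__":
    client_dns, filter_dns, name = sys.argv[1:4]
    via_client, via_filter = query(client_dns, name), query(filter_dns, name)
    print("via", client_dns, via_client, "| via", filter_dns, via_filter)
    print("same answer" if same_path(via_client, via_filter) else "different answer")
```

Run it against a name the service is supposed to block; the same (block-page) answer from both servers means the client path reaches the service, and the mismatch case points you back at the resolver, proxy or cache in between.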