VLAN, lans and OpenDNS?

  • :(

    I have tried getting OpenDNS to work with my configuration with little luck.

    Details about my configuration:
    1. I have LAN, AppleTV and an opt1 that is the parent to numerous VLANs
    2. I use a PIA VPN for my interface traffic (except Apple TV)

    Steps I have taken:
    1. System->General Setup - OpenDNS servers entered, "DNS server override" is checked
    2. Rules for each VLAN and interface are similar to those attached
    3. In Services->DHCP Server->"each interface" does not have OpenDNS IPs detailed under "DNS servers"

    I am trying to take advantage of OpenDNS phishing and malware protection… I have an account with OpenDNS; however, I am not necessarily looking for content filtering, I just want to use it for all my DNS queries.

    Anyone have advice? I think my answer is either in my rules, general setup or DHCP server settings?

  • Hi,

    The example you show has 0 bytes hitting that DNS rule, so maybe the device isn't sending packets where you expect it.
    Basic troubleshooting: what DNS servers are configured on the client devices? Make sure that it shows the pfSense device as the DNS server.

  • Thanks awebster…

    I have attached another screenshot with updates. The DNS on my device (iPad in this case) is showing the IP for the IPv4 address I created in "Interface->IOTVLAN".

    From this screenshot I can see "bytes" are hitting that rule (thanks for that quick troubleshooting tip!)

    I am able to get internet access and all is working; however, I am not using OpenDNS?


  • LAYER 8 Global Moderator

    pfSense out of the box would use Unbound in resolver mode, so it would be resolving, not forwarding. If you want clients that ask pfSense for DNS to just be forwarded to OpenDNS then you would have to set up Unbound in forwarder mode, or use the forwarder, not Unbound.

    Or just point your client directly to OpenDNS via DHCP, etc.

  • What tells you that it isn't using OpenDNS?

    The normal function is: the device talks to the DNS service (forwarder or resolver) running on pfSense.
    If it is configured as a forwarder, it sends queries to the configured DNS servers in System->General Setup.
    If it is configured as a resolver (default), it actually resolves the DNS names by chasing down the references starting from the top, so in this instance it would not be using OpenDNS at all.

    What tells me I am not using OpenDNS is when I go to the following web page on the OpenDNS site from my client:

    I would think using OpenDNS would be more "secure"? I think I would want to configure pfSense as a forwarder?

    Johnpoz, when you say:

    "Or just point your client directly to opendns via dhcp, etc."

    Are you referring to adding the OpenDNS IPs into the Services->DHCP Server->Interface field labeled "Server-DNS servers"?

    Thanks again to both for your response…

    Whether OpenDNS is more "secure" is open to debate, but that's not the issue here.
    You can either use the forwarder or, as Johnpoz suggests, put the DNS servers into the DHCP configuration so that they are given out to the clients.
    You will need a rule to allow DNS queries out to OpenDNS if you select the latter option.

    Thanks again to all… I tried both settings.

    I tried putting the DNS servers into the DHCP configuration, via Services->DHCP Server->Interface field labeled "Server-DNS servers". Immediately saw it was blocked... specifically the OpenDNS IPs.

    I then changed from resolver to forwarder: I unchecked both "DNS server override" and "Disable DNS forwarder" in DNS Server Settings under System->General. I only "enabled forwarder" (disabled DNS resolver).

    I went to the OpenDNS test and it's working:

    Thanks again...

  • LAYER 8 Global Moderator

    "DHCP Server->Interface field labeled "Server-DNS servers". Immediately saw it was blocked… specifically the OpenDNS IPs."

    Huh? You do understand that if your client is going to be directly talking to OpenDNS you would have to allow it in your firewall rules. And second, you would have to make sure the client updated its lease or got a new one so it actually changed to using OpenDNS directly.

    I did see it blocked; I wasn't sure what the rule would look like, but I assume the new rule would simply be changing the "destination" to an OpenDNS alias consisting of both OpenDNS IPs, with port 53 also as destination?

    Is it better practice to use DNS resolver (putting the DNS servers into the DHCP configuration) over using DNS forwarder?

    Yes, the rule is source=any, destination=alias of OpenDNS servers, port=53. Make sure you specify TCP+UDP in the protocol; while UDP is primarily used for DNS, it will fall back to TCP under certain circumstances.

    As far as better practice… pick what you're most comfortable with...

    • DNS Forwarder = one place to control DNS behavior regardless of clients.

    • DHCP config = requires the device's lease to renew (or device to reboot and/or reconnect) for the device to see the changes.
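    The rule awebster describes (source any, destination an alias of the OpenDNS servers, port 53, protocol TCP+UDP) can be checked with a small first-match model of pfSense-style interface rules. This is an added example, not code from the thread or from pfSense: the OpenDNS addresses are the ones OpenDNS publishes for its resolvers (assumed here, verify against OpenDNS's own documentation), the "block other port 53" rule is an assumption added to show why rule order matters, and the non-OpenDNS addresses are constructed TEST-NET values. It shows what happens to the client's UDP query, to the TCP retry a client makes after a truncated (TC bit) UDP answer, and to a query sent at some other resolver, under a UDP-only rule, under the correct TCP+UDP rule, and under a correct rule placed below a port-53 block.

```python
# Added example (not from the thread or pfSense): first-match model of the
# interface rules discussed above, to show that the "allow DNS to OpenDNS" rule
# must cover both UDP and TCP and must sit above any rule that blocks port 53.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# OpenDNS's published resolver addresses (assumed here; check OpenDNS's docs).
OPENDNS_ALIAS: FrozenSet[str] = frozenset({"208.67.222.222", "208.67.220.220"})
ANY: FrozenSet[str] = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    protos: FrozenSet[str]       # {"udp"} or {"udp", "tcp"} (pfSense "TCP/UDP")
    dst: FrozenSet[str]          # destination IPs (an alias), or ANY
    dport: Optional[int] = None  # destination port, None = any port


def evaluate(rules: List[Rule], proto: str, dst_ip: str, dport: int) -> str:
    """pfSense evaluates interface rules top-down and the first match wins.
    Traffic matching no rule is dropped by the implicit default deny."""
    for rule in rules:
        if proto not in rule.protos:
            continue
        if rule.dst != ANY and dst_ip not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "block"


# Rule set A: the common mistake, UDP only, so the TCP retry is caught by the block.
RULES_UDP_ONLY = [
    Rule("pass", frozenset({"udp"}), OPENDNS_ALIAS, 53),
    Rule("block", frozenset({"udp", "tcp"}), ANY, 53),  # assumed: keep clients on OpenDNS
    Rule("pass", frozenset({"udp", "tcp"}), ANY),       # the usual "allow all" LAN rule
]

# Rule set B: what awebster describes: TCP+UDP to the OpenDNS alias, port 53, listed first.
RULES_TCP_UDP = [
    Rule("pass", frozenset({"udp", "tcp"}), OPENDNS_ALIAS, 53),
    Rule("block", frozenset({"udp", "tcp"}), ANY, 53),
    Rule("pass", frozenset({"udp", "tcp"}), ANY),
]

# Rule set C: right protocols, wrong order: the port-53 block shadows the OpenDNS pass.
RULES_SHADOWED = [
    Rule("block", frozenset({"udp", "tcp"}), ANY, 53),
    Rule("pass", frozenset({"udp", "tcp"}), OPENDNS_ALIAS, 53),
    Rule("pass", frozenset({"udp", "tcp"}), ANY),
]


def dns_query_outcomes(rules: List[Rule]) -> Dict[str, str]:
    """Outcomes for the flows a client produces once DHCP hands it OpenDNS directly.
    A UDP answer that does not fit (TC bit set) makes the client retry over TCP."""
    return {
        "udp_to_opendns": evaluate(rules, "udp", "208.67.222.222", 53),
        "tcp_fallback_to_opendns": evaluate(rules, "tcp", "208.67.222.222", 53),
        "udp_to_other_resolver": evaluate(rules, "udp", "203.0.113.53", 53),  # constructed
        "https_to_web": evaluate(rules, "tcp", "203.0.113.80", 443),          # constructed
    }


if __name__ == "__main__":
    for name, rules in (("udp_only", RULES_UDP_ONLY),
                        ("tcp_udp", RULES_TCP_UDP),
                        ("shadowed", RULES_SHADOWED)):
        print(name, dns_query_outcomes(rules))
```

    Running it shows the UDP-only rule set passing the UDP query but blocking the TCP retry, the TCP+UDP rule set passing both while still blocking queries aimed at other resolvers, and the shadowed rule set blocking OpenDNS entirely, which is the "immediately saw it was blocked" symptom described earlier in the thread when no matching pass rule is evaluated first.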

  • Thank you awebster and Johnpoz…you rock!
