    VLAN, lans and OpenDNS?

    DHCP and DNS
Velcro

      :(

      I have tried getting opendns to work with my configuration with little luck.

      Details about my configuration:
      1. I have LAN, AppleTV and an opt1 that is the parent to numerous VLANs
      2. I use a PIA vpn for my interface traffic(except Apple TV)

      Steps I have taken:
      1. System->General setup - OpenDNS servers entered, "Dns server override" is checked
      2. Rules for each VLAN and interface are similar to those attached
      3. In services->DHCP Server->"each interface" does not have OpenDNS IPs detailed under "DNS servers"

      I am trying to take advantage of OpenDNS phishing and malware protection…I have an account with OpenDNS however I am not necessarily looking for content filtering, I just want to use 208.67.222.222 and 208.67.220.220 for all my dns queries.

      Anyone have advice? I think my answer is either in my rules, general setup or dhcp servers settings?


      awebster

        Hi,

        The example you show has 0 bytes hitting that DNS rule, so maybe the device isn't sending packets where you expect it.
        Basic troubleshooting: what DNS servers are configured on the client devices? Make sure that it shows the pfsense device as the DNS server.

        Velcro

          Thanks awebster…

          I have attached another screen shot with updates. The dns on my device (iPad in this case) is showing the ip for the IPv4 address I created in "Interface->IOTVLAN".

          From this screenshot I can see "bytes" are hitting that rule (thanks for that quick troubleshooting tip!)

          I am able to get internet access and all is working however I am not using opendns?

          🙁


          johnpoz (LAYER 8 Global Moderator)

            pfsense out of the box would use unbound in resolver mode, so it would be resolving not forwarding. If you want clients that ask pfsense for dns to just be forwarded to opendns then you would have to set up unbound in forwarder mode, or use the forwarder not unbound.

            Or just point your client directly to opendns via dhcp, etc.

            awebster

              What tells you that it isn't using OpenDNS?

              The normal function is device talks to DNS service (forwarder or resolver) running on pfSense.
              If it is configured as a forwarder, it sends queries to the configured DNS servers in System->General Setup.
              If it is configured as a resolver (default), it actually resolves the DNS names by chasing down the references starting from the top, so in this instance it would not be using OpenDNS at all.

              Velcro

                What tells me I am not using OpenDNS is when I go to the following web page on the OpenDNS site from my client:

                https://support.opendns.com/hc/en-us/articles/227986567-How-to-test-for-successful-OpenDNS-configuration-

                I would think using OpenDNS would be more "secure"? I think I would want to configure pfsense as a forwarder?

                Johnpoz, when you say:

                "Or just point your client directly to opendns via dhcp, etc."

                Are you referring to adding the OpenDNS IPs into the Services->DHCP Server->Interface field labeled "Server-DNS servers"?

                Thanks again to both for your response…

                awebster

                  Whether OpenDNS is more "secure" is open to debate, but that's not the issue here.
                  You can either use the forwarder, or as Johnpoz suggests, putting the DNS servers into the DHCP configuration so that they are given out to the clients.
                  You will need a rule to allow DNS queries out to OpenDNS if you select the latter option.

                  Velcro

                    Thanks again to all…I tried both settings.

                    I tried putting the DNS servers into the DHCP configuration, via Services->DHCP Server->Interface field labeled "Server-DNS servers". Immediately saw it was blocked... specifically the OpenDNS IPs.

                    I then changed from resolver to forwarder: I unchecked both dns server override and disable dns forwarder in DNS Server Settings under System->General. I only "enabled forwarder" (disabled dns resolver).

                    I went to the OpenDNS test and it's working:
                    https://support.opendns.com/hc/en-us/articles/227986567-How-to-test-for-successful-OpenDNS-configuration-

                    Thanks again...

                    johnpoz (LAYER 8 Global Moderator)

                      "DHCP Server->Interface field labeled "Server-DNS servers". Immediately saw it was blocked….specifically the OpenDNS IPs."

                      huh? You do understand that if your client is going to be directly talking to opendns you would have to allow it on your firewall rules. And 2nd you would have to make sure the client updated its lease or got a new one so it actually changed to using opendns directly.

                      Velcro

                        I did see it blocked; I wasn't sure of what the rule would look like, but I assume the new rule would simply be changing the "destination" to an OpenDNS alias consisting of both OpenDNS IPs, with port 53 also as destination?

                        Is it better practice to use dns resolver (putting the DNS servers into the DHCP configuration) over using dns forwarder?

                        awebster

                          Yes, the rule is source=any, destination=alias of OpenDNS servers, port=53. Make sure you specify TCP+UDP in the protocol: while UDP is primarily used for DNS, it will fall back to TCP under certain circumstances.

                          As far as better practice… pick what you're most comfortable with...

                          • DNS Forwarder = one place to control DNS behavior regardless of clients.

                          • DHCP config = requires the device's lease to renew (or device to reboot and/or reconnect) for the device to see the changes.

                          Velcro
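The fallback awebster mentions is the reason the rule has to pass both protocols: a resolver answers over UDP, and when the answer does not fit it sets the TC (truncated) bit, after which a well-behaved client repeats the same query over TCP port 53. A UDP-only rule lets the first exchange through and silently breaks the retry. The following is an added example, not code from the thread or from pfSense; it is a minimal DNS client that shows that exact behaviour. The OpenDNS addresses are the two named in the thread; `resolve()` opens real sockets and is the only part that needs network access, everything else runs offline on constructed sample headers.

```python
"""Minimal DNS client illustrating the UDP-first, TCP-on-truncation behaviour
that makes a TCP+UDP port 53 firewall rule necessary.

Added example (not from the forum thread or from pfSense).  Assumptions: the
resolver addresses are the two OpenDNS servers quoted in the thread, and the
sample responses below are constructed by hand for offline checks.
"""
import socket
import struct

# From the thread: the two OpenDNS resolvers the poster wants all queries to use.
OPENDNS_SERVERS = ("208.67.222.222", "208.67.220.220")
DNS_PORT = 53

# DNS header flag bits (RFC 1035, section 4.1.1).
FLAG_QR = 0x8000  # response (set) vs. query (clear)
FLAG_TC = 0x0200  # message was truncated; client should retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
RCODE_MASK = 0x000F


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query for `name` with recursion desired."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 16-bit big-endian length."""
    return struct.pack("!H", len(message)) + message


def header_flags(response: bytes) -> int:
    """Return the 16-bit flags word of a DNS message."""
    if len(response) < 12:
        raise ValueError("DNS header is 12 bytes; got %d" % len(response))
    return struct.unpack("!H", response[2:4])[0]


def is_truncated(response: bytes) -> bool:
    """True when the server set TC, i.e. the client must retry over TCP."""
    return bool(header_flags(response) & FLAG_TC)


def response_code(response: bytes) -> int:
    """RCODE from the flags word: 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN."""
    return header_flags(response) & RCODE_MASK


def next_transport(udp_response: bytes) -> str:
    """Decide what a client does after the UDP reply: keep it, or retry on TCP."""
    return "tcp" if is_truncated(udp_response) else "udp"


def is_opendns(server: str) -> bool:
    """Check a configured server against the OpenDNS alias used in the rule."""
    return server in OPENDNS_SERVERS


def resolve(name: str, server: str, timeout: float = 2.0):
    """Query `server` over UDP, retrying over TCP if the reply is truncated.

    Returns (raw_response, transport_used).  Requires network access.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, DNS_PORT))
        response, _ = udp.recvfrom(4096)
    if next_transport(response) == "udp":
        return response, "udp"
    # Truncated: the same query again, this time length-prefixed over TCP.
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        length = struct.unpack("!H", tcp.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = tcp.recv(length - len(data))
            if not chunk:
                raise ConnectionError("TCP DNS stream closed early")
            data += chunk
    return data, "tcp"


# Constructed sample headers (no answer section) for offline checks.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
SAMPLE_COMPLETE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 3, 1, 0, 0, 0)

if __name__ == "__main__":
    print("truncated reply ->", next_transport(SAMPLE_TRUNCATED))
    print("complete reply  ->", next_transport(SAMPLE_COMPLETE))
```

The point for the firewall rule is in `resolve()`: the second connection is a plain TCP session to the same alias and port, so a rule that names only UDP blocks it, and the client sees a timeout after an answer it cannot use. When checking a client's configured server, `is_opendns()` mirrors the alias approach from the thread rather than matching on a single address.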

                            Thank you awebster and Johnpoz…you rock!
