Can DHCP provide different DNS Server List to Specific LAN IPs

  • I can't find any settings for the DNS Forwarder or DNS Server which look like they could be used to do what I need. I have a second gateway configured for my paid VPN, and a firewall rule which routes all traffic from any LAN PCs which are in a specific alias list through the VPN instead of the default gateway. This works fairly well but I just realized that the way I have things set up I am leaking all my DNS requests through the same DNS servers the main gateway is using.

    The problem is that some of the devices I'm routing through my VPN via pfSense (such as my smartphone) don't allow me to manually specify DNS servers on WiFi… the servers to use must come from DHCP. This means that even if I add the IP of my phone to the alias list, DNS lookups will always be via the pfSense DNS forwarder (and thus the open DNS servers) rather than the secure ones provided by the VPN. What I would really like is to be able to configure the pfSense DHCP server to provide a different DNS server list to clients if they are in that alias list which is routed through the VPN.

    If I haven't confused the hell out of everyone, does anyone know if there is any way to do something like this? Perhaps by grabbing port 53 requests and forcing them to a different IP?

  • There isn't a specific way to set per-client overrides on the DHCP options. Windows DHCP server allows you to do this though.
    One possible alternative would be some NAT rules to make your client's DNS requests go to a different DNS Server (i.e. the one on the VPN tunnel), irrespective of what DNS server they are "trying" to talk to.

    Set this NAT on the LAN interface: SRC=client IP SRC port=ANY  DST=ANY DST port=53 NAT IP=VPN-DNS-server NAT Port=53

    That way any DNS request from client IP regardless of where it is being sent will get sent to VPN-DNS-server.

  • Yes there is a way and it's all in the GUI as well. You can edit the single address static leases to use different settings for DNS and other things. Then there is the "additional pools" options that allow you to define groups of addresses that use different DHCP settings.

  • Kpa, you're right. My memory must have been stuck on an older version that didn't support it.
    Nevertheless, the solution I presented also takes into account devices and applications that make DNS requests to hard-coded DNS servers, irrespective of the DHCP option values, thus "leaking" information outside the VPN tunnel. It is also a great way to make DNS work even if someone has statically configured their DNS servers. Macs have been known to not properly update DNS settings when moving from one WLAN to another.
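To make the two approaches above concrete, here is what the ISC dhcpd configuration behind the GUI settings from the third post (an additional pool and a static mapping, each with its own DNS option) looks like, followed by the pf redirect rule behind the NAT approach in the second post. This is an added illustration, not configuration taken from the thread or from pfSense itself; the interface em0, the subnet 192.168.1.0/24, the MAC address and the VPN resolver 10.8.0.1 are assumed.

```conf
# --- Part 1: ISC dhcpd configuration as pfSense generates it from the GUI ---
# (illustrative; pfSense writes this file itself, you do not edit it by hand)
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;

    # default pool: clients get the router's own DNS forwarder
    pool {
        range 192.168.1.100 192.168.1.199;
        option domain-name-servers 192.168.1.1;
    }

    # "additional pool" for VPN-routed clients with a different DNS option
    pool {
        range 192.168.1.200 192.168.1.219;
        option domain-name-servers 10.8.0.1;   # resolver reachable only inside the tunnel
    }
}

# static mapping for one device, overriding DNS just for that host
host phone {
    hardware ethernet 00:11:22:33:44:55;       # constructed MAC address
    fixed-address 192.168.1.210;
    option domain-name-servers 10.8.0.1;
}

# --- Part 2: pf equivalent of the NAT redirect from the second answer ---
# the pfSense alias of VPN-routed clients becomes a pf table
table <vpn_clients> { 192.168.1.210, 192.168.1.211 }

# catch plain DNS on port 53 regardless of which server the client asked for
rdr on em0 proto { tcp udp } from <vpn_clients> to any port 53 -> 10.8.0.1 port 53

# caveat: this only catches classic DNS on port 53; DNS over TLS (853) or
# DNS over HTTPS (443) from the same client still bypasses the redirect, so
# block those outbound on the default gateway for these clients if you rely on it
```

The DHCP options stop the leak only for clients that honour them, while the redirect also covers hard-coded resolvers, which is why the two are complementary rather than alternatives.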
