Netgate Discussion Forum
    Can DHCP provide different DNS Server List to Specific LAN IPs

    • Slartibartfast

      I can't find any settings for the DNS Forwarder or DNS Server which look like they could be used to do what I need. I have a second gateway configured for my paid VPN, and a firewall rule which routes all traffic from any LAN PCs which are in a specific alias list through the VPN instead of the default gateway. This works fairly well but I just realized that the way I have things set up I am leaking all my DNS requests through the same DNS servers the main gateway is using.

      The problem is that some of the devices I'm routing through my VPN via pfSense (such as my smartphone) don't allow me to manually specify DNS servers on WiFi… the servers to use must come from DHCP. This means that even if I add the IP of my phone to the alias list, DNS lookups will always be via the pfSense DNS forwarder (and thus the open DNS servers) rather than the secure ones provided by the VPN. What I would really like is to be able to configure the pfSense DHCP server to provide a different DNS server list to clients if they are in that alias list which is routed through the VPN.

      If I haven't confused the hell out of everyone, does anyone know if there is any way to do something like this? Perhaps by grabbing port 53 requests and forcing them to a different IP?

      • awebster

        There isn't a specific way to set per-client overrides on the DHCP options. Windows DHCP server allows you to do this though.
        One possible alternative would be some NAT rules to make your client's DNS requests go to a different DNS server (i.e. the one on the VPN tunnel), irrespective of what DNS server they are "trying" to talk to.

        Set this NAT on the LAN interface: SRC=client IP, SRC port=ANY, DST=ANY, DST port=53, NAT IP=VPN-DNS-server, NAT Port=53

        That way any DNS request from client IP regardless of where it is being sent will get sent to VPN-DNS-server.

        –A.

        • kpa

          Yes there is a way and it's all in the GUI as well. You can edit the single address static leases to use different settings for DNS and other things. Then there is the "additional pools" options that allow you to define groups of addresses that use different DHCP settings.

          • awebster
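To make kpa's answer concrete, here is an added example (not code from the thread and not pfSense's own implementation) that models how an ISC-style DHCP server picks the DNS server list for a client in the order the GUI options imply: a static mapping for the client's MAC with its own DNS setting wins, otherwise the "additional pool" the client's address falls in, otherwise the subnet default. The chosen list is then encoded as DHCP option 6 (RFC 2132) and decoded back, so you can see exactly what the phone would receive. Every address, MAC and pool range below is a constructed sample value, and the resolver addresses are assumptions.

```python
"""Per-client DNS selection as a DHCP server would do it, plus option 6 wire encoding.
Added illustration: addresses, MACs and pool ranges are constructed sample values."""
import ipaddress

SUBNET_DNS = ["192.168.1.1"]   # assumed subnet default: the pfSense forwarder itself
VPN_DNS = ["10.8.0.1"]         # assumed resolver reachable only inside the VPN tunnel

# Constructed static mappings: MAC -> fixed address and optional DNS override
STATIC_MAPPINGS = {
    "00:11:22:33:44:55": {"ip": "192.168.1.50", "dns": VPN_DNS},  # the phone
    "66:77:88:99:aa:bb": {"ip": "192.168.1.51", "dns": None},     # mapped, no override
}

# Constructed additional pools: (inclusive range, DNS override or None); first match wins
POOLS = [
    (("192.168.1.200", "192.168.1.220"), VPN_DNS),   # "VPN clients" pool
    (("192.168.1.100", "192.168.1.199"), None),      # ordinary pool, inherits subnet default
]


def dns_servers_for(mac, offered_ip):
    """Return the DNS list the server hands to this client (static > pool > subnet)."""
    mapping = STATIC_MAPPINGS.get(mac.lower())
    if mapping and mapping["dns"]:
        return list(mapping["dns"])
    ip = ipaddress.ip_address(offered_ip)
    for (lo, hi), dns in POOLS:
        if ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi):
            return list(dns) if dns else list(SUBNET_DNS)
    return list(SUBNET_DNS)


def encode_option6(servers):
    """RFC 2132 option 6 (domain-name-servers): code 6, length 4*n, then the IPv4 addresses."""
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if not payload or len(payload) > 255:
        raise ValueError("option 6 carries 1..63 IPv4 addresses")
    return bytes([6, len(payload)]) + payload


def decode_options(blob):
    """Parse a run of DHCP TLV options; skips PAD (0) and stops at END (255)."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = blob[i + 1]
        options[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return options


def decode_dns(blob):
    """Extract the DNS server list from an encoded option run."""
    data = decode_options(blob).get(6, b"")
    return [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]


def offer_dns_option(mac, offered_ip):
    """Option 6 bytes (plus END) that would go into this client's DHCPOFFER/DHCPACK."""
    return encode_option6(dns_servers_for(mac, offered_ip)) + b"\xff"


if __name__ == "__main__":
    for mac, ip in [("00:11:22:33:44:55", "192.168.1.50"),
                    ("66:77:88:99:aa:bb", "192.168.1.51"),
                    ("de:ad:be:ef:00:01", "192.168.1.210"),
                    ("de:ad:be:ef:00:02", "192.168.1.120")]:
        print(f"{mac} at {ip} gets DNS {decode_dns(offer_dns_option(mac, ip))}")
```

The static mapping is the natural place for a device like the phone, since it cannot set its own resolver; the pool override covers any device whose lease lands in the VPN range without a fixed address.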

            Kpa, you're right. My memory must have been stuck on an older version that didn't support it.
            Nevertheless, the solution I presented also takes into account devices and applications that make DNS requests to hard-coded DNS servers, irrespective of the DHCP option values, thus "leaking" information outside the VPN tunnel. It is also a great way to make DNS work even if someone has statically configured their DNS servers. Macs have been known to not properly update DNS settings when moving from one WLAN to another.

            –A.

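The two awebster posts above make a point worth checking rather than assuming: the DHCP option only helps clients that honour it, while the port-53 NAT rule also catches hard-coded resolvers. The following added example (not from the thread, not pfSense code) models both halves. apply_rdr() does what the suggested LAN-side NAT rule does, rewriting any port-53 flow from an alias member to the VPN resolver whatever resolver the client asked for, and find_dns_leaks() scans a constructed, simplified flow log for DNS queries from alias members that still reached a resolver outside the tunnel. The alias members, resolver address and tunnel network are assumptions; the log lines are constructed.

```python
"""Model of the port-53 redirect plus a DNS-leak check over flow records.
Added illustration: alias list, resolver, tunnel network and log lines are constructed."""
import ipaddress

VPN_CLIENTS = {"192.168.1.50", "192.168.1.210"}      # constructed alias list of VPN-routed hosts
VPN_DNS = "10.8.0.1"                                  # assumed resolver inside the VPN tunnel
VPN_TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")  # assumed tunnel network


def apply_rdr(src, dst, proto, dport):
    """The LAN rdr rule: SRC in alias, DST any, DST port 53 -> VPN_DNS:53; other flows untouched."""
    if src in VPN_CLIENTS and dport == 53 and proto in ("udp", "tcp"):
        return (src, VPN_DNS, proto, 53)
    return (src, dst, proto, dport)


# Constructed, simplified flow log: "src dst proto dport", one flow per line.
# Line 1 is a hard-coded public resolver, line 3 is the pfSense forwarder (which
# itself forwards to the WAN resolvers), line 4 is a host outside the alias,
# line 5 is an HTTPS flow that no port-53 rule will ever see.
SAMPLE_FLOWS = """\
192.168.1.50 8.8.8.8 udp 53
192.168.1.50 10.8.0.1 udp 53
192.168.1.210 192.168.1.1 tcp 53
192.168.1.77 8.8.8.8 udp 53
192.168.1.210 1.1.1.1 udp 443
"""


def parse_flows(text):
    """Turn the flow log into (src, dst, proto, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, dport = parts
        flows.append((src, dst, proto, int(dport)))
    return flows


def find_dns_leaks(flows):
    """Port-53 flows from alias members whose destination is not inside the tunnel network."""
    leaks = []
    for src, dst, proto, dport in flows:
        if src not in VPN_CLIENTS or dport != 53:
            continue
        if ipaddress.ip_address(dst) not in VPN_TUNNEL_NET:
            leaks.append((src, dst, proto))
    return leaks


if __name__ == "__main__":
    observed = parse_flows(SAMPLE_FLOWS)
    print("without the rdr rule:", find_dns_leaks(observed))
    print("with the rdr rule:   ", find_dns_leaks([apply_rdr(*f) for f in observed]))
```

Run as-is, the check reports two leaks before the rule (the hard-coded 8.8.8.8 query and the query to the pfSense forwarder, which would leave through the default gateway's resolvers) and none after it. The HTTPS flow on line 5 is deliberately not flagged: a port-53 redirect says nothing about DNS carried over HTTPS or TLS, so a leak check that only looks at port 53 has that blind spot.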
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.