Multiple DHCP scopes / DNS Servers with local domain lookup

  • I've had pfsense on my home network running well for the last year or so. All systems receive an IP address from the single default DHCP range which also sets the DNS server to point to the pfsense DNS Resolver. I've got young kids that are starting to use computers and I'd like to sanitize the internet using OpenDNS for their systems. I've created a second DHCP pool and configured that to use OpenDNS DNS servers and using allow / deny I can get systems to pick up the correct DNS servers. The one thing I'm not able to get working however is DNS for the local network so that the home computers can still talk to each other once they have OpenDNS DNS servers listed instead of the DNS Resolver. If I add the pfsense address to the list of DNS servers then the OpenDNS servers don't get used and Internet isn't sanitized.

    Is this possible and I'm just missing some setting / logic, or do I need to go about this some other way?


  • LAYER 8 Global Moderator

    You need to go about it a different way.

    Why are you using different pools?  Just set up a reservation for your kids to always get the same IP for starters - much easier than setting allow/deny in your pools.

    If you want your kids to be able to do local dns what I would do is setup a view and set that view to forward.. something like this

    view "internet" {
        match-clients { kids; };   # "kids" is an acl listing the kids' addresses
        recursion yes;             # forwarding only applies to recursive queries, so keep it on
        forward only;              # never fall back to resolving on our own
        forwarders {
            <opendns address>;     # opendns
            <opendns address>;     # opendns
        };
    };

    While unbound does support views, not sure if you can setup forwarders directly in the view.. Would have to do a bit of research - should be able to do it???  But Bind for sure can do it.

    Other option without using views in either unbound or bind would be to let your kids use forwarder on a different port via port forward for their IP dns queries to the port dnsmasq is listening on.. say 5300, now queries from kids get forwarded to forwarder that forwards to opendns… While normal queries to 53 go to unbound and get resolved.  Both would be able to resolve any local stuff you setup in your host overrides..

    Views are much cleaner.  Other option just run a different dns on your network that has a forwarder rule for the domain you're using to forward to pfsense, anything else gets forwarded to opendns, etc.. Point your kids to that dns - lots of ways to skin this cat - yours just not one of them.

    edit:  Doesn't seem like you can put forward options under a view you create in unbound?  So if you wanted to go the view route you would have to install the bind package and use it vs unbound.. It supports dnssec and views.. And can be full authoritative, etc.
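
    Worked example of the view approach johnpoz describes, added here and not part of either post or the pfSense bind package defaults: a complete named.conf sketch with one view that forwards the kids' machines to OpenDNS and one view that resolves normally for everyone else, with the local zone served in both. The LAN addresses, the "kids" acl members, the zone name home.lan and the zone file path are assumptions; the two forwarder addresses are OpenDNS's public resolvers.

```conf
# Added example (not from the original thread): split-view named.conf.
# Assumed: pfSense LAN is 192.168.1.1/24, kids' PCs have DHCP reservations
# for 192.168.1.50 and .51, local zone is "home.lan" in /var/named/home.lan.zone.

acl "kids" {
    192.168.1.50;          # assumed: kids' PC (fixed lease)
    192.168.1.51;          # assumed: kids' tablet (fixed lease)
};

options {
    directory "/var/named";
    listen-on { 192.168.1.1; };          # assumed LAN address
    allow-query { 192.168.1.0/24; };     # LAN only, never the WAN side
    dnssec-validation auto;
};

# Kids: local zone answered here, everything else forwarded to OpenDNS.
# forward only + recursion yes is what makes the forwarders actually used;
# with recursion off BIND would just refuse non-local names.
view "kids" {
    match-clients { kids; };
    recursion yes;
    forward only;
    forwarders {
        208.67.222.222;    # OpenDNS public resolver
        208.67.220.220;    # OpenDNS public resolver
    };
    zone "home.lan" {
        type master;
        file "home.lan.zone";
    };
};

# Everyone else: same local zone, normal recursive resolution via root hints.
# Views do not share zones, so the zone has to be declared in each view.
view "internal" {
    match-clients { any; };
    recursion yes;
    zone "home.lan" {
        type master;
        file "home.lan.zone";
    };
};
```

    Views are matched top to bottom on the client's source address, so the kids' view must come first. The filtering only holds while those machines actually use pfSense for DNS; a LAN firewall rule that allows outbound TCP/UDP 53 only from the pfSense address keeps a manually entered resolver on a kid's PC from bypassing the view.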

  • Thanks johnpoz for the detailed response and doubly so for taking the time to test.

    I didn't realise quite how out of my depth I was with this; thought it would be relatively simple. I don't really want to run a second DNS server if I can avoid it and I'm a bit concerned Bind might not be as easy to configure as I've found the forwarder (with built in wizards) until I have a lot of time to play and learn.

    What I'd hoped would be possible was to configure the pfsense forwarder to hold the local network records and everything else to pass to the next DNS server on the list. Even if that was possible I guess that would mean all DNS requests would have to go to Internet rather than being cached locally so maybe that's not a great idea either.

    Thanks again for the suggestions, I'll need to consider my options I think.
