External DNS Query Blocking



  • I found the official guide that mentions how to enforce OpenDNS on your network rather than it being bypassed on individual computers. This link.

    https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

    First, I discovered the possibility on another site that was using the method at the bottom of the official guide. This link.

    https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

    My question is why are these 2 methods listed as if they can be used in conjunction? They seem to do the same thing. Is one way better? Should I do both?


  • LAYER 8 Global Moderator

    There are many ways to skin a cat.. One is a block.. So if a user is not using DNS that is allowed, it's blocked and the user gets back no answer to their query.

    In a redirect… the user thinks he is using DNS 1.2.3.4 and gets redirected to where you want his DNS to go..

    Neither of them needs to be done.  Unless you feel there is some reason.  I do neither of those on my network because there is no point to them from my point of view.



  • I see now. Thanks. I understand how one redirects and the other blocks. This will be useful to me at times. I don't quite understand the point of using them together now. If you redirect DNS requests to pfSense, why would you block those same requests when they are getting redirected to the place you want them to go?


  • LAYER 8 Global Moderator

    You wouldn't, but you might redirect only specific DNS, for example.. and block the rest, or any sort of odd combination.

    Maybe you let IP X use only 8.8.8.8, and if it tries to use 1.2.2.4, redirect..  While maybe you just plain block IP Y because you don't want it to get any DNS, etc. etc..

    Lots of ways to skin that cat you're wanting to skin ;)


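The combination the moderator describes (redirect everything except one host's permitted resolver, block another host outright), written here as an added example in the raw pf rule syntax that pfSense builds from its NAT and firewall pages; this is not from the forum thread or the pfSense docs, and the interface name, the host addresses and the resolver address are constructed.

```pf
# Constructed example: pf.conf-style rules for the policy discussed above.
# pfSense generates rules like these from the GUI; they are not typed in by hand.
lan_if   = "igb1"          # constructed LAN interface name
resolver = "127.0.0.1"     # the firewall's own DNS resolver (pfSense redirect target)
host_x   = "192.0.2.10"    # constructed: may talk to 8.8.8.8 only
host_y   = "192.0.2.20"    # constructed: gets no DNS at all

# --- translation rules: pf evaluates these before the filter rules ---
# host_x: queries already aimed at 8.8.8.8 are left untouched ...
no rdr on $lan_if proto { tcp udp } from $host_x to 8.8.8.8 port 53
# ... any other external resolver it tries is silently sent to the firewall instead
rdr on $lan_if proto { tcp udp } from $host_x to ! ($lan_if) port 53 -> $resolver port 53
# everyone else on the LAN: redirect all DNS not aimed at the firewall (the "Redirecting" doc page)
rdr on $lan_if proto { tcp udp } from $lan_if:network to ! ($lan_if) port 53 -> $resolver port 53

# --- filter rules: these see the destination as it is after redirection ---
# host_y: blocked first with "quick", so no later pass rule can let its DNS through
block in quick on $lan_if proto { tcp udp } from $host_y to any port 53
# DNS to the firewall itself, whether sent there directly or arriving via the redirect
pass in quick on $lan_if proto { tcp udp } from $lan_if:network to ($lan_if) port 53
pass in quick on $lan_if proto { tcp udp } from $lan_if:network to $resolver port 53
# host_x's one permitted direct path
pass in quick on $lan_if proto { tcp udp } from $host_x to 8.8.8.8 port 53
# anything else on port 53 that was not redirected is dropped (the "Blocking" doc page)
block in quick on $lan_if proto { tcp udp } from $lan_if:network to any port 53
```

Rule order carries the policy: the `no rdr` exception must precede the host_x redirect, and the host_y block must precede the pass rules, or the later, more general rule wins.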