Best configuration option for forced OpenDNS and ability to create override clients



  • There seems to be more than one way to skin this cat, so I'm wondering if maybe there's a better/best way to do it.

    Essentially, what I want to do is: Ensure that all DHCP clients receive the OpenDNS addresses (for filtering) and then block requests if they happen to manually enter a non-OpenDNS server. Then... I want to be able to create/update (ideally) an alias list of client addresses that ARE allowed to reach non-OpenDNS servers.

    Thoughts?


  • Rebel Alliance Global Moderator

    Just create an allow rule above your any-any LAN rule that uses your alias as source and allows dest tcp/udp 53.

    Then below that create a block rule to tcp/udp 53, then below that would be your any-any rule.



  • @johnpoz

    On the second rule, the block rule to tcp/udp port 53... wouldn't that then prevent all the others from accessing DNS completely? Wouldn't this second block rule instead be something that restricts those non-privileged users to only using the address of pfSense for DNS? Or... is this somehow maybe understood automatically that it would allow this?


  • Rebel Alliance Global Moderator

    You are correct, sir - my bad. You need an allow rule to the OpenDNS IPs above your block that is allowed by any. Good catch and my bad.
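For reference, here is the corrected rule order from this thread written out as a pf-style ruleset. This is an added example, not config posted by anyone in the thread; pfSense generates rules like these from the GUI, and the interface name and the client addresses in the tables are assumed values.

```pf
# Added example (not from the thread): pf-style equivalent of the LAN rule order
# described above. The interface macro and the client addresses are assumptions.
lan = "em1"

# Alias of clients allowed to reach any DNS server (assumed addresses).
table <dns_override_clients> { 192.168.1.50, 192.168.1.51 }
# OpenDNS public resolvers (verify against OpenDNS's current documentation).
table <opendns> { 208.67.222.222, 208.67.220.220 }

# 1. Override clients may talk to any DNS server.
pass in quick on $lan inet proto { tcp udp } from <dns_override_clients> to any port 53
# 2. Everyone on the LAN may reach OpenDNS (the rule that was missing in the first reply;
#    without it, rule 3 would cut every other client off from DNS entirely).
pass in quick on $lan inet proto { tcp udp } from $lan:network to <opendns> port 53
# 3. All other DNS to any other server is blocked and logged.
block in log quick on $lan inet proto { tcp udp } from $lan:network to any port 53
# 4. The usual LAN any-any rule, last.
pass in quick on $lan inet from $lan:network to any
```

Order matters because these are first-match (quick) rules, so moving rule 3 above rule 2 reintroduces the problem raised in the question. Note this only covers plain DNS on port 53; a client using DNS over TLS (853) or DNS over HTTPS is not caught by it.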