Different DNS Forwards for each VLAN + Internal DNS



  • Hello,

    I have a configuration challenge I’m trying to sort through and would appreciate any help!

    I have three networks:

    VLAN 10 - 192.168.1.0 - Students
    VLAN 20 - 192.168.2.0 - Teachers
    VLAN 30 - 192.168.3.0 - Guests

    We use a hosted content filtering solution and the rule sets are available to us on various public DNS IPs. In our case, here is an example of the DNS servers I need each VLAN to use:

    VLAN 10 -> 1.1.1.1
    VLAN 20 -> 2.2.2.2
    VLAN 30 -> 3.3.3.3

    For VLAN 30, this is easy because I can simply add 3.3.3.3 into the DHCP scope and I’m off and running.

    However, for VLAN 10 and 20, we have internal services that I need accessible by name. So, my question is, how do I configure pfSense to have an internal DNS database that can perform local lookups and then forward queries to a specific public DNS server based on VLAN/interface?

    Thank you in advance!
    Jason



  • While I don't know about using different resolvers per-subnet, you can use the built-in resolver's host or domain overrides to return your chosen values for specific requests.
    My understanding is that the pfSense built-in resolver is going to use the same underlying DNS servers for all name resolution, however, as you put it, you can always override what DNS servers are used in the DHCP configuration.
    In your specific instance, if you use 3.3.3.3 for VLAN 30, and the router_IP_of_pfSense for VLAN 10 and 20, pfSense can then be pointed to your public-facing content filtering DNS servers and you can respond to requests for internal DNS resources as well.

    See: https://docs.netgate.com/pfsense/en/latest/dns/unbound-dns-resolver.html


  • LAYER 8 Global Moderator

    @JasonHarper said in Different DNS Forwards for each VLAN + Internal DNS:

    internal DNS database that can perform local lookups and then forward queries to a specific public DNS server based on VLAN/interface?

    You do understand you now have a common cache.. So if a teacher goes to something like teachersallowed.com, it will then be cached... Then a student tries to go there and, since it is cached, they will look it up from the cache..

    You cannot do what you're asking to do when you have a local cache that is shared.. You would need 3 different NS locally so that your caches are different; these 3 can do a delegated forward to your local DNS running on pfSense for local resources.

    Sure, you could set up a view so vlanX gets forwarded here and vlanY gets sent there.. But your problem is going to be the common cache.
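The shared-cache problem described in the reply above, as an added example that is not part of this thread and not code from pfSense or Unbound: a small Python model of a forwarder that sends each VLAN to its own upstream filter (the thread's placeholder 1.1.1.1 / 2.2.2.2 / 3.3.3.3) and answers internal names from local data first. The filter answers, the internal hostname and the VLAN-to-upstream mapping are constructed so it runs offline, and TTLs are ignored. Keying the cache on the name alone reproduces the leak; keying it on (VLAN, name) models the separate-cache-per-VLAN setup the reply recommends.

```python
"""Toy model of a caching DNS forwarder with one upstream filter per VLAN.

Added example only: not code from this thread, pfSense or Unbound. All names,
addresses and filter answers are constructed so the script runs offline, and
TTLs are ignored (a real cache would expire entries).
"""

# Constructed upstream "filter" answers: name -> address, None = blocked/NXDOMAIN.
# 1.1.1.1 / 2.2.2.2 / 3.3.3.3 are the placeholder filter IPs from the thread.
UPSTREAM = {
    "1.1.1.1": {"teachersallowed.com": None, "example.org": "93.184.216.34"},
    "2.2.2.2": {"teachersallowed.com": "203.0.113.10", "example.org": "93.184.216.34"},
    "3.3.3.3": {"teachersallowed.com": None, "example.org": None},
}

# Which filter each VLAN is supposed to use (mapping from the original post).
VLAN_FORWARDER = {"vlan10": "1.1.1.1", "vlan20": "2.2.2.2", "vlan30": "3.3.3.3"}

# Internal names answered locally before anything is forwarded (constructed).
LOCAL_DATA = {"fileserver.school.lan": "192.168.2.20"}


class Forwarder:
    """One resolver instance; per_vlan_cache selects a shared or partitioned cache."""

    def __init__(self, per_vlan_cache):
        self.per_vlan_cache = per_vlan_cache
        self.cache = {}

    def _cache_key(self, vlan, name):
        # A shared cache keys on the name alone, as a single resolver does;
        # a partitioned cache also keys on the client's VLAN.
        return (vlan, name) if self.per_vlan_cache else name

    def resolve(self, vlan, name):
        """Return (answer, source); source is 'local-data', 'cache' or the upstream IP."""
        if name in LOCAL_DATA:
            return LOCAL_DATA[name], "local-data"
        key = self._cache_key(vlan, name)
        if key in self.cache:                  # hit: the client's own filter is never asked
            return self.cache[key], "cache"
        upstream = VLAN_FORWARDER[vlan]
        answer = UPSTREAM[upstream].get(name)  # None models a blocked answer
        self.cache[key] = answer               # negative answers are cached too
        return answer, upstream


def run(per_vlan_cache, first_vlan, second_vlan, name="teachersallowed.com"):
    """Two clients on different VLANs ask for the same name, in this order."""
    fwd = Forwarder(per_vlan_cache)
    return fwd.resolve(first_vlan, name), fwd.resolve(second_vlan, name)


def leaks_across_vlans(first_vlan, second_vlan, name="teachersallowed.com"):
    """True when the second VLAN gets a different answer through a shared cache
    than its own filter would have returned."""
    _, shared_second = run(False, first_vlan, second_vlan, name)
    _, own_second = run(True, first_vlan, second_vlan, name)
    return shared_second[0] != own_second[0]


if __name__ == "__main__":
    for per_vlan in (False, True):
        label = "per-VLAN cache" if per_vlan else "shared cache"
        teacher, student = run(per_vlan, "vlan20", "vlan10")
        print(f"{label}: teacher={teacher} student={student}")
    print("leak teacher->student:", leaks_across_vlans("vlan20", "vlan10"))
    print("leak student->teacher:", leaks_across_vlans("vlan10", "vlan20"))
```

The order of arrival decides who wins with a shared cache: a teacher's allowed answer is handed to the next student, and a student's blocked answer (cached as a negative) is handed to the next teacher. Real resolvers key their cache on name, type and class rather than on the client, which is why the fix is separate resolver instances with separate caches per VLAN, each forwarding internal names to the pfSense resolver.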

