Split DNS only for single VLAN



  • Hello,

    I have a LAN, DMZ and GUEST vlan. The DMZ hosts some nginx servers which are accessible from the Internet. There are some split DNS host overrides defined to allow LAN users to easily access these DMZ services.

    I have a rule where the GUEST vlan is not allowed to talk with the DMZ vlan using the RFC1918 address. However, I do want the GUEST vlan users to access the services which have been port forwarded and exposed to the Internet.

    I guess one solution could be to define split DNS only for LAN vlan. Is there any recommended way to solve this issue?

    Thanks


  • LAYER 8 Global Moderator

    If you have services open to the internet, in your "dmz" Why would you want to block guest - is that not safer even than the internet?

    I am not understanding the use case here?

    You have services open to the public = "internet" Why would you block same said services from your lan or guest?



  • @johnpoz I don't have everything in DMZ exposed to the internet. I could collect all the exposed services in DMZ, and then create a rule allowing traffic on these from Guest. However, it is more work since I will need to update this list each time a new service is added in the DMZ vlan.


  • LAYER 8 Global Moderator

    So these are not hosted under your proxy?

    If these are on different IPs in the dmz, or different ports, just don't open those from your guest?

    Could you give an example of something say you have open, and then something you don't want open from guest?

    A typical configuration of "guest" wouldn't even be allowed to use your dns.. So would point to something like googledns.. So they wouldn't even be able to resolve anything you're running locally.



  • @johnpoz said in Split DNS only for single VLAN:

    So would point to something like googledns.. So they wouldn't even be able to resolve anything you're running locally

    This is interesting, and may be what I should use. So, guest devices will need to come in via the WAN side to access DMZ. I think this is what I am looking for.

    I am using nginx proxy for most services. However, there are others like jabber which need their own ports.



  • @trumee said in Split DNS only for single VLAN:

    So would point to something like googledns.. So they wouldn't even be able to resolve anything you're running locally

    I tried this option. Unfortunately, the port 443 on which the nginx proxy listens is not reachable by the client.


  • LAYER 8 Global Moderator

    Huh.. Thought that's what you want..

    Please explain what you want..

    Here is the thing.. Proxy listening on 443, serving up sites A, B, C - how are you going to block those at pfsense?

    You could block resolving at the client via a view set on unbound. But they will all resolve to the same IP.. And go to the same port. So not possible with a firewall rule to say client in X vlan can go to site A, and B but not C..

    You would have to block in the proxy.
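
    The per-VLAN unbound view mentioned above, written out as an added example (not configuration from this thread or from pfSense itself). It assumes a LAN subnet of 192.168.10.0/24, a GUEST subnet of 192.168.30.0/24, an nginx host at 192.168.20.10 in the DMZ and the hostname www.example.com; all of these are placeholders. On pfSense this would go into the DNS Resolver's custom options.

```conf
server:
    # Both VLANs may query the resolver at all (assumed subnets)
    access-control: 192.168.10.0/24 allow
    access-control: 192.168.30.0/24 allow

    # Bind each VLAN subnet to a named view
    access-control-view: 192.168.10.0/24 lan
    access-control-view: 192.168.30.0/24 guest

view:
    name: "lan"
    # Split-DNS override lives only in the LAN view, so only LAN
    # clients receive the RFC1918 address of the DMZ proxy.
    # (local-data implicitly creates a transparent local-zone.)
    local-data: "www.example.com. A 192.168.20.10"
    # Fall back to server-level local zones if the view has no match
    view-first: yes

view:
    name: "guest"
    # No local-data here and no fallback to server-level overrides:
    # GUEST clients recurse normally and get the public WAN address.
    view-first: no
```

    The view only changes what each VLAN resolves; whether a GUEST client can then reach the WAN address on 443 from inside is a separate firewall/NAT question, which the later post in this thread reports as not working.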



  • @johnpoz Port 443 is forwarded to the internal NGINX proxy sitting in the DMZ vlan. From the GUEST vlan, I did a 'telnet wanip 443', and the port was not reachable.

