Pfsense DNS specific to VLAN

narsaw

On my network, my (Domain Controller, DC) does local DNS (stuff on my LAN), when a DNS request come in for an external resource (a site on the internet) my DC forwards the request to my pfsense router which is also acts as my DHCP server.

In my pfsense router DNS server(s) are listed as 127.0.0.1, 1.1.1.1. This works great but now I have setup a Vlan for my kids (Vlan10) and want them to use some content filtering DNS (blocking malware, etc). Cloudflare and OpenDNS provides this service.

In pfsense under Services->DHCP Server->Vlan10->DNS servers I have 1.1.1.3 (1.1.1.3 filters malware, etc)

Currently this is what happens with DNS on my network for external sites:

KidsPCVlan10->DC->Pfsense-> 1.1.1.1 (general dns)

What I want:

KidsPCVlan10->DC->Pfsense-> 1.1.1.3 (dns specific to vlan)

How can I force VLAN10 subset to DNS servers specific to that VLAN when the request is coming from my DC

dma_pf

@narsaw said in Pfsense DNS specific to VLAN:

KidsPCVlan10->DC->Pfsense-> 1.1.1.3 (dns specific to vlan)

Why do you need to route your kids to your domain controller? Are they actually needing to access domain resources?

Typically, you would only point domain clients to the domain controller in order for the domain controller to provide DNS for the domain resources. You would do this by assigning a static IP in pfsense's DHCP server for that machine.

So for example in my network, my workstation resides in my LAN and it is a member of the domain. In the pfsense LAN DHCP I assign the workstation a static IP address of 192.168.163.8 and set the DNS server as my Domain Controller at 192.168.163.10. The domain controller gets all the DNS requests from the workstation and will provide responses for other domain resources. If the DNS request is for something outside of the domain then the domain controller has a forwarding rule set up in its DNS that sends the request back to pfsense to resolve.

Anything that is not a member of the domain has it's DNS pointed directly to pfsense in its DHCP server settings. There is no reason to point them to the domain controller.

What I want:
KidsPCVlan10->DC->Pfsense-> 1.1.1.3 (dns specific to vlan)

This implies that you are sending DNS to your domain controller. If that is the case, then the domain controller is sending it to pfsense which is then routing it out. Pfsense will the send it out to the 13 root servers if using Resolver in unbound mode or to the DNS servers you designate if using resolver in forwarding mode. If this is the case you're not going to be able to specify that the kid's network go out pfsense to a particular DNS Server. The only way you'll be able to do that is like this:

KidsPCVlan10->Pfsense-> 1.1.1.3 (dns specific to vlan)

Which you would accomplish by setting 1.1.1.3 as the only DNS server on the kid's vlan DHCP server.

narsaw

@dma_pf Thx for the info.

Q. Why do you need to route your kids to your domain controller? Are they actually needing to access domain resources?
A. Yes, The kidsPC point to my DC for authentication purposes, when they want to log into Windows they are authentication against the DC. They are logging into DC01\username. Their PC belong to the DC01 domain all account info is stored there.

Knowing this, is my request possible?

johnpoz

@narsaw you could for sure do conditional forwarders in AD dns.. What I am not clear about and an issue run into with cache and asking local ns that would then forward is the local cache would be served first on another query.

Lets say you queried some bad site and your not filtered, so the local AD then caches this.

Now some client queries for that same thing, and while if it was forwarded it would be filtered, since it in the cache already they get the answer.

Reverse could also be true, kids try to go to something filtered, some block IP is cached. Now you ask and want to get there and you get back from cache blocked IP.

Unless your sure the dns your using local stores different caches for different views.. I think bind can do this.. I am not sure about unbound or MS.

You really need to use different local servers if you want some clients to use a filtered dns that you get from from some forwarded to source.

So for example you could setup your clients to ask your AD directly, which gets forwarded to what you want and doesn't filter what your wanting to filter.

Then setup another dns you point your clients you want to get filtered, this dns forwards to your AD for your local resources so those get answered. But for anything not local it forwards to your filtering dns service. This way you get what you want, and there is no way for a cache to result in someone getting an answer they shouldn't

dma_pf

@narsaw You're not going to be able to do what you want to do if they're being routed through the DC. In that case pfsense sees all the DNS requests as coming for the DC and responds to the DC with the DNS result. The DC then passes the result back to the originating device. So pfsense can't do it.

There might be someway of doing it on the domain controller, but I haven't looked into it before.

SteveITS

@narsaw The conditional forwarding in Windows DNS is set up per domain name so I also don't think what you want to do will work.

If you change DNS on the kids' PCs, they will cache credentials so functionally they should be able to log in but the login will typically be slower than normal, can't talk to the domain for group policy, etc.

An alternative idea might be to set up pfBlocker or similar and block access to the "bad" sites from the kids' IPs.

@narsaw said in Pfsense DNS specific to VLAN:

KidsPCVlan10->DC->Pfsense-> 1.1.1.3 (dns específico para vlan)

SOLUTION 1: YOU CAN USE Pi Hole

SOLUTION 2: YOU CAN CONFIGURE YOUR DNS SERVER TO DO DNS FORWARDING (TO YOUR EXTERNAL DNS SERVER)

SOLUTION 3: AS @SteveITS MENTIONED You can simply use a blacklist on vlan 10 pfsense to block access to dangerous sites.

Whatever your choice, they are all simple and easy.
I'll be here if you need help.

narsaw

@silence for solution 2 I am bit confused on how this would work. The DC does DNS for all PC's in my network (including kidsPC) so if the DC forwards to a kidSafeDNS the all PC that rely on the DC for DNS will be pointed the kidSafeDNS. My understanding is that conditional forwarding does not work for this case.

Here is what I am chasing.

KidsPCVlan10->DC->Pfsense-> 1.1.1.3 (kids safe stuff)
DadPCVlan20->DC->pfsense-> 8.8.8.8 (unrestricted)

OR (is this conditional forwarding?? (does not work I've been told))

KidsPCVlan10->DC-> 1.1.1.3 (kids safe stuff)
DadPCVlan20->DC-> 8.8.8.8 (unrestricted)

I guess this must not be a very common thing that Parents / organizations do? Or perhaps they have multiple DCs

The Pi Hole and pfblockerNG are interesting ideas that are probably worth exploring but would rather using a simple DNS.

SteveITS

Try configuring pfSense to forward your network domain to the DC, and point the kids’ devices to pfSense for DNS.

narsaw

@steveits Thx but that wont work. All PC's in the home is part of my DC's domain so they must all point to it for DNS or else the active directory will not work properly. In my DC, I have this line in my Samba DC config.

dns forwarder = 192.168.77.254

That IP is my pfsense router, which makes pfsense thinks all DNS request is coming from that IP/subnet. which in turn resolves via root certs.

In the end it seems like I have over reached in my home network trying to run it like an IT dept :)

@narsaw said in Pfsense DNS specific to VLAN:

my home network trying to run it like an IT dept :)

no, not at all so far I'm just looking at simple configurations! all he wants to do is simple quick and easy I just see that maybe he's drowning you in a glass of water.

FIRST: IN DHCP OF VLAN 10 AND 20 CONFIGURE DNS OF WINDOWS SERVER AND IN DNS OF WINDOWS SERVER FORWARD TO PFSENSE DNS (IN PFSENSE FORWARD VLAN 10 TO SECURE DNS AND VLAN 20 TO PUBLIC DNS 8.8.8.8 AND READY NO IT IS SO DIFFICULT.

If you don't know how to do it, I can guide you step by step.

dma_pf

@silence said in Pfsense DNS specific to VLAN:

PFSENSE FORWARD VLAN 10 TO SECURE DNS AND VLAN 20 TO PUBLIC DNS 8.8.8.8

How would you do that? Maybe I'm missing something.

My understanding is that all of the DNS requests being forwarded from the domain controller would be coming into pfsense from the IP address of the domain controller. There is no way for pfsense to parse it into different vlans.

Here's a filtered log for a domain computer that uses a domain controller for local DNS queries that then forwards to pfsense. As you can see there are no DNS queries in the logs to port 53 from the computer's ip 192.168.163.8.

And if you run the same query for the domain controller you get the following:

The only thing pfsense is going to see is a DNS request coming from the domain controller. Pfsense will resolve the name and return the result back to the domain controller which then sends the result to the client.

SteveITS

@narsaw said in Pfsense DNS specific to VLAN:

Thx but that wont work. All PC's in the home is part of my DC's domain so they must all point to it for DNS or else the active directory will not work properly

That's where I'm trying to get you to. :) I've done it. Especially useful if IPv6 is defaulting to the router DNS. In the DNS Resolver settings add a Domain Override for your example.lan domain name pointing to the DC IP. Any queries for example.lan coming to pfSense will be forwarded to the DC. The kids can use pfSense for DNS, which otherwise is set to forward to 1.1.1.3 or whatever.

The rest of the PCs query the DC directly. I think that will accomplish what you want.

@dma_pf said in Pfsense DNS specific to VLAN:

How would you do that? Maybe I'm missing something.

PC CLIENTE VLAN 10 ---> PFSENSE DNS VLAN 10 ---> DNS SERVER ----> DNS SECURE 1.1.1.3
PC CLIENTE VLAN 20 ---> PFSENSNE DNS VLAN 20 ---> DNS PUBLIC 8.8.8.8

narsaw

@silence You may have missed the earlier discussion as all PCs have are pointing the DC for DNS and not pfsense directly. The DC forwards request to pfsense that it does not know about (i.e non local DNS request)

@narsaw said in Pfsense DNS specific to VLAN:

You may have missed the earlier discussion as all PCs have are pointing the DC for DNS and not pfsense directly. The DC forwards request to pfsense that it does not know about (i.e non local DNS request)

I don't know if you still have a problem, but both the answer @SteveITS gave you and mine can work, it's up to you which one you want to use! but your case is very easy.

I even have the same situation as you at my work.

all pc use their DC (FOR LOCAL DNS) BUT FOR SOMETHING EXTRA THEY GO TO PFSENSE DNS AND HE KNOWS WHAT TO DO I HAVE VLAN RESTINCTIONS WITHOUT ANY TYPE OF PROBLEM. AND IT HAS ALWAYS WORKED VERY WELL.