DNS based on requesting IP
-
I have
- pfSense plus 21.05.2
- DNS resolver in forwarding mode
- that forwards all queries to openDNS
DNS queries to anything other than pfSense are blocked.
Now, I would like one client to have access to a different DNS (say google).
Is it possible to configure pfSense such that 1 client IP goes to 1 DNS, while everyone else goes to another?
(I would of course prefer a simpler solution, but if needed I can write custom scripts. Just need some pointers on where to start).
-
You can try this method, I didn't test it so I'm not sure if it's going to work..
Assuming that you want host 192.168.0.2 to use Google and leave the 192.168.0.0 network using the opendns.
Unbound view mode is not compatible with pfblockerng python mode.
server:
    access-control-view: 192.168.0.2/32 google     # this one host gets the "google" view
    access-control-view: 192.168.0.0/24 opendns    # everyone else on the LAN gets "opendns"
view:
    name: "google"
    view-first: yes
    forward-addr: 8.8.8.8
view:
    name: "opendns"
    view-first: yes
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220    # OpenDNS secondary resolver
The other way would be to add the client IP to a static DHCP address, then create a firewall rule allowing that IP to reach the google DNS server.
-
@mcury said in DNS based on requesting IP:
The other way would be to add the client IP to a static DHCP address, then create a firewall rule allowing that IP to reach the google DNS server.
You know that is such an easy thing to do, that I'll just stick with that for now. Thank you!
-
@drphil problem you could run into - I do not believe unbound creates multiple caches. So if you google something via google and it gets locally cached, you now have a problem: an opendns user comes in and pulls from the cache something that might have been blocked.
If you want stuff using google and others using opendns - just point them to those directly.. Or run multiple DNS servers on your local network: 1 for those that will use google, and another for those that will use opendns. That way you cannot run into cache contamination.
You could look at using bind; I believe it can do caches based on the views. Unbound might do it, but I don't recall seeing such.
-
Thank you @johnpoz
That is an important clarification and even more of a reason why I want to go with a simpler solution of letting some clients set their own DNS.
(unless I completely misunderstood you?).
-
@drphil no, you for sure need to make sure if you're going to do it with unbound or bind or pihole, etc.
Trying to forward clients of your DNS to different DNS services that might filter or not filter could lead to cache contamination.
So you happen to visit adultstuff.com and it's not filtered because you're using google.com; this then gets cached at say 1.2.3.4.. Now someone else comes in and adultstuff.com should be blocked by opendns. But since unbound has it cached already, it just returns it and that client can go to adultstuff.com when they shouldn't be able to, etc..
It is something to be aware of when trying to forward different clients to different DNS..
To be able to do that with DNS software, you would have to be sure that the views that you set up for client A using google do not mix with the cache that is used for client B that should be using opendns.. Or you could run into such a problem where something is filtered when it shouldn't be, or not filtered when it should be, because it's already in the cache.
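An added toy model of the cache-contamination problem described above (example code, not from anyone in this thread): two clients are steered to different upstreams, one filtering and one not, and the only difference between the two runs is whether the resolver's cache is shared or keyed by view. The hostname, the 203.0.113.10 answer and the "filtered" marker are constructed sample data.

```python
# Added example (not from the thread): toy model of the cache-contamination
# problem johnpoz describes, with a shared cache versus a per-view cache.
import ipaddress

# Constructed upstream answers. "filtered" stands in for an OpenDNS-style
# block response; the hostname and address are made up.
UPSTREAMS = {
    "google": {"adultstuff.example.": "203.0.113.10"},
    "opendns": {"adultstuff.example.": "filtered"},
}
# Client-to-upstream policy, like unbound's access-control-view lines.
VIEWS = [
    (ipaddress.ip_network("192.168.0.2/32"), "google"),
    (ipaddress.ip_network("192.168.0.0/24"), "opendns"),
]

class Resolver:
    def __init__(self, per_view_cache):
        self.per_view_cache = per_view_cache
        self.cache = {}

    def view_for(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        hits = [(net.prefixlen, view) for net, view in VIEWS if ip in net]
        return max(hits)[1]  # longest prefix wins, so the /32 beats the /24

    def resolve(self, client_ip, qname):
        """Return (answer, from_cache). A shared cache is keyed by qname only,
        so whichever client asked first decides what everyone else gets."""
        view = self.view_for(client_ip)
        key = (view, qname) if self.per_view_cache else qname
        if key in self.cache:
            return self.cache[key], True
        answer = UPSTREAMS[view][qname]
        self.cache[key] = answer
        return answer, False

def contamination_demo(per_view_cache):
    """192.168.0.2 (google view) asks first; 192.168.0.50 (opendns view) asks
    second. Returns what the second, supposedly filtered, client receives."""
    r = Resolver(per_view_cache)
    r.resolve("192.168.0.2", "adultstuff.example.")
    return r.resolve("192.168.0.50", "adultstuff.example.")

if __name__ == "__main__":
    print("shared cache  :", contamination_demo(False))  # ('203.0.113.10', True)
    print("per-view cache:", contamination_demo(True))   # ('filtered', False)
```

With the shared cache the opendns client is served the unfiltered answer straight from cache; keying the cache by view is what a resolver would need to do for per-client forwarding to be safe.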
-
@drphil Something I experimented with was NAT redirection of DNS queries. I already NAT redirect (Port Forward) any queries to external DNS servers to pfSense as described here (https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html). For grins I wondered if I could create a second NAT redirect. It appeared to work. What I did was create a second NAT redirect that leveraged an Alias and, instead of redirecting the request to pfSense, I redirected it to 1.1.1.1. I had to make sure the corresponding firewall rule went before my original redirect. I also had to change the rule from !LAN Address to LAN Address since the clients are all configured to point to pfSense.
With logging enabled I could clearly see the clients defined by the alias hitting 1.1.1.1 instead of pfSense. The downside to this is that if you rely on pfSense for local client name resolution then this NAT redirect would break it.
I was curious if I could use this as a way to ensure clients using a VPN tunnel used a different DNS server and that worked. Losing local name resolution was a deal killer for me though.
I'm sure if there are holes in this idea someone will point them out. ;)
-
@moelassus wouldn't it just be easier to point them to the DNS you want vs the redirection?
Yeah, loss of local name resolution could be a problem.. But clearly nobody needs this - because the big guys just want you to send all your DNS to them via DoH ;)
-
@johnpoz It was an academic exercise to see if it would work. It did but suffered the local resolution limitation. I thought I would share it in case someone else might benefit from it.
-
@moelassus Yeah, it's an option ;)
-
Have a go at this in DNS RESOLVER CUSTOM OPTION:
forward-zone:
    name: "."                       # catch-all zone for everything not matched below
    forward-addr: 1.1.1.1@853       # Cloudflare
forward-zone:
    name: "netflix.com"             # the more specific zone wins for this domain
    forward-addr: 9.9.9.9           # Quad9
With this configuration, all my traffic goes to Cloudflare except Netflix; my Netflix queries go to the Quad9 DNS. You can check in the DNS resolver status. Maybe something like this will help you.
I assume name would be the name of the host or the IP address of the device.