DNS forwarding per VLAN
-
Curious if it's possible, but I'm not entirely sure: is there a way to have pfSense be the default DNS server for a LAN but have unknown queries get forwarded to a custom forwarder?
In my scenario, I have a classroom where certain sites/categories should be blocked. I don't want to do pfBlocker because the settings apply to the entire firewall, all interfaces. I also am not going to use python-mode as I am not going to whitelist a /23 range. One option I have is to use Cisco Umbrella but I would need to set the pfSense forwarder pointing to the Umbrella service which I don't want to do. So for this specific VLAN can I have pfSense operate as the DNS server and any unknown queries I can forward to a forwarder of my choosing?
-
Define 'unknown queries' here. Do you mean anything that isn't a local host or domain override?
That's what pfSense does with Unbound in forwarding mode or DNSMasq.
Steve
-
@stephenw10 pretty much.
So for local queries to my servers - smtp or my SAN for example, that should resolve internally which is why I want to keep pfSense as the DNS resolver for the LAN. For sites that need to be forwarded for content filtering for example, send those queries to Umbrella or OpenDNS.
-
Ok, so that's what the forwarder does by default, you just need to add host overrides or a domain override to some other server for your domain.
If you don't want to use Unbound in forwarding mode you can use DNSMasq running on a different port with a port forward on the interfaces you want clients to hit it from. Then you can run both services and one will be filtered.
Steve
-
@stephenw10 said in DNS forwarding per VLAN:
to add host overrides
That's a very good idea here. Thanks Stephen. Appreciate the quick resolution.
-
@michmoor I have not had time to test lately - but if unbound uses a shared cache you cannot do this. Now it might be possible with views to do something like this - but last I checked you could not specifically do view forwarders, and I don't think it creates a different cache per view.
Now pretty sure bind can do this, as it creates different caches if not mistaken per view.
If you want to do something like this your local dns has to create separate caches, or you run into a problem with unfiltered looking up host.xyz.com and it getting locally cached, and then filtered client asking for host.xyz.com and getting returned the cached value vs it looking up via some filtering forwarded dns that would return blocked.
And the reverse happening where blocked gets cached, and then someone that is supposed to be unfiltered getting back the blocked cache.
The most reliable way to do this would be to use 2 different dns, that both have same local data. Where ns1 you run is unfiltered and ns2 you run is filtered. And you point your clients to the specific ns depending if you want them filtered or not filtered.
Now you might be able to do something new in unbound, there have been some changes of late and they did add rpz policies, etc. I just do not have any need or desire to do this currently. And of the mindset if worth filtering - worth filtering for all. So haven't played with if this is now possible in an easy to do way.
edit: Looks like Steve mentioned using unbound and dnsmasq on pfSense - yeah that could work for sure.
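The cache-bleed problem described in the post above, modelled as an added example (not pfSense, Unbound or dnsmasq code): a toy resolver that serves an "unfiltered" and a "filtered" view, where the filtered view forwards to a filtering upstream that answers 0.0.0.0 for blocked names. The upstream answers, the block list, the host override `smtp.lan` and the names `host.xyz.com` / `mail.example.net` are all constructed for the demonstration.

```python
"""Toy model: one resolver, two views, shared vs separate caches."""
from typing import Callable, Dict

BLOCKED = "0.0.0.0"  # answer a filtering upstream returns for a blocked name

# Constructed data: what the upstreams would answer, and the filter's block list.
REAL = {"host.xyz.com": "203.0.113.10", "mail.example.net": "198.51.100.25"}
BLOCKLIST = {"host.xyz.com"}
# Local data (host overrides) that both views must answer identically.
LOCAL = {"smtp.lan": "10.0.0.5"}


def unfiltered_upstream(name: str) -> str:
    return REAL[name]


def filtering_upstream(name: str) -> str:
    return BLOCKED if name in BLOCKLIST else REAL[name]


class Resolver:
    """caches maps view -> cache dict; pass the same dict for both to share it."""

    def __init__(self, caches: Dict[str, dict]):
        self.caches = caches
        self.upstream: Dict[str, Callable[[str], str]] = {
            "unfiltered": unfiltered_upstream,
            "filtered": filtering_upstream,
        }

    def query(self, view: str, name: str) -> str:
        if name in LOCAL:            # local data never goes upstream
            return LOCAL[name]
        cache = self.caches[view]
        if name not in cache:        # cache miss: ask this view's forwarder
            cache[name] = self.upstream[view](name)
        return cache[name]           # cache hit: whoever filled it wins


def shared_cache_bypass() -> str:
    """Unfiltered client looks up first; filtered client gets the real IP."""
    shared: dict = {}
    r = Resolver({"unfiltered": shared, "filtered": shared})
    r.query("unfiltered", "host.xyz.com")
    return r.query("filtered", "host.xyz.com")


def shared_cache_overblock() -> str:
    """Filtered client looks up first; unfiltered client gets the block answer."""
    shared: dict = {}
    r = Resolver({"unfiltered": shared, "filtered": shared})
    r.query("filtered", "host.xyz.com")
    return r.query("unfiltered", "host.xyz.com")


def separate_caches() -> tuple:
    """Per-view caches: each view sees only its own forwarder's answer."""
    r = Resolver({"unfiltered": {}, "filtered": {}})
    r.query("unfiltered", "host.xyz.com")
    return (r.query("filtered", "host.xyz.com"),
            r.query("unfiltered", "host.xyz.com"),
            r.query("filtered", "smtp.lan"))
```

Running the three functions shows the two failure directions (filter bypass, then over-blocking) and that separate caches, like the two-resolver setup suggested in the post, keep both views correct while still sharing local data.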