DNS forwarder custom options "Invalid custom options"
I use the DNS resolver for my captive portal only. The captive portal is on its own subnet, thus its own interface; let's call the interface VLANGUEST2. We use an external third-party DNS filtering company to handle filtering for the captive portal guests that connect to it (for this example I will say that this external third-party DNS IP is 4.3.2.1). Our internal Windows DNS server, for example, is 10.1.2.3, over which we have full control.
I have set up the custom options so that it has these two lines:

no-resolv
server=4.3.2.1
In the DNS resolver host overrides and domain overrides settings I have our Windows DNS server and essential hosts (since I'm using no-resolv).
This works just fine.
Fast forward to today: I am going to add a second captive portal on a new subnet/interface (let's call it VLANGUEST3) for different guests. These guests will be using a DIFFERENT forwarding DNS address, let's call it 4.3.2.2. This is due to different filtering requirements; they cannot use the same DNS forwarding filter that the "other" guests use. This is an operational requirement.
Looking at the manual for dnsmasq, I think I should be able to do the following:
select both interfaces VLANGUEST2 and VLANGUEST3, then in custom options have:

no-resolv
server=4.3.2.1@VLANGUEST2
server=4.3.2.2@VLANGUEST3
However, this results in an "invalid custom options" error when I attempt to save in pfSense. I am assuming pfSense doesn't like the @, although it should be valid for a custom option:
https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<interface>][@<source-ip>[#<port>]]
The optional string after the @ character tells dnsmasq how to set the source of the queries to this nameserver. It can either be an ip-address, an interface name or both.
I know Linux BIND has "views" that could do this, but Windows DNS cannot (else I would simply forward all requests to our Windows DNS and let that handle forwarding based on source IP).
My alternative would be to spin up a simple Linux VM with a BIND ACL for each of my subnets and views to forward each ACL to the specific DNS forwarding IP.
Then I set my pfSense forwarder custom option to be server=<Linux VM with BIND ACLs and views>, but that adds complexity, of course.
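To check custom-option lines against that --server grammar before saving them in the GUI, here is a small parser added as an illustration; it is not code from this thread, from pfSense or from dnsmasq. It validates syntax only, the helper names are made up, and the field names follow the man page quote above, which describes the @ part as the source of dnsmasq's upstream queries; the addresses and interface names in the test are the post's placeholders or constructed ones.

```python
import ipaddress
import re

# Hypothetical helper for this thread, not pfSense or dnsmasq code. Grammar, from the man
# page quote above (which says the @ fields set the *source* of dnsmasq's upstream queries):
#   server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<interface>][@<source-ip>[#<port>]]

def _split_port(field):
    """Split 'host#port' into (host, port); port is None when absent."""
    if "#" not in field:
        return field, None
    host, port = field.rsplit("#", 1)
    if not port.isdigit() or int(port) > 65535:
        raise ValueError("bad port in %r" % field)
    return host, int(port)

def parse_server_option(line):
    """Parse one dnsmasq server= line; raise ValueError if it does not fit the grammar."""
    if not line.startswith("server="):
        raise ValueError("not a server= option: %r" % line)
    rest = line[len("server="):]
    domains = []
    if rest.startswith("/"):                     # optional /domain/.../ prefix
        cut = rest.rfind("/")
        if cut == 0:
            raise ValueError("unterminated domain list in %r" % line)
        domains = rest[1:cut].split("/")         # "//" gives [""] = unqualified names
        rest = rest[cut + 1:]
    parts = rest.split("@")
    if len(parts) > 3:
        raise ValueError("too many @ fields in %r" % line)
    ipaddr = port = None
    if parts[0]:
        ipaddr, port = _split_port(parts[0])
        ipaddress.ip_address(ipaddr)             # upstream must be a literal IP
    interface = source_ip = source_port = None
    for extra in parts[1:]:
        host, p = _split_port(extra)
        try:
            ipaddress.ip_address(host)
        except ValueError:                       # not an IP, so it must be an interface name
            if p is not None or interface is not None or not re.fullmatch(r"[\w.:-]+", host):
                raise ValueError("bad interface field %r in %r" % (extra, line))
            interface = host
        else:
            if source_ip is not None:
                raise ValueError("two source addresses in %r" % line)
            source_ip, source_port = host, p
    return {"domains": domains, "ipaddr": ipaddr, "port": port,
            "interface": interface, "source_ip": source_ip, "source_port": source_port}
```

Lines that parse here but are still rejected by the GUI point at the pfSense validation rather than at the dnsmasq syntax.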
It seems that pfSense has a BIND package. I might see how I can get BIND running with views and use BIND as a forward-only DNS server with a pair of views.