Netgate Discussion Forum

    Change DNS server for a set of IPs in ALIAS (DNS Forwarder)

    Category: DHCP and DNS
    Tags: dnsforwarder, openvpn client

    adamitj

      Hello.

      I'm using pfSense as a DNS Forwarder successfully.

      pfSense IP: 192.168.70.3
      Network DNS server: 192.168.70.4
      PIA DNS server for OpenVPN: 10.0.0.243

      My pfSense server is the DNS in the DHCP server configuration, which forwards all DNS requests to my network DNS server.

      Now I have also successfully implemented an OpenVPN client (PIA) and assigned a set of IP hosts (200+) under the alias PIA_ENABLED_HOSTS. But for these hosts in the alias, I would like to assign a different DNS, the one provided by PIA (10.0.0.243).

      I have statically made this change by assigning a manual IP for DNS in the DHCP leases, but since there are many hosts, is there a way to make pfSense forward DNS requests to 10.0.0.243 instead of the configured 192.168.70.4 only for the IPs in the PIA_ENABLED_HOSTS alias?

      I've tried a manual NAT port forward but it doesn't work...

      viragomann @adamitj

        @adamitj said in Change DNS server for a set of IPs in ALIAS (DNS Forwarder):

        I've tried a manual NAT port forward but it doesn't work...

        Cannot think of any reason why this should not work, as long as the hosts send unencrypted DNS requests on port 53.

        If you have created a policy routing rule to direct the concerned upstream traffic to PIA, consider putting a separate rule without a gateway stated, to allow DNS requests, above it.

        adamitj @viragomann

          @viragomann
          Guess what? You're totally right.
          After reading your answer I realized that Google Chrome on my workstations was doing DNS over TLS requests.
          Just duplicated the rule to cover TLS and everything is working now.

          Thank you for the help!


          viragomann @adamitj

            @adamitj
            DoT requests which are redirected to another server won't work anyway, because the SSL verification will fail.

            Therefore I simply block all DoT and DoH in my network. Hence the clients have to do unencrypted DNS requests, which I can redirect as needed.
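The setup the thread arrives at (redirect port 53 from alias members to the PIA resolver, a pass rule without a gateway above the policy-routing rule, and blocking DoT/DoH so clients fall back to plain DNS), written out as an added example in FreeBSD pf.conf syntax rather than through the pfSense GUI; it is not configuration from the thread. The interface names, the tunnel gateway, the sample alias members and the empty DoH table are assumptions; only 192.168.70.x and 10.0.0.243 come from the posts.

```pf
# Added example, not from the thread. Interface names and gateway are assumed.
lan_if = "igb1"
pia_if = "ovpnc1"        # assumed OpenVPN client interface on pfSense
pia_gw = "10.0.0.1"      # assumed PIA tunnel gateway

# The PIA_ENABLED_HOSTS alias becomes a pf table (sample members, constructed).
table <PIA_ENABLED_HOSTS> { 192.168.70.50 192.168.70.51 192.168.70.52 }
# Placeholder table for DoH endpoints; fill it from your own resolver list.
table <DOH_RESOLVERS> persist

# 1. Redirect plain DNS (udp/tcp 53) from alias members to the PIA resolver.
#    Other LAN hosts keep using the forwarder on pfSense (192.168.70.3).
rdr on $lan_if inet proto { tcp udp } from <PIA_ENABLED_HOSTS> to any port 53 -> 10.0.0.243 port 53

# 2. Pass the redirected DNS with no route-to, placed above the policy-routing
#    rule, so it is not forced through the tunnel before reaching the resolver.
pass in quick on $lan_if inet proto { tcp udp } from <PIA_ENABLED_HOSTS> to 10.0.0.243 port 53

# 3. Block DoT (tcp 853) and known DoH endpoints. A redirected DoT session
#    would fail certificate verification anyway; blocking makes clients fall
#    back to port 53, which the rdr above handles.
block return in quick on $lan_if inet proto tcp from <PIA_ENABLED_HOSTS> to any port 853
block return in quick on $lan_if inet proto tcp from <PIA_ENABLED_HOSTS> to <DOH_RESOLVERS> port 443

# 4. Policy-route everything else from alias members into the PIA tunnel.
pass in quick on $lan_if route-to ($pia_if $pia_gw) inet from <PIA_ENABLED_HOSTS> to any
```

In the pfSense GUI the same pieces are the NAT port forward, the LAN rule without a gateway, the block rules, and the LAN rule with the PIA gateway, in that order.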

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.