Whitelisting Only Specific External DNS Resolutions (e.g., only allowed = api.yubico.com)
-
Apologies if it’s already been asked, but I searched for terms like “Whitelisting DNS queries” to no avail. I’m trying to set up the bind9 configuration to allow certain hosts (e.g., 192.168.10.100, 192.168.10.101) to be able to query the pfSense for specific external domains, and only those domains. For example, the internal hosts 192.168.10.100 and 192.168.10.101 should only be allowed to look up api.yubico.com, api2.yubico.com, and api3.yubico.com. Of the various ACL options (e.g., Deny, Refuse, Allow, Allow Snoop, Deny Nonlocal, Refuse Nonlocal), I’m trying to Allow 192.168.10.100 and 192.168.10.101, but only for the external names api.yubico.com, api2.yubico.com, and api3.yubico.com, so I can use Yubico’s OTP module on internal NIX hosts.
ChatGPT wasn’t much help, as it seems to focus only on setting Deny, Refuse, Allow, Allow Snoop, Deny Nonlocal, Refuse Nonlocal. Any help is appreciated.
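Added example (not part of the original post, and not something the poster or pfSense ships): the six ACL actions listed above (Deny, Refuse, Allow, Allow Snoop, Deny Nonlocal, Refuse Nonlocal) are the access-list actions of the pfSense DNS Resolver, which is Unbound, so this example assumes Unbound rather than BIND. Unbound's per-client access lists only decide whether a client may query at all; restricting *which names* a client may resolve is done with a view: the view refuses the root zone and then re-opens only the wanted names as "transparent" zones, which are resolved normally. The view name `yubico-only` is an arbitrary label chosen here; the client addresses and the three hostnames are taken from the post. On pfSense this fragment would go in the DNS Resolver "Custom options" box (the GUI already emits the `access-control:` lines for any access list you define, so keep whichever of those you already have).

```conf
# Example Unbound configuration fragment (added here as an illustration).
# Assumption: the DNS Resolver on pfSense is Unbound; "yubico-only" is an
# arbitrary view name chosen for this example.
server:
    # The client must first be allowed to query at all (the pfSense
    # "Allow" access-list action generates the equivalent of these).
    access-control: 192.168.10.100/32 allow
    access-control: 192.168.10.101/32 allow

    # Route queries from these two hosts through the restricted view.
    # view-first defaults to "no", so the view's local-zone rules are
    # authoritative for these clients and global overrides do not apply.
    access-control-view: 192.168.10.100/32 yubico-only
    access-control-view: 192.168.10.101/32 yubico-only

view:
    name: "yubico-only"
    # Refuse everything by default: any name not re-opened below gets
    # a REFUSED response instead of being resolved.
    local-zone: "." refuse

    # Re-open only the names the Yubico OTP client needs. "transparent"
    # with no local-data means: resolve these names normally (upstream
    # or recursively), including following any CNAMEs internally.
    local-zone: "api.yubico.com." transparent
    local-zone: "api2.yubico.com." transparent
    local-zone: "api3.yubico.com." transparent
```

To check it from one of the two hosts, a lookup of api.yubico.com against the pfSense resolver should return an answer, while a lookup of any other name (for example example.com) should come back with status REFUSED rather than a timeout; from a host outside the view, both should resolve as before. Two caveats worth keeping in mind: `local-zone: "." refuse` also hides pfSense host overrides and local hostnames from these two clients, so add `transparent` entries for any internal names they still need; and this is a name-resolution restriction only, so unless egress firewall rules also limit those hosts, they can still reach any IP address directly (or use a different resolver), which matters if the goal is to confine them to the Yubico validation service.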