Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS as Conditional Resolver

    DHCP and DNS
    2
    4
    230
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wojciech__
      last edited by

      Hello all, please I would like to ask for advice and help with configuration of following scenario:
      I need to use pfblockerNG so for all of my subnets I need to set up as DNS firewall IP address.
      Got LAN subnet and DMZ subnet
      All internal LAN and DMZ subnets should use firewall as DNS server, then firewall should resolve the DNS queries using other two servers as DNS servers inside the infrastructure.
      Question is:
      How to tell firewall to just simply resolve DMZ queries allowing clients connection to internet webpages but for LAN additional clients resolving internal DNS queries. Some kind of conditional forwarder if its DMZ or LAN subnet. If LAN then forward queries to dedicated DNS servers but if DMZ then just simply resolve them and drop if they are trying to connect with internal IT domain DNS addresses.

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @wojciech__
        last edited by Gertjan

        @wojciech__

        DMZ : plain resolving using pfBLockerng
        LAN : Forwarding to another local forwarder or resolver, using pfBLockerng

        Not sure ....
        If it is possible sing the GUI only, you should set up the GUI part of unbound as 'generic' as possible, and then build your own unbound config with this :

        7a772668-93af-4b0d-bf43-57c9234d514c-image.png

        You'll be needing the manual : unbound.conf

        Normally, if this wasn't pfSense, I would prefer (I guess) firing up an instance per interface the good old classic way, using a config setup for each instance.
        One that listens on DMZ port 53 UDP and TCP, and you'll finsih it up with resolving
        LAN config : same thing, but on interface LAN.

        But again, not sure if this is possible - maybe with what is called 'views' ?

        @wojciech__ said in DNS as Conditional Resolver:

        but if DMZ then just simply resolve them and drop if they are trying to connect with internal IT domain DNS addresses

        host names are like phone numbrs and mail addresses : whatever you think of them, consider them 'public' knowledge.
        It's the firewall that allows access to a resource.
        So, if some one on your DMZ, or even me here, know the hostname of a device of your LAN, I still wouldn't be able to resolve and visit it. You have a firewall ^^

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        W 1 Reply Last reply Reply Quote 0
        • W
          wojciech__ @Gertjan
          last edited by

          @Gertjan Hey, thank You for this reply
          I've read that there are some options to set it up, but nothing that I would understand correctly, sadly.
          Im asking for this because I would like to avoid big workaround but there might be none of it.
          I had a hope there is some option to use build-in ACLs in DNS Resolver to do so or set up conditions of forwarding the queries using DNS Forwarder.
          I dont want to give from DMZ any access to internal DNS server and I need to set up on every client firewall as DNS to use DNS-blacklisting...
          Option just to simply set for DMZ IP address like 8.8.8.8 is not that good for me because of also security policy reasons.

          I havent found any guides or examples where someone used it config anywhere.
          Maybe pfblocker blacklisting would work if I will set up way like it?
          client-(DNS Query)->internal DNS server -> firewall as DNS server -> World DNS
          Do you think that pfblocker DNS-Blacklisting would work if its about resolving the queries from clients, send trough internal DNS to firewall?

          GertjanG 1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @wojciech__
            last edited by Gertjan

            @wojciech__

            Wait .... what about this :
            Use unbound as the resolver with pfBlockerng, and have it listing (bind to) on DMZ only.
            Now you can also activate the DNS Forwarder (dnsmasq) using also port 53, and use this one on the LAN interface only, and set up the DNS servers where it has to forward to. Your LAN won't benefit from pfBlockerng.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.