DNS as Conditional Resolver
Hello all, I would like to ask for advice and help with the configuration of the following scenario:
I need to use pfBlockerNG, so for all of my subnets I need to set the firewall IP address as the DNS server.
I have a LAN subnet and a DMZ subnet.
All internal LAN and DMZ subnets should use the firewall as their DNS server; the firewall should then resolve the DNS queries using two other servers inside the infrastructure as DNS servers.
The question is:
How do I tell the firewall to simply resolve DMZ queries, allowing clients to connect to internet web pages, but for LAN clients additionally resolve internal DNS queries? Some kind of conditional forwarder depending on whether it is the DMZ or the LAN subnet: if LAN, then forward queries to dedicated DNS servers, but if DMZ, then simply resolve them and drop them if they are trying to look up internal IT domain DNS addresses.
DMZ : plain resolving using pfBlockerNG
LAN : forwarding to another local forwarder or resolver, using pfBlockerNG
Not sure ....
If it is possible using the GUI only, you should set up the GUI part of unbound as 'generic' as possible, and then build your own unbound config with this. You'll be needing the manual : unbound.conf
Normally, if this wasn't pfSense, I would prefer (I guess) firing up an instance per interface the good old classic way, using a config setup for each instance.
One that listens on DMZ port 53 UDP and TCP, and you'll finish it up with resolving.
LAN config : same thing, but on interface LAN. But again, not sure if this is possible - maybe with what is called 'views' ?
@wojciech__ said in DNS as Conditional Resolver:
but if DMZ then just simply resolve them and drop if they are trying to connect with internal IT domain DNS addresses
Host names are like phone numbers and mail addresses : whatever you think of them, consider them 'public' knowledge.
It's the firewall that allows access to a resource.
So, if someone on your DMZ, or even me here, knows the hostname of a device on your LAN, I still wouldn't be able to resolve and visit it. You have a firewall ^^
@Gertjan Hey, thank You for this reply
I've read that there are some options to set it up, but nothing that I would understand correctly, sadly.
I'm asking about this because I would like to avoid a big workaround, but there might be no way around it.
I had hoped there was some option to use the built-in ACLs in the DNS Resolver to do so, or to set up conditions for forwarding the queries using the DNS Forwarder.
I don't want to give the DMZ any access to the internal DNS server, and I need to set the firewall as DNS on every client to use DNS blacklisting...
The option of simply setting an IP address like 8.8.8.8 for the DMZ is not that good for me, also for security policy reasons. I haven't found any guides or examples where someone used such a config anywhere.
Maybe pfBlocker blacklisting would work if I set it up like this?
client-(DNS Query)->internal DNS server -> firewall as DNS server -> World DNS
Do you think that pfBlocker DNS blacklisting would work for resolving the queries from clients, sent through the internal DNS to the firewall?
Wait .... what about this :
Use unbound as the resolver with pfBlockerNG, and have it listening on (bound to) DMZ only.
Now you can also activate the DNS Forwarder (dnsmasq), also using port 53, and use this one on the LAN interface only, and set up the DNS servers it has to forward to. Your LAN won't benefit from pfBlockerNG.
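As an added illustration of the split described in that last post (not config from the thread, from pfSense or from pfBlockerNG), here are raw unbound.conf and dnsmasq.conf fragments that put the two daemons on different firewall addresses; the addresses, subnets, internal DNS servers and the internal domain are constructed placeholders.

```conf
# --- unbound.conf fragment: resolver for the DMZ only (constructed example) ---
server:
    # Bind only to the firewall's DMZ address (placeholder), never the wildcard,
    # so dnsmasq can own port 53 on the LAN address.
    interface: 192.0.2.1
    port: 53
    # Only DMZ clients may query; LAN and everything else gets REFUSED.
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # Internal IT domain (placeholder): answer REFUSED instead of resolving,
    # so DMZ hosts cannot look up LAN names through this resolver.
    local-zone: "corp.internal." always_refuse
    # pfBlockerNG's generated blocklist include files would be added below.

# --- dnsmasq.conf fragment: forwarder for the LAN only (constructed example) ---
# Without bind-interfaces dnsmasq binds 0.0.0.0:53 and collides with unbound.
bind-interfaces
listen-address=192.168.1.1
port=53
# Do not read /etc/resolv.conf; forward every query to the two internal servers.
no-resolv
server=192.168.1.10
server=192.168.1.11
```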