Override client DNS servers?



  • In DD-WRT, I was able to run a script a single time that would make it so all DNS requests would use the one configured on the router, even if the client had specified a different one. Does pfSense allow this functionality? I'm trying to use OpenDNS so I can filter out certain categories of websites, but if I change the DNS server on my local machine it overrides the DNS servers set in pfSense. Can I somehow force all DNS requests to go through the DNS servers I specify?



  • You can force them with a block or reject DNS rule on top: Picture



  • Thank you for the reply Perry. I understand what this rule is doing: dropping/rejecting all outbound port 53/UDP traffic. Meaning, if I try to do any DNS lookups outside of my own network, it will fail. But it doesn't appear to be working. Using http://www.internetbadguys.com/ as an example, I have OpenDNS servers as my DNS servers in pfSense, and Google's on my laptop, and my laptop is using Google's DNS servers instead. Additionally, an nslookup for a domain shows that I'm using my laptop's DNS servers. Any ideas?



  • Clear states and ipconfig /flushdns if your client is Windows. Check also that you did untick the ISP DNS override below where you entered the OpenDNS IPs.



  • Hi there.

    I haven't had any luck getting this to work. I added the rule…

    Cleared my DNS entries…

    Changed my DNS servers to NOT be 192.168.1.1 (used Google's new 8.8.8.8)

    Cleared the States in pfSense, but I can still go outbound UDP/53…

    $ nslookup google.com
    Server:		8.8.8.8
    Address:	8.8.8.8#53
    
    Non-authoritative answer:
    Name:	google.com
    Address: 64.233.169.106
    Name:	google.com
    Address: 64.233.169.105
    Name:	google.com
    Address: 64.233.169.147
    Name:	google.com
    Address: 64.233.169.99
    Name:	google.com
    Address: 64.233.169.103
    Name:	google.com
    Address: 64.233.169.104
    
    

    If I change the rule to block all UDP traffic, it does not allow the nslookup to continue. But if I limit it to port 53, it's allowed.

    I'm trying to intercept the DNS like this, which seems to work for iptables. Does pf not have a rule like this?



  • Sorry for posting a link to a faulty picture.

    Change source port to * and reboot
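The thread's fix (source port set to *, port 53 as the destination port) is easy to see when the matching logic is written out. The following is an added example, not code from the thread or from pfSense: a small Python model of first-match firewall rules over constructed packets, using an assumed LAN of 192.168.1.0/24 with the firewall's resolver at 192.168.1.1. It compares the mistaken rule (port 53 as source port, which never matches a client query because clients send from an ephemeral port), the working block rule (destination port 53, with the firewall's own resolver exempted), the single-rule variant using pfSense's inverted destination (`!` LAN address), and a model of the pf redirect (NAT port forward) that is the pf-side counterpart of the iptables intercept asked about above.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample topology (assumption, not from the thread):
# pfSense LAN side, with the firewall itself acting as the LAN resolver.
LAN_NET = ip_network("192.168.1.0/24")
LAN_IP = ip_address("192.168.1.1")
LAN_IP_NET = ip_network(f"{LAN_IP}/32")


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int      # client side: ephemeral, e.g. 54321
    dst: str
    dport: int      # service side: 53 for DNS


@dataclass(frozen=True)
class Rule:
    """One rule with pfSense-GUI-style fields; None means 'any' (*)."""
    action: str                            # "pass" or "block"
    proto: Optional[str] = None
    src_net: Optional[IPv4Network] = None
    sport: Optional[int] = None            # source port field in the GUI
    dst_net: Optional[IPv4Network] = None
    dst_invert: bool = False               # models the GUI's "not" (!) on destination
    dport: Optional[int] = None            # destination port field in the GUI

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src_net is not None and ip_address(p.src) not in self.src_net:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dst_net is not None:
            in_dst = ip_address(p.dst) in self.dst_net
            if in_dst == self.dst_invert:      # inverted: match only when NOT in dst_net
                return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(rules, p: Packet, default: str = "pass") -> str:
    """First match wins (pfSense GUI rules are implicitly 'quick').
    The default models the stock 'LAN allow all' rule sitting underneath."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Ruleset A: the mistake discussed in the thread -- 53 entered as the *source* port.
SOURCE_PORT_RULES = [
    Rule("block", proto="udp", src_net=LAN_NET, sport=53),
]

# Ruleset B: the working form -- source port *, destination port 53, with the
# firewall's own resolver passed first so LAN clients can still resolve names.
DEST_PORT_RULES = [
    Rule("pass", src_net=LAN_NET, dst_net=LAN_IP_NET, dport=53),
    Rule("block", src_net=LAN_NET, dport=53),
]

# Ruleset C: same effect in one rule, destination "! LAN address", port 53.
INVERT_DEST_RULES = [
    Rule("block", src_net=LAN_NET, dst_net=LAN_IP_NET, dst_invert=True, dport=53),
]


def redirect_dns(p: Packet) -> Packet:
    """Models a NAT port forward (pf 'rdr'): a LAN packet to port 53 that is not
    already aimed at the firewall has its destination rewritten to the firewall's
    resolver. This is the pf counterpart of an iptables DNAT intercept."""
    if ip_address(p.src) in LAN_NET and p.dport == 53 and ip_address(p.dst) != LAN_IP:
        return replace(p, dst=str(LAN_IP))
    return p


# Constructed sample traffic from a LAN client that has 8.8.8.8 configured.
QUERY_TO_GOOGLE = Packet("udp", "192.168.1.50", 54321, "8.8.8.8", 53)
QUERY_TO_FIREWALL = Packet("udp", "192.168.1.50", 54322, "192.168.1.1", 53)
HTTPS_OUT = Packet("tcp", "192.168.1.50", 44444, "93.184.216.34", 443)

if __name__ == "__main__":
    for p in (QUERY_TO_GOOGLE, QUERY_TO_FIREWALL, HTTPS_OUT):
        print(f"{p.dst}:{p.dport:<4} "
              f"source-port rule={evaluate(SOURCE_PORT_RULES, p):5} "
              f"dest-port rules={evaluate(DEST_PORT_RULES, p):5} "
              f"!LAN rule={evaluate(INVERT_DEST_RULES, p):5} "
              f"rdr dst={redirect_dns(p).dst}")
```

The model also explains the "clear states" advice: a block rule is consulted only for new flows, so an existing state for a client's query to 8.8.8.8 keeps passing until it is reset. Note that the block-only rulesets stop lookups to outside resolvers but leave the client with a failing resolver; the redirect variant instead answers those queries from the firewall's own resolver (the OpenDNS-filtered one in the original question), which is the behaviour the DD-WRT script in the first post provided.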

