Override client DNS servers?
In DD-WRT, I was able to run a script a single time that would make it so all DNS requests would use the one configured on the router, even if the client had specified a different one. Does pfSense allow this functionality? I'm using to use OpenDNS so I can filter out certain categories of websites, but if I change the DNS server on my local machine it overrides the DNS servers set in pfSense. Can I somehow force all DNS requests to go through the DNS servers I specify?
You can force them with a block or reject DNS rule on top Picture
Thank you for the reply Perry. I understand what this rule is doing- dropping/rejecting all outbound port 53/UDP traffic. Meaning, if I try and do any DNS lookups outside of my own network, it will fail. But, it doesn't appear to be working. Using http://www.internetbadguys.com/ as an example, I have OpenDNS servers as my DNS servers in pfSense, and Google's on my laptop, and my laptop is using Google's DNS servers instead. Additionally, an nslookup for a domain shows that I'm using my laptop's DNS servers. Any ideas?
clear states and ipconfig /flushdns if your client is windows. Check also that you did untick the isp dns override blow where you entered opendns ip's
I haven't had any luck getting this to work. I added the rule…
Changed my DNS servers to NOT be 192.168.1.1 (used Google's new 220.127.116.11)
Cleared the States in pfSense, but I can still go outbound UDP/53…
$ nslookup google.com Server: 18.104.22.168 Address: 22.214.171.124#53 Non-authoritative answer: Name: google.com Address: 126.96.36.199 Name: google.com Address: 188.8.131.52 Name: google.com Address: 184.108.40.206 Name: google.com Address: 220.127.116.11 Name: google.com Address: 18.104.22.168 Name: google.com Address: 22.214.171.124
If I change the rule to block all UDP traffic, it does not allow the nslookup to continue. But if I limit it to port 53, it's allowed.
I'm trying to Intercept the DNS like this, which seems to work for iptables. Does pf not have a rule like this?
Sorry for posting a link to a faulty picture.
Change source port to * and reboot