DNS Routing

  • Hi, we have several IPs coming in from a T1 and connected to pfSense. OpenDNS with content filtering is used for the main IP configured on WAN. For the other IPs the ISP gives us, I rerouted certain computers to use them (under firewall rules) and it works great; however, DNS is still using the main IP's DNS servers and this results in blocked websites. The purpose of routing some computers away from the main IP is to get some websites unblocked. Using an alternate DNS server and manually configuring it on the computer itself is not an option because we have a Domain Controller set up, and it is vital to route all DNS queries primarily through the DC's DNS server. How can I tell pfSense not to use WAN to get DNS queries, but rather use the IP address that it's originating from?
    I also set up a 1:1 NAT, no resolution.
    Thank you in advance.

  • If all of your clients are pointing to the DC for DNS, all of your queries will look like they are coming from the DC so you won't be able to differentiate the source.

  • Oh, I see.
    Regardless, is there any other way around this? I would like to keep a loophole referenced for a future installation.

  • You could have the domain controller's DNS traffic go out the other link to OpenDNS for the non-filtered traffic.
    Point all of the clients that don't need to be filtered directly to the controller for DNS.

    Enable the pfSense DNS forwarder. Use the option to forward requests for your active directory DNS name to your domain controller.
    Then point all of the clients that need to be filtered to pfSense.

  • I actually figured out another way. Now, forget I even mentioned a DC. When I specify an alternate external IP for certain computers, how do I make DNS also use the alternate external IP, rather than the WAN IP? If I need to make a static route, please let me know exactly what to do, I have no idea at all what a static route is and always have trouble creating one when testing.

  • You should be able to do it using outbound NAT if all of your clients point directly to the OpenDNS servers.
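The three answers above all come down to the same mechanism: pfSense chooses a gateway (for policy routing) or a translation address (for outbound NAT) by matching the source of the packet it sees. The following added example, which is not from this thread or from the pfSense project, models that with constructed addresses (192.168.1.0/24, a DC at .10, pfSense at .1, the AD name `corp.example`) and traces where a lookup leaves the network under the original layout, under the forwarder-plus-domain-override layout, and under outbound NAT with clients querying OpenDNS directly.

```python
"""
Added example, not part of the thread: a small model of pfSense-style
source-based policy routing and outbound NAT. It shows (1) why DNS relayed
through the domain controller always leaves via the default WAN, (2) how the
forwarder-plus-domain-override layout splits the lookups, and (3) why
outbound NAT only helps when clients query the resolver directly.
All addresses and names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

WAN, ALT = "wan", "alt"                  # main link (filtered OpenDNS) and spare IP
DC, PFSENSE = "192.168.1.10", "192.168.1.1"
OPENDNS = "208.67.222.222"               # public OpenDNS resolver
FILTERED, UNFILTERED = "192.168.1.50", "192.168.1.60"
AD_DOMAIN = "corp.example"               # constructed Active Directory DNS name


@dataclass
class Rule:
    src: str       # CIDR the rule matches on
    gateway: str   # gateway a firewall rule forces, or the NAT translation label


def egress(rules, src, default=WAN):
    """First rule whose source network contains `src` wins; else the default gateway.
    pfSense's own upstream queries follow the default gateway as well."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if ip in ipaddress.ip_network(r.src):
            return r.gateway
    return default


def dns_egress(rules, forwarders, client, name):
    """Follow a lookup for `name` hop by hop. `forwarders` maps an internal host to
    a function(name) -> next DNS server (None = answered locally). Returns the host
    that finally sends the query to the Internet and the gateway its packet takes;
    the gateway is None when the answer never leaves the LAN."""
    hop = client
    for _ in range(8):                   # guard against forwarding loops
        nxt = forwarders[hop](name)
        if nxt is None:
            return hop, None
        if nxt not in forwarders:        # external resolver: the router sees `hop` as source
            return hop, egress(rules, hop)
        hop = nxt
    raise RuntimeError("forwarding loop")


def to_dc(_name): return DC
def to_pfsense(_name): return PFSENSE
def to_opendns(_name): return OPENDNS

def dc_upstream(name):
    # The controller is authoritative for the AD zone and forwards everything else.
    return None if name.endswith("." + AD_DOMAIN) else OPENDNS

def pfsense_forwarder(name):
    # Domain override: AD names go to the controller, everything else upstream.
    return DC if name.endswith("." + AD_DOMAIN) else OPENDNS


# (1) Original layout: every client uses the DC; only the unfiltered client is policy-routed.
original_rules = [Rule(UNFILTERED + "/32", ALT)]
original_fwd = {FILTERED: to_dc, UNFILTERED: to_dc, DC: dc_upstream}

# (2) Suggested layout: the DC's own traffic goes out the alternate link, unfiltered
#     clients still use the DC, filtered clients use the pfSense forwarder.
split_rules = [Rule(UNFILTERED + "/32", ALT), Rule(DC + "/32", ALT)]
split_fwd = {FILTERED: to_pfsense, UNFILTERED: to_dc,
             PFSENSE: pfsense_forwarder, DC: dc_upstream}

# (3) Outbound NAT: the translation address is chosen by source as well, so it only
#     differs per client when the clients send their queries to OpenDNS directly.
nat_rules = [Rule(UNFILTERED + "/32", "alt-ip"), Rule("192.168.1.0/24", "wan-ip")]
direct_fwd = {FILTERED: to_opendns, UNFILTERED: to_opendns}


if __name__ == "__main__":
    site = "www.example.net"
    print("original: web", egress(original_rules, UNFILTERED),
          "/ dns", dns_egress(original_rules, original_fwd, UNFILTERED, site))
    print("split unfiltered:", dns_egress(split_rules, split_fwd, UNFILTERED, site))
    print("split filtered:  ", dns_egress(split_rules, split_fwd, FILTERED, site))
    print("split AD name:   ", dns_egress(split_rules, split_fwd, FILTERED, "dc1." + AD_DOMAIN))
    print("nat direct:      ", dns_egress(nat_rules, direct_fwd, UNFILTERED, site))
    print("nat via DC:      ", dns_egress(nat_rules, original_fwd, UNFILTERED, site))
```

Under layout (1) the unfiltered client's web traffic leaves via the alternate link but its lookups leave from the DC via WAN, which is the mismatch described in the question. Layout (2) routes the DC's upstream queries out the alternate link and lets pfSense's forwarder send filtered clients' lookups to OpenDNS via WAN while still handing AD names to the controller. Layout (3) shows that outbound NAT picks the translation address per source, so a query relayed through the DC still carries the WAN address.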

  • Attempted that, did a flushdns, tried a totally different website that is blocked on my WAN IP, still no success. DNS trace shows that it is using the WAN IP for DNS queries. Any other way?
