OpenDNS - Block everything else



  • I recently switched my workplace to OpenDNS, obviously for more control over content. Having issues with users simply changing their DNS. Managed to find the following article:

    http://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

    My setup is exactly the same, except DNS is forwarded by the domain controller, which has an IP of 192.168.1.20. Here's a quick screenshot of what I tried, which didn't succeed. After the block was added, all DNS came to a halt, even though DHCP/DNS are provided by the 192.168.1.20 machine. Any ideas?




  • This is what I also have tried, with no success.



  • Rebel Alliance Developer Netgate

    If your local systems get DNS from your domain controller, you need to allow DNS to get out from your domain controller.

    So you'd really want something like this:

    pass tcp/udp from 192.168.1.20 to any port 53 -- Let domain controller get DNS

    block tcp/udp from LAN subnet to any port 53 -- keep the riff-raff from getting DNS from anywhere else.

    pass any from LAN subnet to any -- Default allow LAN to any rule

    If that works then lock the destination on the domain controller rule down to just OpenDNS and/or the firewall's LAN IP, depending on whether or not you want the DC to hit the DNS forwarder or go right to OpenDNS.



  • Would that be the priority order you would suggest as well?

    1. Local domain controller DNS out
    2. Local subnet block all DNS
    3. Local subnet out all


  • Rebel Alliance Developer Netgate

    The exact order I wrote them in.



  • It seems to have done the trick. Did a few tests, and as soon as a DNS server is manually entered on any sort of device, everything stops resolving. For future reference for anyone who may stumble upon this thread, I will include a screenshot of what it should look like. The source will be either a local DNS server on your network or your pfSense firewall.



Locked