OpenDNS - Block everything else
I recently switched my workplace to OpenDNS, obviously for more control over content. Having issues with users simply changing their DNS. Managed to find the following article:
My setup is exact same, except DNS is forwarded by the domain controller, which has an IP of 192.168.1.20. Here's a quick screenshot of what I tried, and didn't succeed. After the block was added, all DNS came to a halt, even though DHCP/DNS are provided by the 192.168.1.20 machine. Any ideas?
This is what I also have tried, with no success.
If your local systems get DNS from your domain controller, you need to allow DNS to get out from your domain controller.
So you'd really want something like this:
pass tcp/udp from 192.168.1.20 to any port 53 – Let domain controller get DNS
block tcp/udp from LAN subnet to any port 53 -- keep the riff-raff from getting DNS from anywhere else.
pass any from LAN subnet to any -- Default allow LAN to any rule
If that works then lock the destination on the domain controller rule down to just OpenDNS and/or the firewall's LAN IP, depending on whether or not you want the DC to hit the DNS forwarder or go right to OpenDNS.
Would that be the priority order you would suggest as well?
1. Local domain controller DNS out
2 local subnet block all DNS
3 local subnet out all
The exact order I wrote them in.
It seems to have done the trick. Did a few tests and it seems as soon as a DNS is manually entered on any sort of a device, everything stops resolving. For future reference for anyone who may stumble upon this thread, I will include a screenshot of what it should look like. The source will be either be a local DNS on your network, or your pfsense firewall.