OpenDNS - Block everything else

  • I recently switched my workplace to OpenDNS, obviously for more control over content. Having issues with users simply changing their DNS. Managed to find the following article:

    My setup is exact same, except DNS is forwarded by the domain controller, which has an IP of Here's a quick screenshot of what I tried, and didn't succeed. After the block was added, all DNS came to a halt, even though DHCP/DNS are provided by the machine. Any ideas?

  • This is what I also have tried, with no success.

  • Rebel Alliance Developer Netgate

    If your local systems get DNS from your domain controller, you need to allow DNS to get out from your domain controller.

    So you'd really want something like this:

    pass tcp/udp from to any port 53 -- Let domain controller get DNS

    block tcp/udp from LAN subnet to any port 53 -- keep the riff-raff from getting DNS from anywhere else.

    pass any from LAN subnet to any -- Default allow LAN to any rule

    If that works then lock the destination on the domain controller rule down to just OpenDNS and/or the firewall's LAN IP, depending on whether or not you want the DC to hit the DNS forwarder or go right to OpenDNS.

  • Would that be the priority order you would suggest as well?

    1. Local domain controller DNS out
    2. Local subnet block all DNS
    3. Local subnet out all

  • Rebel Alliance Developer Netgate

    The exact order I wrote them in.
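To make the first-match ordering from the two posts above concrete, here is an added example (not code from the thread or from pfSense) that models the three LAN rules and evaluates sample packets against them in the recommended order and with the block rule moved above the DC pass. All addresses are constructed for the example; the domain controller, workstation and subnet are hypothetical, and the same-subnet shortcut models the fact that traffic between two LAN hosts never crosses the firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for this example; the thread does not give the real ones.
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
DC_IP = ipaddress.ip_address("192.168.1.10")        # hypothetical domain controller
CLIENT_IP = ipaddress.ip_address("192.168.1.50")    # hypothetical workstation
OPENDNS = ipaddress.ip_address("208.67.222.222")    # OpenDNS public resolver
PUBLIC_RESOLVER = ipaddress.ip_address("8.8.8.8")   # a resolver a user might type in by hand

@dataclass
class Rule:
    action: str        # "pass" or "block"
    protos: tuple      # protocols matched, e.g. ("tcp", "udp"); ("any",) matches all
    src: object        # an ip_address, an ip_network, or "any"
    dst_port: object   # destination port number, or "any"
    comment: str

def rule_matches(rule, proto, src, dst_port):
    if rule.protos != ("any",) and proto not in rule.protos:
        return False
    if isinstance(rule.src, ipaddress.IPv4Network):
        if src not in rule.src:
            return False
    elif rule.src != "any" and src != rule.src:
        return False
    return rule.dst_port == "any" or dst_port == rule.dst_port

def evaluate(rules, proto, src, dst, dst_port):
    """First-match evaluation, as pfSense applies interface rules top to bottom.

    Two hosts on the same LAN subnet talk directly, so a client querying the DC
    never reaches these rules. Traffic matching no rule hits the default deny.
    """
    if src in LAN_SUBNET and dst in LAN_SUBNET:
        return "pass", "same subnet: not routed through the firewall"
    for rule in rules:
        if rule_matches(rule, proto, src, dst_port):
            return rule.action, rule.comment
    return "block", "implicit default deny"

DNS = ("tcp", "udp")
# The order recommended in the thread: DC pass first, then the block, then allow-all.
SUGGESTED_ORDER = [
    Rule("pass", DNS, DC_IP, 53, "let domain controller get DNS"),
    Rule("block", DNS, LAN_SUBNET, 53, "keep everyone else from reaching other resolvers"),
    Rule("pass", ("any",), LAN_SUBNET, "any", "default allow LAN to any"),
]
# Block placed above the DC pass: reproduces the "all DNS came to a halt" symptom.
BLOCK_FIRST = [SUGGESTED_ORDER[1], SUGGESTED_ORDER[0], SUGGESTED_ORDER[2]]
```

Running `evaluate(BLOCK_FIRST, "udp", DC_IP, OPENDNS, 53)` returns a block, while the same packet under `SUGGESTED_ORDER` passes and a workstation's query to 8.8.8.8 is blocked.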

  • It seems to have done the trick. Did a few tests and it seems as soon as a DNS is manually entered on any sort of a device, everything stops resolving. For future reference for anyone who may stumble upon this thread, I will include a screenshot of what it should look like. The source will either be a local DNS on your network, or your pfSense firewall.