Netgate Discussion Forum
    OpenDNS - Block everything else

    Firewalling
    6 Posts 2 Posters 1.9k Views
    rustydusty1717

      I recently switched my workplace to OpenDNS, obviously for more control over content. Having issues with users simply changing their DNS. Managed to find the following article:

      http://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

      My setup is exactly the same, except DNS is forwarded by the domain controller, which has an IP of 192.168.1.20. Here's a quick screenshot of what I tried, which didn't succeed. After the block was added, all DNS came to a halt, even though DHCP/DNS are provided by the 192.168.1.20 machine. Any ideas?

      dnsblock.JPG

      rustydusty1717

        This is what I also have tried, with no success.

        dnsblock1.JPG

        jimp (Rebel Alliance Developer, Netgate)

          If your local systems get DNS from your domain controller, you need to allow DNS to get out from your domain controller.

          So you'd really want something like this:

          pass tcp/udp from 192.168.1.20 to any port 53 -- Let domain controller get DNS

          block tcp/udp from LAN subnet to any port 53 -- keep the riff-raff from getting DNS from anywhere else.

          pass any from LAN subnet to any -- Default allow LAN to any rule

          If that works then lock the destination on the domain controller rule down to just OpenDNS and/or the firewall's LAN IP, depending on whether or not you want the DC to hit the DNS forwarder or go right to OpenDNS.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          rustydusty1717

            Would that be the priority order you would suggest as well?

            1. Local domain controller DNS out
            2. Local subnet block all DNS
            3. Local subnet out all

            jimp (Rebel Alliance Developer, Netgate)

              The exact order I wrote them in.


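To make the ordering point concrete, here is an added example (not pfSense code and not from anyone in this thread): a small Python model of first-match evaluation over jimp's three rules, with the block placed above the DC pass for contrast, the locked-down second stage he describes, and the variant needed when clients point at the pfSense DNS forwarder instead of the DC. The subnet 192.168.1.0/24 and the domain controller 192.168.1.20 come from the thread; the firewall LAN address 192.168.1.1, the client 192.168.1.50, the OpenDNS resolver 208.67.222.222 and the 203.0.113.0/24 documentation addresses are assumptions made for the example. It also models the detail the thread relies on without saying so: a client asking the DC on the same subnet never crosses the firewall, so the block rule cannot break that lookup (a DC on a different VLAN would need its own pass rule).

```python
"""First-match evaluation of the LAN rules from this thread (added example, not pfSense code).

pfSense applies pf's 'quick' keyword to its rules, so the first matching rule decides a
packet and nothing below it is consulted. Order therefore matters, which is the point of
jimp's answer. Addresses marked 'assumed' are not from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # from the thread
ANY = ipaddress.ip_network("0.0.0.0/0")
DC = "192.168.1.20"          # domain controller that forwards DNS for clients (from the thread)
LAN_ADDRESS = "192.168.1.1"  # pfSense LAN IP (assumed)
CLIENT = "192.168.1.50"      # workstation whose user typed in their own DNS server (assumed)
OPENDNS = "208.67.222.222"   # an OpenDNS resolver (assumed for the example)
OTHER_RESOLVER = "203.0.113.53"  # some other public resolver (documentation address)
WEB_SERVER = "203.0.113.10"      # any non-DNS destination (documentation address)


def host(ip: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network   # ANY = 0.0.0.0/0
    dport: Optional[int]         # None = any port; 53 stands for tcp/udp 53
    description: str

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def decide(rules, src: str, dst: str, dport: int) -> str:
    """What the LAN interface does with a packet from src to dst:dport.

    Two hosts on the same subnet talk through the switch, never through pfSense, so that
    traffic is not filtered at all (traffic to the firewall's own LAN address is). Otherwise
    the first matching rule wins, and with no match pfSense's implicit default is block.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LAN_SUBNET and d in LAN_SUBNET and d != ipaddress.ip_address(LAN_ADDRESS):
        return "not filtered (same subnet)"
    for r in rules:
        if r.matches(src, dst, dport):
            return r.action
    return "block"  # implicit default deny


# jimp's three rules, in the order he gave them.
JIMP_ORDER = [
    Rule("pass",  host(DC),   ANY, 53,   "Let domain controller get DNS"),
    Rule("block", LAN_SUBNET, ANY, 53,   "keep the riff-raff from getting DNS from anywhere else"),
    Rule("pass",  LAN_SUBNET, ANY, None, "Default allow LAN to any rule"),
]

# Same rules with the block above the DC pass: the block now matches the DC's own
# queries first, so nothing on the LAN resolves. Shown only to illustrate the ordering.
BLOCK_FIRST = [JIMP_ORDER[1], JIMP_ORDER[0], JIMP_ORDER[2]]

# Second stage from jimp's answer: once it works, lock the DC rule down to OpenDNS only.
LOCKED_DOWN = [
    Rule("pass", host(DC), host(OPENDNS), 53, "DC may query OpenDNS only"),
    JIMP_ORDER[1],
    JIMP_ORDER[2],
]

# If clients use the pfSense DNS forwarder, a pass to the LAN address on port 53 has to
# sit above the block, since traffic to the firewall itself is filtered (assumed layout).
FORWARDER_ORDER = [
    JIMP_ORDER[0],
    Rule("pass", LAN_SUBNET, host(LAN_ADDRESS), 53, "Clients may use the firewall's forwarder"),
    JIMP_ORDER[1],
    JIMP_ORDER[2],
]


def walkthrough(rules) -> dict:
    """Decisions for the flows that matter in this thread, keyed by a short label."""
    return {
        "dc->opendns:53":     decide(rules, DC, OPENDNS, 53),
        "dc->other:53":       decide(rules, DC, OTHER_RESOLVER, 53),
        "client->opendns:53": decide(rules, CLIENT, OPENDNS, 53),
        "client->dc:53":      decide(rules, CLIENT, DC, 53),
        "client->fw:53":      decide(rules, CLIENT, LAN_ADDRESS, 53),
        "client->web:443":    decide(rules, CLIENT, WEB_SERVER, 443),
    }


if __name__ == "__main__":
    for name, rules in [("jimp's order", JIMP_ORDER), ("block first", BLOCK_FIRST),
                        ("locked down", LOCKED_DOWN), ("forwarder", FORWARDER_ORDER)]:
        print(f"== {name}")
        for flow, verdict in walkthrough(rules).items():
            print(f"  {flow:20s} {verdict}")
```

Under jimp's order the DC resolves, a client with a hand-typed resolver is blocked, and ordinary web traffic still passes; with the block moved first the DC is blocked too, which is the "all DNS came to a halt" symptom. The forwarder variant shows the one case the plain three-rule set does not cover: a client asking the firewall's own DNS forwarder on port 53 is filtered and needs its own pass rule above the block.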
              rustydusty1717

                It seems to have done the trick. Did a few tests, and it seems as soon as a DNS server is manually entered on any sort of device, everything stops resolving. For future reference for anyone who may stumble upon this thread, I will include a screenshot of what it should look like. The source will be either a local DNS server on your network or your pfSense firewall.

                block2.JPG

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.