[SOLVED] Force OpenDNS for clients with static ip
-
Hello…
I need help urgently. My clients are configured with static IP addresses on Windows, hence they also have to provide a DNS server. I have OpenDNS as my DNS servers in System > General Setup. But if I add Google DNS (8.8.8.8) on my client, pfSense uses it instead of OpenDNS. I have firewall rules added to block all DNS except OpenDNS the way shown here: http://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
But it is not working this way. It blocks DNS requests to 8.8.8.8 but doesn't redirect them to OpenDNS. And yes, I cannot use DHCP. Thanks
-
Try this thread to adopt it to DNS:
http://forum.pfsense.org/index.php?topic=57756.0;prev_next=next
In general it does NAT for a specific port on your LAN interface. Then it redirects this to the loopback address, which is pfSense.
So all traffic with destination port 53 will be NATted and redirected to pfSense so that the pfSense internal DNS can be used.
I never tried that, but on other threads (I could not find them now) other people got this working. If I remember correctly they used additional manual Outbound NAT rules for the DNS traffic.
Searching the forum for the "redirect NTP" keywords will hopefully bring you to some threads with NTP and DNS redirect.
-
I'll try it. Let us see if it works. Thanks!
-
Thanks @Natchfalke. Now I can force clients with static IP to use OpenDNS no matter what DNS servers they have in their PCs. This would have been very easy for DHCP clients using the DNS Forwarder, but for static clients do as follows:
1. Go to Firewall > Aliases
Add a new alias
Name - opendns (or anything you wish, nothing particular about this)
Type - Host(s)
Now in Host(s) add the IPs of OpenDNS, i.e. add the two IPs 208.67.222.222 and 208.67.220.220
Save this
2. Go to Firewall > NAT
Add a Port Forward (the first tab)
Protocol - TCP/UDP
Destination - any || Port - 53 (or select DNS in the dropdown)
Source - any || Port - any
Redirect Target IP - type opendns (or the name you gave to the alias)
Redirect port - DNS (53)
Save this
3. Follow these 2-3 small steps: http://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
And you are good to go ….
Hope This Helps !!
Cheers !!
-
Hi,
thank you for your feedback and for your tests.
I would be interested in whether I could skip the "Alias part" if I just add 127.0.0.1 (loopback) as the redirect IP on the NAT rule.
Did you test this? Will this work?
My intention is that this redirect rule will always use the pfSense internal DNS servers which are configured under System -> General Setup.
Perhaps you tried this or could give feedback on whether it works.
Thank you!
-
Yes, 127.0.0.1 (loopback) works fine!
Thanks again @natchfalke
-
Hi,
I'm a little confused here (this seems to be the case often, for me ::) ).
Do you actually need to do this:
3. Follow these 2-3 small steps: http://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
And you are good to go ….
if you have already set up the NAT rule? If so, why?
-
Looks like you are absolutely right. I do not see any reason for blocking other DNS servers with firewall rules if you have a NAT rule set up.
But I never tried it myself. I think the wiki shows a way to block DNS servers other than pfSense, but not to redirect these requests.
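For reference, this is what the alias, the port forward and the wiki's block rules from the how-to above amount to as a hand-written pf ruleset, and why the last two posts are right that the block rules add nothing once the redirect is in place. It is an added illustration, not something posted in the thread or copied from pfSense's generated ruleset; the LAN interface name em1 is assumed.

```pf
# Step 1, the alias: the two OpenDNS resolvers named in the how-to.
table <opendns> { 208.67.222.222, 208.67.220.220 }

# Step 2, the port forward: every DNS request arriving on LAN, whatever
# resolver the client has configured, has its destination rewritten to one
# of the OpenDNS addresses. A table as redirect target requires round-robin.
rdr on em1 inet proto { tcp, udp } from any to any port 53 -> <opendns> port 53 round-robin

# Variant confirmed later in the thread: redirect to pfSense itself so the
# DNS Forwarder answers using the servers from System > General Setup.
# rdr on em1 inet proto { tcp, udp } from any to any port 53 -> 127.0.0.1 port 53

# Step 3, the wiki's block rules. pf applies rdr before the filter rules run,
# so by the time these are evaluated the destination is already an OpenDNS
# address (or 127.0.0.1 in the variant): the block rule never matches a
# redirected packet, which is why the thread concludes it is unnecessary
# alongside the rdr. On their own (no rdr) they block but do not redirect.
pass in quick on em1 inet proto { tcp, udp } from em1:network to <opendns> port 53
block in quick on em1 inet proto { tcp, udp } from em1:network to any port 53
```

If you use the 127.0.0.1 variant, the pass rule above has to name the pfSense LAN address (em1) instead of the table, since that is the translated destination the filter sees.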