OpenDNS for some users not for all? without vlan?



  • as I understand it I'll need to replace my unmanaged tplink switch before I can use vlan.  But that could be moot for all I don't know

    Can I inflict OpenDNS resolvers on some users and the default set for everyone else?  Hopefully I can inflict a set of resolvers instead of one so they can fall back on other resolvers blocking untowardly content, too.

    2.0.3-RELEASE (i386)
    built on Fri Apr 12 10:22:21 EDT 2013
    FreeBSD 8.1-RELEASE-p13

    dell optiplex "Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz " 4 gigs of 4 max ram.  One 2 port Intel 1000 pci-e nic that was a shocking $57 'bulk' bargain on amazon.

    I was attracted to pfSense party because of resolver enforcement
    http://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

    but predominantly to avoid SIP ALG on ISP's router.



  • @SIPpyCup:

    Can I inflict OpenDNS resolvers on some users and the default set for everyone else?

    How do you decide which users get OpenDNS?



  • @SIPpyCup:

    Can I inflict OpenDNS resolvers on some users and the default set for everyone else?  Hopefully I can inflict a set of resolvers instead of one so they can fall back on other resolvers blocking untowardly content, too.

    Can be accomplished via firewall rules if:
    1.) you know the addresses of the machines that should not have to use OpenDNS
    2.) you don't mind configuring the "non OpenDNS" machines to use a different DNS server

    Steps to set it up:
    1.) Set up pfSense to use OpenDNS by default
    2.) Create rule to block all outbound access on port 53 to DNS servers other than OpenDNS.
    3.) Create another rule (before the block rule) that allows a range of internal IP addresses to hit any external IP address on port 53
    4.) Assign an IP address that is in the range defined in step 2 to the machines (by MAC) which are allowed to use any DNS server
    5.) Modify client config for machines allowed to hit non OpenDNS to use whatever DNS server you desire

    If you want to do this "automatically" - i.e. without changing the client to use a different DNS server, you might be able to create a rule that forwards outbound port 53 connections for a range of internal IP addresses to different DNS servers… I haven't tried to get this working though.
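Added example (not code from the thread or from pfSense): a small model of the ordered ruleset in steps 2 and 3 above, to show why the range-based pass has to sit above the block. pfSense LAN rules are first-match, so whichever rule matches first decides. The address ranges, the firewall's LAN address and the sample flows are assumptions for illustration; the OpenDNS resolver addresses are the public ones.

```python
"""Model of the ordered firewall policy from the steps above.

Constructed example, not pfSense code: the exempt range, the firewall's
LAN address and the sample flows are assumptions. pfSense LAN rules are
first-match ("quick"), so rule order is what makes step 3 work.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional

# OpenDNS' public resolvers (real); the rest of these addresses are assumed.
OPENDNS = frozenset({"208.67.222.222", "208.67.220.220"})
PFSENSE_LAN = "192.168.1.1"                    # the firewall's own forwarder, using OpenDNS upstream
UNRESTRICTED = ip_network("192.168.1.192/26")  # hosts allowed to use any resolver (step 3/4 range)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                           # "pass" or "block"
    src: Optional[IPv4Network] = None     # None matches any source
    dst: Optional[FrozenSet[str]] = None  # None matches any destination
    dport: Optional[int] = None           # None matches any destination port
    note: str = ""

    def matches(self, f: Flow) -> bool:
        if self.src is not None and ip_address(f.src) not in self.src:
            return False
        if self.dst is not None and f.dst not in self.dst:
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        return True


def verdict(rules: List[Rule], f: Flow) -> str:
    """First matching rule wins, as with quick rules on a pfSense interface."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "block"  # pf's implicit default deny


# Steps 2 and 3 as an ordered LAN ruleset, with step 3 placed above step 2.
POLICY = [
    Rule("pass", src=UNRESTRICTED, dport=53, note="step 3: exempt range may use any resolver"),
    Rule("pass", dst=OPENDNS | {PFSENSE_LAN}, dport=53, note="everyone may reach OpenDNS or the firewall"),
    Rule("block", dport=53, note="step 2: every other DNS server"),
    Rule("pass", note="default LAN allow for non-DNS traffic"),
]

# The same rules with the block moved to the top, to show why order matters.
MISORDERED = [POLICY[2], POLICY[0], POLICY[1], POLICY[3]]


if __name__ == "__main__":
    for flow in [Flow("192.168.1.50", "8.8.8.8", 53), Flow("192.168.1.50", "208.67.222.222", 53),
                 Flow("192.168.1.200", "8.8.8.8", 53), Flow("192.168.1.50", "93.184.216.34", 443)]:
        print(flow, "->", verdict(POLICY, flow), "| misordered:", verdict(MISORDERED, flow))
```

The model only keys on destination port 53, exactly as the posted rules do; it says nothing about protocol (apply the rule to both TCP and UDP in pfSense) or about the DHCP static mappings in step 4, which are what keep a given host inside the exempt range.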



  • thank you for your detailed reply.  I think my install was corrupted so I'll be installing fresh.  I'll apply your ruleset and let you know how it fares against devious teens.



  • @rjcrowder:

    @SIPpyCup:

    Can I inflict OpenDNS resolvers on some users and the default set for everyone else?  Hopefully I can inflict a set of resolvers instead of one so they can fall back on other resolvers blocking untowardly content, too.

    Can be accomplished via firewall rules if:
    1.) you know the addresses of the machines that should not have to use OpenDNS
    2.) you don't mind configuring the "non OpenDNS" machines to use a different DNS server

    Steps to set it up:
    1.) Set up pfSense to use OpenDNS by default
    2.) Create rule to block all outbound access on port 53 to DNS servers other than OpenDNS.
    3.) Create another rule (before the block rule) that allows a range of internal IP addresses to hit any external IP address on port 53
    4.) Assign an IP address that is in the range defined in step 2 to the machines (by MAC) which are allowed to use any DNS server
    5.) Modify client config for machines allowed to hit non OpenDNS to use whatever DNS server you desire

    If you want to do this "automatically" - i.e. without changing the client to use a different DNS server, you might be able to create a rule that forwards outbound port 53 connections for a range of internal IP addresses to different DNS servers… I haven't tried to get this working though.

    This is very close to what I am trying to accomplish.  HOWEVER, what I want to do is all hosts on the same subnet use pfsense for DNS resolution of internal networks.  Clients in IP range A should use the ISP's DNS for external name resolution and clients in IP range B should use OpenDNS server for external name resolution.

    Any ideas on how to accomplish that?



    This is very close to what I am trying to accomplish.  HOWEVER, what I want to do is all hosts on the same subnet use pfsense for DNS resolution of internal networks.  Clients in IP range A should use the ISP's DNS for external name resolution and clients in IP range B should use OpenDNS server for external name resolution.

    Any ideas on how to accomplish that?

    If you use just 1 DNS Forwarder to do this, and it is caching normally, then a client that requests a name to the ISP will also have that name cached in the DNS Forwarder. Another client, that is supposed to use OpenDNS, may ask for that name and get it from the DNS Forwarder cache. That would be a loophole for the OpenDNS-required clients to get real answers, when they are (presumably) supposed to be filtered from nasty sites by OpenDNS.
    If pfSense had the features, I guess it would be technically possible to make a 2nd virtual IP on LAN and run a 2nd DNS forwarder listening on the virtual IP, port 53. 1 DNS forwarder forwards to ISP, the other to OpenDNS. Both have the same domain overrides and/or host overrides to provide internal names.
    Then DHCP pools could be setup handing out the appropriate DNS forwarder address to the appropriate clients.
    Firewall rules can enforce this by allowing DNS from each pool to the corresponding DNS forwarder and not elsewhere.

    Otherwise, you could run another DNS Forwarder on some other machine (even just another pfSense in a VM somewhere that does no routing, just provides DNS Forwarding to OpenDNS, with rules on LAN about what can access it.) Then your main pfSense can give out the DNS forwarder addresses to the pools like described above. (and allow the other DNS Forwarder through to OpenDNS…)

    Sounds like a bit of fun to get working.
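Added example (not code from the thread, pfSense or dnsmasq): a model of the shared-cache loophole described above, next to the two-forwarder design. The names, the answers each upstream gives, the two DHCP pool ranges and the "blocked" answer are all assumptions made up for illustration; the point it demonstrates is that a single cache does not remember which client's upstream filled it.

```python
"""Shared-cache loophole versus two forwarders with separate caches.

Constructed example: names, upstream answers, pool ranges and the BLOCKED
sentinel are assumptions, not data from the thread.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

BLOCKED = "0.0.0.0"  # stand-in for the filtered answer OpenDNS would return (assumption)

# Assumed answers from each upstream: the ISP answers honestly, OpenDNS
# filters naughty.test according to the account's content settings.
ISP_UPSTREAM: Dict[str, str] = {"example.test": "203.0.113.10", "naughty.test": "203.0.113.66"}
OPENDNS_UPSTREAM: Dict[str, str] = {"example.test": "203.0.113.10", "naughty.test": BLOCKED}
HOST_OVERRIDES: Dict[str, str] = {"printer.lan": "192.168.1.20"}  # shared by both forwarders

POOL_ISP = ip_network("192.168.1.0/25")        # DHCP pool handed the ISP-forwarding address
POOL_OPENDNS = ip_network("192.168.1.128/25")  # DHCP pool handed the OpenDNS-forwarding address


def uses_isp(client: str) -> bool:
    return ip_address(client) in POOL_ISP


class SharedCacheForwarder:
    """One forwarder that picks the upstream per client but keeps a single cache."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}

    def resolve(self, client: str, name: str) -> str:
        if name in HOST_OVERRIDES:
            return HOST_OVERRIDES[name]
        if name in self.cache:
            return self.cache[name]  # loophole: the cache does not know who filled it
        upstream = ISP_UPSTREAM if uses_isp(client) else OPENDNS_UPSTREAM
        self.cache[name] = upstream[name]
        return self.cache[name]


class Forwarder:
    """A caching forwarder bound to exactly one upstream."""

    def __init__(self, upstream: Dict[str, str]) -> None:
        self.upstream = upstream
        self.cache: Dict[str, str] = {}

    def resolve(self, name: str) -> str:
        if name in HOST_OVERRIDES:
            return HOST_OVERRIDES[name]
        if name not in self.cache:
            self.cache[name] = self.upstream[name]
        return self.cache[name]


class SplitForwarders:
    """Two forwarders (LAN IP and virtual IP in the sketch above), each with its own cache."""

    def __init__(self) -> None:
        self.isp = Forwarder(ISP_UPSTREAM)
        self.opendns = Forwarder(OPENDNS_UPSTREAM)

    def resolve(self, client: str, name: str) -> str:
        fwd = self.isp if uses_isp(client) else self.opendns
        return fwd.resolve(name)


# Constructed query sequence: an ISP-pool client warms the cache first,
# then an OpenDNS-pool client asks for the same filtered name.
QUERIES: List[Tuple[str, str]] = [
    ("192.168.1.10", "naughty.test"),
    ("192.168.1.200", "naughty.test"),
    ("192.168.1.200", "printer.lan"),
]


def run(design, queries: List[Tuple[str, str]] = QUERIES) -> List[str]:
    return [design.resolve(client, name) for client, name in queries]


if __name__ == "__main__":
    print("shared cache:    ", run(SharedCacheForwarder()))
    print("split forwarders:", run(SplitForwarders()))
```

Both designs still need the firewall rules from the post to matter: the model assumes each client actually asks the forwarder its pool was given, which is what the per-pool DNS rules enforce.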



  • @phil.davis:

    This is very close to what I am trying to accomplish.  HOWEVER, what I want to do is all hosts on the same subnet use pfsense for DNS resolution of internal networks.  Clients in IP range A should use the ISP's DNS for external name resolution and clients in IP range B should use OpenDNS server for external name resolution.

    Any ideas on how to accomplish that?

    If you use just 1 DNS Forwarder to do this, and it is caching normally, then a client that requests a name to the ISP will also have that name cached in the DNS Forwarder. Another client, that is supposed to use OpenDNS, may ask for that name and get it from the DNS Forwarder cache. That would be a loophole for the OpenDNS-required clients to get real answers, when they are (presumably) supposed to be filtered from nasty sites by OpenDNS.
    If pfSense had the features, I guess it would be technically possible to make a 2nd virtual IP on LAN and run a 2nd DNS forwarder listening on the virtual IP, port 53. 1 DNS forwarder forwards to ISP, the other to OpenDNS. Both have the same domain overrides and/or host overrides to provide internal names.
    Then DHCP pools could be setup handing out the appropriate DNS forwarder address to the appropriate clients.
    Firewall rules can enforce this by allowing DNS from each pool to the corresponding DNS forwarder and not elsewhere.

    Otherwise, you could run another DNS Forwarder on some other machine (even just another pfSense in a VM somewhere that does no routing, just provides DNS Forwarding to OpenDNS, with rules on LAN about what can access it.) Then your main pfSense can give out the DNS forwarder addresses to the pools like described above. (and allow the other DNS Forwarder through to OpenDNS…)

    Sounds like a bit of fun to get working.

    Good points.  After thinking about this some more, I am considering upgrading to pfSense 2.1 so I can assign different DNS servers for the different clients using DHCP static mappings.

    Unrestricted users will get assigned the pfSense resolver.  Restricted users will get DNS assigned from a 2nd server on which I will set up BIND on a Linux.  The intended configuration will send requests for the internal network to the pfSense resolver and to forward all other queries to OpenDNS.  In addition I will need to create a firewall rule to deny DNS queries from the restricted clients to port 53 outbound to prevent overriding the DNS.  I'd also need to block the internal restricted hosts from reaching the pfSense resolver directly from the internal LAN.

    I will also use the DDNS feature to keep my WAN IP updated with my OpenDNS account.

    Does anyone see any flaws in that logic?



  • Sounds good, although I doubt the OpenDNS guys would like to think of themselves being "inflicted" on hosts. 
    I've been thinking to do something like this myself so that I can not "NEED" Dansguardian on most installs.
    I like to keep firewalls as uncomplicated as possible.
    If I can selectively apply DNS rules to clients and remove a process from my firewall I'm happy.



  • @kejianshi:

    Sounds good, although I doubt the OpenDNS guys would like to think of themselves being "inflicted" on hosts. 
    I've been thinking to do something like this myself so that I can not "NEED" Dansguardian on most installs.
    I like to keep firewalls as uncomplicated as possible.
    If I can selectively apply DNS rules to clients and remove a process from my firewall I'm happy.

    I got this working today.  Created a new VM running 2.1-RC0.  Imported config from the old VM.  Then I set up another Linux VM as the 2nd DNS server using BIND in a chroot jail.  Two forward zones: one for the internal network domain which forwards those requests to the pfSense resolver and another for "." pointing to the OpenDNS servers.

    I logged into the OpenDNS control panel and set up the content filtering.  Then I set up a new DDNS profile in pfSense to update OpenDNS whenever the WAN IP changes.

    Finally, I used the DHCP config options in 2.1 to set the 2nd server as the DNS for the hosts I wanted to filter.  I also tweaked the max TTL cache time on the 2nd DNS to 5 min.  That way when I need to whitelist a domain the users don't have to wait long for it to go into effect.

    Now I just need to set up the firewall rules to prevent back doors and I'm done.