Netgate Discussion Forum
    OpenDNS for some users not for all? without vlan?

DHCP and DNS
9 Posts 6 Posters 7.0k Views
SIPpyCup

As I understand it, I'll need to replace my unmanaged TP-Link switch before I can use VLANs. But that could be moot for all I know.

Can I inflict OpenDNS resolvers on some users and the default set for everyone else? Hopefully I can inflict a set of resolvers instead of one, so they can fall back on other resolvers that block untoward content, too.

2.0.3-RELEASE (i386)
built on Fri Apr 12 10:22:21 EDT 2013
FreeBSD 8.1-RELEASE-p13

Dell Optiplex "Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz", 4 gigs of 4 max RAM. One 2-port Intel 1000 PCI-e NIC that was a shocking $57 'bulk' bargain on Amazon.

I was attracted to the pfSense party because of resolver enforcement
      http://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers

but predominantly to avoid the SIP ALG on the ISP's router.

wallabybob

        @SIPpyCup:

        Can I inflict OpenDNS resolvers on some users and the default set for everyone else?

        How do you decide which users get OpenDNS?

rjcrowder

          @SIPpyCup:

Can I inflict OpenDNS resolvers on some users and the default set for everyone else? Hopefully I can inflict a set of resolvers instead of one, so they can fall back on other resolvers that block untoward content, too.

          Can be accomplished via firewall rules if:
          1.) you know the addresses of the machines that should not have to use OpenDNS
          2.) you don't mind configuring the "non OpenDNS" machines to use a different DNS server

          Steps to set it up:
          1.) Setup pfsense to use OpenDNS by default
          2.) Create rule to block all outbound access on port 53 to DNS servers other than OpenDNS.
          3.) Create another rule (before the block rule) that allows a range of internal IP addresses to hit any external IP address on port 53
          4.) Assign an IP address that is in the range defined in step 2 to the machines (by MAC) which are allowed to use any DNS server
          5.) Modify client config for machines allowed to hit non OpenDNS to use whatever DNS server you desire

          If you want to do this "automatically" - i.e. without changing the client to use a different DNS server, you might be able to create a rule that forwards outbound port 53 connections for a range of internal IP addresses to different DNS servers… I haven't tried to get this working though.

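As an added illustration of steps 2 and 3 above (not code from this thread and not pfSense's own output), here is the same ruleset in pf.conf syntax, roughly as pfSense generates it from the GUI. The interface name, the LAN subnet and the unrestricted address range are assumptions for illustration; the two OpenDNS resolver addresses are the ones OpenDNS publishes.

```conf
# Added example, not from the thread: pf rules for "only OpenDNS, except for a
# chosen range of hosts". pfSense evaluates GUI rules first-match ("quick"),
# so the allow rules must sit above the block rule.

lan_if  = "em0"              # assumed LAN interface name
lan_net = "192.168.1.0/24"   # assumed LAN subnet

# OpenDNS anycast resolvers as published by OpenDNS
table <opendns> { 208.67.222.222, 208.67.220.220 }
# assumed range for hosts allowed to use any resolver (steps 3 and 4)
table <dns_unrestricted> { 192.168.1.200/29 }

# Step 3: hosts in the unrestricted range may query any resolver on port 53.
pass in quick on $lan_if proto { tcp udp } from <dns_unrestricted> to any port 53

# Step 1 implies this rule: ordinary clients ask the pfSense forwarder on the
# LAN address, which forwards to OpenDNS. Without it the block below would
# also cut clients off from the firewall's own forwarder.
pass in quick on $lan_if proto { tcp udp } from $lan_net to ($lan_if) port 53

# Step 2: everyone else may talk directly only to OpenDNS ...
pass in quick on $lan_if proto { tcp udp } from $lan_net to <opendns> port 53

# ... and any other outbound DNS request is dropped and logged.
block in log quick on $lan_if proto { tcp udp } from $lan_net to any port 53
```

In the GUI these are four LAN rules in this order. The log flag on the block rule is what lets you see, in the firewall log, which hosts are trying other resolvers. The rules only govern port 53 TCP and UDP; they say nothing about DNS carried over other ports, which is outside the design discussed here.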
SIPpyCup

Thank you for your detailed reply. I think my install was corrupted, so I'll be installing fresh. I'll apply your ruleset and let you know how it fares against devious teens.

AirCooledTiger

              @rjcrowder:

              @SIPpyCup:

Can I inflict OpenDNS resolvers on some users and the default set for everyone else? Hopefully I can inflict a set of resolvers instead of one, so they can fall back on other resolvers that block untoward content, too.

              Can be accomplished via firewall rules if:
              1.) you know the addresses of the machines that should not have to use OpenDNS
              2.) you don't mind configuring the "non OpenDNS" machines to use a different DNS server

              Steps to set it up:
              1.) Setup pfsense to use OpenDNS by default
              2.) Create rule to block all outbound access on port 53 to DNS servers other than OpenDNS.
              3.) Create another rule (before the block rule) that allows a range of internal IP addresses to hit any external IP address on port 53
              4.) Assign an IP address that is in the range defined in step 2 to the machines (by MAC) which are allowed to use any DNS server
              5.) Modify client config for machines allowed to hit non OpenDNS to use whatever DNS server you desire

              If you want to do this "automatically" - i.e. without changing the client to use a different DNS server, you might be able to create a rule that forwards outbound port 53 connections for a range of internal IP addresses to different DNS servers… I haven't tried to get this working though.

This is very close to what I am trying to accomplish. HOWEVER, what I want to do is have all hosts on the same subnet use pfSense for DNS resolution of the internal networks. Clients in IP range A should use the ISP's DNS for external name resolution and clients in IP range B should use the OpenDNS servers for external name resolution.

              Any ideas on how to accomplish that?

phil.davis

@AirCooledTiger:

This is very close to what I am trying to accomplish. HOWEVER, what I want to do is have all hosts on the same subnet use pfSense for DNS resolution of the internal networks. Clients in IP range A should use the ISP's DNS for external name resolution and clients in IP range B should use the OpenDNS servers for external name resolution.

Any ideas on how to accomplish that?

If you use just 1 DNS Forwarder to do this, and it is caching normally, then a client that requests a name via the ISP will also have that name cached in the DNS Forwarder. Another client, that is supposed to use OpenDNS, may ask for that name and get it from the DNS Forwarder cache. That would be a loophole for the OpenDNS-required clients to get real answers, when they are (presumably) supposed to be filtered from nasty sites by OpenDNS.
If pfSense had the features, I guess it would be technically possible to make a 2nd virtual IP on LAN and run a 2nd DNS forwarder listening on the virtual IP, port 53. One DNS forwarder forwards to the ISP, the other to OpenDNS. Both have the same domain overrides and/or host overrides to provide internal names.
Then DHCP pools could be set up handing out the appropriate DNS forwarder address to the appropriate clients.
Firewall rules can enforce this by allowing DNS from each pool to the corresponding DNS forwarder and not elsewhere.

                Otherwise, you could run another DNS Forwarder on some other machine (even just another pfSense in a VM somewhere that does no routing, just provides DNS Forwarding to OpenDNS, with rules on LAN about what can access it.) Then your main pfSense can give out the DNS forwarder addresses to the pools like described above. (and allow the other DNS Forwarder through to OpenDNS…)

                Sounds like a bit of fun to get working.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

AirCooledTiger

                  @phil.davis:

This is very close to what I am trying to accomplish. HOWEVER, what I want to do is have all hosts on the same subnet use pfSense for DNS resolution of the internal networks. Clients in IP range A should use the ISP's DNS for external name resolution and clients in IP range B should use the OpenDNS servers for external name resolution.

                  Any ideas on how to accomplish that?

If you use just 1 DNS Forwarder to do this, and it is caching normally, then a client that requests a name via the ISP will also have that name cached in the DNS Forwarder. Another client, that is supposed to use OpenDNS, may ask for that name and get it from the DNS Forwarder cache. That would be a loophole for the OpenDNS-required clients to get real answers, when they are (presumably) supposed to be filtered from nasty sites by OpenDNS.
If pfSense had the features, I guess it would be technically possible to make a 2nd virtual IP on LAN and run a 2nd DNS forwarder listening on the virtual IP, port 53. One DNS forwarder forwards to the ISP, the other to OpenDNS. Both have the same domain overrides and/or host overrides to provide internal names.
Then DHCP pools could be set up handing out the appropriate DNS forwarder address to the appropriate clients.
Firewall rules can enforce this by allowing DNS from each pool to the corresponding DNS forwarder and not elsewhere.

                  Otherwise, you could run another DNS Forwarder on some other machine (even just another pfSense in a VM somewhere that does no routing, just provides DNS Forwarding to OpenDNS, with rules on LAN about what can access it.) Then your main pfSense can give out the DNS forwarder addresses to the pools like described above. (and allow the other DNS Forwarder through to OpenDNS…)

                  Sounds like a bit of fun to get working.

                  Good points.  After thinking about this some more, I am considering upgrading to pfSense 2.1 so I can assign different DNS servers for the different clients using DHCP static mappings.

Unrestricted users will get assigned the pfSense resolver. Restricted users will get DNS assigned from a 2nd server, on which I will set up BIND on a Linux host. The intended configuration will send requests for the internal network to the pfSense resolver and forward all other queries to OpenDNS. In addition, I will need to create a firewall rule to deny DNS queries from the restricted clients to port 53 outbound, to prevent overriding the DNS. I'd also need to block the internal restricted hosts from reaching the pfSense resolver directly from the internal LAN.

                  I will also use the DDNS feature to keep my WAN IP updated with my OpenDNS account.

                  Does anyone see any flaws in that logic?

kejianshi

Sounds good, although I doubt the OpenDNS guys would like to think of themselves as being "inflicted" on hosts.
I've been thinking of doing something like this myself so that I don't "NEED" Dansguardian on most installs.
                    I like to keep firewalls as uncomplicated as possible.
                    If I can selectively apply DNS rules to clients and remove a process from my firewall I'm happy.

AirCooledTiger

                      @kejianshi:

Sounds good, although I doubt the OpenDNS guys would like to think of themselves as being "inflicted" on hosts.
I've been thinking of doing something like this myself so that I don't "NEED" Dansguardian on most installs.
                      I like to keep firewalls as uncomplicated as possible.
                      If I can selectively apply DNS rules to clients and remove a process from my firewall I'm happy.

I got this working today. Created a new VM running 2.1-RC0. Imported the config from the old VM. Then I set up another Linux VM as the 2nd DNS server, using BIND in a chroot jail. Two forward zones: one for the internal network domain, which forwards those requests to the pfSense resolver, and another for "." pointing to the OpenDNS servers.

                      I logged into the OpenDNS control panel and set up the content filtering.  Then I set up a new DDNS profile in pfSense to update OpenDNS whenever the WAN IP changes.

                      Finally, I used the DHCP config options in 2.1 to set the 2nd server as the DNS for the hosts I wanted to filter.  I also tweaked the max TTL cache time on the 2nd DNS to 5 min.  That way when I need to whitelist a domain the users don't have to wait long for it to go into effect.

                      Now I just need to set up the firewall rules to prevent back doors and I'm done.

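The two-forwarder design phil.davis sketched, in the form AirCooledTiger reports building it, comes down to a small BIND configuration. The named.conf below is an added example, not the poster's actual file: the LAN addresses, the server's own address and the internal domain name are assumptions for illustration; the OpenDNS resolver addresses are the ones OpenDNS publishes.

```conf
# Added example, not from the thread: BIND named.conf for the "second DNS
# server" that restricted clients are handed by DHCP. Internal names go to
# the pfSense resolver, everything else goes only to OpenDNS.

options {
    directory "/var/named";
    listen-on { 192.168.1.2; };           # assumed: this server's LAN address
    allow-query { 192.168.1.0/24; };      # assumed LAN subnet; nobody else may ask
    allow-recursion { 192.168.1.0/24; };
    recursion yes;

    # Keep cached answers short-lived (5 minutes) so a domain whitelisted
    # in the OpenDNS dashboard starts resolving without a long wait.
    max-cache-ttl 300;
    max-ncache-ttl 300;
};

# Internal names: hand the query to the pfSense forwarder, never to OpenDNS.
zone "home.example" {                     # assumed internal domain
    type forward;
    forward only;
    forwarders { 192.168.1.1; };          # assumed pfSense LAN address
};

# Reverse lookups for the LAN take the same path.
zone "1.168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.1.1; };
};

# Everything else: the filtering resolvers, and nothing but them.
zone "." {
    type forward;
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; };   # published OpenDNS resolvers
};
```

Two details matter for the filtering to hold. `forward only` (rather than `forward first`) means that if OpenDNS does not answer, BIND returns a failure instead of falling back to iterative resolution from the root servers, which would silently bypass the filter. And the "back doors" the poster still has to close are the firewall rules on pfSense: the restricted DHCP pool may reach only 192.168.1.2 on port 53, 192.168.1.2 may reach only the two OpenDNS addresses on port 53, and the restricted pool is blocked from the pfSense forwarder itself, since that forwarder (and its cache) answers unfiltered.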
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.