Different DNS for different users



  • Hello everybody! I'm having this problem:

    In a small domain I have a PFSense as firewall, 12 computers and a W2008 R2 server working as DC, FS, DNS.
    The owner of the company wants to restrict the network for all the employees but not for him and the co-owners. So I decided to use OpenDNS.
    I could configure it and make it work. If I want a free computer I use as DNS the W2008 server IP, which forwards to the internet provider's DNS IPs, and if I want a restricted computer I use the OpenDNS DNS servers.

    The problem is that if I configure OpenDNS as primary and secondary in the client PCs, the computer can't resolve the local names.

    Is there any way to make different users use different DNS forwarders?
    I believe that it would be possible using the PFSense as DNS server instead of the W2008 server, but I don't know how to configure the different DNS forwarders.

    Sorry for my bad English, I hope you can help me.
    Thanks!


  • Banned

    Uhm… this is just broken, as you have already noticed.

    1/ Your AD-joined computers must point to AD-integrated DNS servers.
    2/ You configure forwarders on those AD DNS servers.

    Configuring Windows servers is rather off-topic here.



  • You could make a DNS that ONLY resolves local addresses. Use that everywhere as primary. Then also include OpenDNS as secondary for the ones you want blocked more, and use Google DNS 8.8.8.8 as secondary for the ones you want to be able to see everything.

    Logically it seems it could work, but I've never tried such a thing.



  • There is no proper solution since all domain joined computers must use AD integrated DNS servers as their only DNS servers. You can set the forwarders on the AD DNS server to OpenDNS and in the firewall block all outgoing DNS from everyone except the AD DNS server to OpenDNS servers.

    You could then use PPPoE or a VPN to dial into pfSense from the LAN for unrestricted access. The PPPoE server on pfSense connection should be configured to use pfSense as the DNS server and in the pfSense DNS Forwarder forward queries for your domain to the AD integrated DNS server.
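    The firewall half of this advice, written out as an added illustration in plain pf syntax (not text from this thread, and not the ruleset pfSense generates from its GUI, where the equivalent is two LAN rules in this order). It assumes the LAN interface is em1, the DC running AD-integrated DNS is 192.168.1.10 and the AD domain is corp.local; 208.67.222.222 and 208.67.220.220 are OpenDNS's published resolver addresses.

```pf
# Assumptions (constructed for this illustration, not from the thread):
#   em1          = LAN interface
#   192.168.1.10 = the W2008 R2 DC running AD-integrated DNS
#   corp.local   = the AD domain name
lan_if  = "em1"
ad_dns  = "192.168.1.10"
opendns = "{ 208.67.222.222, 208.67.220.220 }"

# 1. Only the AD DNS server may talk to OpenDNS on port 53 (its forwarders).
pass in quick on $lan_if proto { tcp, udp } from $ad_dns to $opendns port domain

# 2. Every other DNS packet leaving the LAN is dropped and logged, so a client
#    that points itself directly at a public resolver simply gets no answer.
block drop in quick log on $lan_if proto { tcp, udp } from any to any port domain

# After loading, confirm the two rules are present in this order:
#   pfctl -sr | grep domain
#
# For the VPN/PPPoE clients that use pfSense itself as resolver, the thread's
# last step is a Domain Override in the pfSense DNS Forwarder, i.e. the dnsmasq
# equivalent of:  server=/corp.local/192.168.1.10
#
# Scope: these rules only cover classic DNS on port 53. Any other permitted
# egress is outside them, which is the caveat raised later in this thread.
```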


  • Banned

    @KurianOfBorg:

    There is no proper solution since all domain joined computers must use AD integrated DNS servers as their only DNS servers. You can set the forwarders on the AD DNS server to OpenDNS and in the firewall block all outgoing DNS from everyone except the AD DNS server to OpenDNS servers.

    Well, nothing prevents you from setting up multiple DHCP pools passing different DNS server options to clients, and having multiple AD-integrated DNS servers, one set pointing to OpenDNS, others to ISP's DNS servers as forwarders. However, configuring such things is really off-topic here.



  • The whole thing is pretty much moot since if any kind of packets are allowed to remote addresses on the Internet, you can tunnel through.



  • Thanks everybody for the answers.

    @doktornotor:

    @KurianOfBorg:

    There is no proper solution since all domain joined computers must use AD integrated DNS servers as their only DNS servers. You can set the forwarders on the AD DNS server to OpenDNS and in the firewall block all outgoing DNS from everyone except the AD DNS server to OpenDNS servers.

    Well, nothing prevents you from setting up multiple DHCP pools passing different DNS server options to clients, and having multiple AD-integrated DNS servers, one set pointing to OpenDNS, others to ISP's DNS servers as forwarders. However, configuring such things is really off-topic here.

    Which will be the correct topic to ask that, or is that out from PFSense?


  • Banned

    @thekingarthas:

    Which will be the correct topic to ask that, or is that out from PFSense?

    Well, configuring Windows DHCP servers sounds really like "out from PFSense"  ;)



  • Sorry, I understood that the configuration was for the PFSense.

    Thanks all of you for your answers, I will try something I found and later post it here.



  • Hope it works  ;D

