Route DNS for one client to specific DNS server



  • I am running pfSense 2.1 on my LAN. I have a device on the network that I'd like to be able to swap the DNS server for at will using pfSense. If I use DNS forwarding is there any way to get pfSense to detect that a specific device is requesting a DNS lookup and route it to a specific DNS server?

    If I only wanted that device to always use a single DNS server I could just set it up that way and avoid using pfSense DNS forwarding, but the device in question is difficult to set the DNS server for, and it is important that I be able to swap out the DNS server used at will FROM ANOTHER DEVICE ON THE NETWORK.

    I'm not sure I have done a good job of explaining what I am trying to do, but does anybody know if anything like this is possible with pfSense?


  • Rebel Alliance Global Moderator

Why does it need to do this?  Why can you not just set up a domain forward that if looking at domainx.tld go ask nameserver 1.2.3.4?



  • Because I only want that single device to be affected. When I set up a domain override it works, but then every device on the network will use that DNS server for the specified domain. What I need is a domain override that only affects specified devices on the LAN.

    @johnpoz:

Why does it need to do this?  Why can you not just set up a domain forward that if looking at domainx.tld go ask nameserver 1.2.3.4?


  • Rebel Alliance Global Moderator

Still not understanding the reason?  If domain X should be resolved using nameserver Y because the normal default nameservers do not resolve it, what does it matter if machines x, y, z use it?  I don't understand what you're trying to prevent or block.

    But let's say you have xyzdomain that resolves via nameserver ns.abc.tld, IP address 1.2.3.4, that you put in an override for.  But you only want machine efg to be able to resolve it. Then put in a firewall rule that says only machine efg's IP address can go to ns.abc.tld at IP address 1.2.3.4.

    But I'd love to understand why you think this is required in the first place.

    If machine abc needs to use the specific nameserver, why can machines x, y and z not use it too?



  • Not sure why the reason makes any difference to coming up with a solution, but here's the scenario:

    Among many other devices on my home network I have several that can connect to NetFlix.

    • Samsung Smart TV

    • WD TV Live box

    • Several iPhone and BlackBerry 10 smartphones

I am using a locale unblocker that lets me connect to NetFlix USA rather than the Canadian site I normally get. I want to be able to switch back and forth between NetFlix Canada and USA at will since each has content not available on the other, but both the Samsung TV and WD TV Live make it hard and time-consuming to change the DNS to use the unblocker or ISP DNS servers, and doing so on the smartphones is nearly impossible (although it is easier on a rooted Android device). For these reasons it is much easier to set up pfSense with domain overrides for netflix.com and netflix.net. This way any device connecting to NetFlix via pfSense domain forwarding will get the USA version instead of the Canadian one.

    The problem is that if someone wants to watch a US show on the Samsung, and a Canadian one on the WD TV Live or a smartphone, you can't since domain overrides affect ALL clients using DNS forwarding, so all NetFlix clients on the network will see the USA site, or all will see the Canadian site.

    What I want is to be able to have one set of domain overrides that only affect the Samsung, and another that only affects the WD TV Live, and a third that applies to all the rest of the devices that might connect to the LAN. That way I can enable or disable each override pair as needed to switch between US and Canadian NetFlix on a per-device basis.

    Clear now?



  • It isn't exactly easy to switch back and forth quickly still though? I use a VPS VPN to do this on my PC and phone.


  • Rebel Alliance Global Moderator

    "Not sure why the reason makes any difference to coming up with a solution, but here's the scenario:"

The reason is more about fully understanding what your goal is vs. just what you believe is the solution, so that you can attack the problem from other points of view.  Understanding the actual "reason" for what you're trying to accomplish gives everyone more understanding of the problem, to maybe point out that it's just the wrong way to accomplish the goal, etc.

    So now that I understand your problem, I would say the way to do it would be an actual forward/NAT where you have the source IP and direct their DNS query, no matter where it's going, to where you want.  You could have rules for all your devices, different rules pointing them to whatever DNS you want, and then just enable/disable the rules as needed.

    example - see attached

    This way it does not matter what the device gets from DHCP, does not matter what domain they are looking for, you point their DNS wherever you want.  The only thing that might be a problem is local cache on the device, etc.  But a reboot/clear might be easier than changing their DNS on the device, etc.




There is going to be an inherently difficult issue with using a single caching DNS forwarder/resolver to do this. I can imagine real situations like this in a multi-office complex with shared internet.
    Company1 on LAN1 wants to use OpenDNS servers, because they are doing some name-content filtering for Company1
    Company2 on LAN2 wants to use DynDNS servers, because they are doing some different name-content filtering for Company2
    Company3 on LAN3 wants to use Google servers, they don't want any filtering…

    The trouble is that the DNS forwarder would have to keep track of which names in its cache had been resolved for which group (LAN subnet) of clients, as well as making upstream requests to the right name server based on the requesting client. There is just nothing like this in dnsmasq.

    You could allocate them static IPs in DHCP and with each of those give directly the outside DNS servers you want them to use. Then you can change that entry in DHCP server, and then disconnect/reconnect the device, so it changes its DNS servers.



  • and it will be nice when these content providers get with the modern world - the internet is everywhere, content should no longer be licensed by country/region/continent… If someone provides free content, then provide it to the world. If it is paid content, then allow the person who has paid (has a password/authentication token...) to access the content from anywhere in the world.
    This is just so silly having people signing up for VPN connections to/from all combinations of countries just so they can appear to come from some other country and thus get access to the content they want!!!



  • I use a VPN to access BBC iPlayer content from my PCs, but this is not possible from my Samsung TV or WD TV Live unit. I could do it with pfSense, but then again I run into the problem of every device on the LAN being routed through the VPN when I only want one to be.

    @bryan.paradis:

    It isn't exactly easy to switch back and forth quickly still though? I use a VPS VPN to do this on my PC and phone.


  • Rebel Alliance Global Moderator

    If pfsense makes the vpn connection, just use policy based routing to route your different devices either down the vpn or out your normal connection.



  • I actually considered routing all DNS from the desired devices to the DNS server of my choice but this would introduce a new problem. When you use a DNS unblocker service you are taking a gamble the provider won't play fast and loose with your lookup requests. If all DNS requests go through the unblocker then you are open to malicious behaviour. Using pfSense domain overrides prevents this since the unblocker DNS is only used for the specified domains. When you connect to your online banking site, for instance, you use your regular DNS, which is much safer. For this reason forwarding all DNS from a specified source IP address is risky.

    What I really would like is to be able to specify domain overrides that are tied to specific source IP addresses. I tried using the "Source IP" field when setting up the domain overrides (I know it is not designed for this but I thought it might work), but pfSense won't let me enter a local IP address.

    @johnpoz:

    "Not sure why the reason makes any difference to coming up with a solution, but here's the scenario:"

The reason is more about fully understanding what your goal is vs. just what you believe is the solution, so that you can attack the problem from other points of view.  Understanding the actual "reason" for what you're trying to accomplish gives everyone more understanding of the problem, to maybe point out that it's just the wrong way to accomplish the goal, etc.

    So now that I understand your problem, I would say the way to do it would be an actual forward/NAT where you have the source IP and direct their DNS query, no matter where it's going, to where you want.  You could have rules for all your devices, different rules pointing them to whatever DNS you want, and then just enable/disable the rules as needed.

    example - see attached

    This way it does not matter what the device gets from DHCP, does not matter what domain they are looking for, you point their DNS wherever you want.  The only thing that might be a problem is local cache on the device, etc.  But a reboot/clear might be easier than changing their DNS on the device, etc.



  • Interesting thought, not sure how to do this with pfSense though. I have OpenVPN set up for incoming connections to my LAN and I have a client set up on my laptop to connect to it, but I've never done outgoing connections from pfSense, nor set up policies like you suggest.

    @johnpoz:

    If pfsense makes the vpn connection, just use policy based routing to route your different devices either down the vpn or out your normal connection.



Agreed, but I think part of it is that different countries/regions have different copyright laws. I'm no fan of Big Content, but in their defence in this particular case releasing media operating under Euro copyright law in the US, for instance, may terminate copyright protection for that content in the US. Even though the impediments can be sidestepped via VPN or unblocker DNS, the fact that the content companies at least show the effort to prevent unauthorized consumption of media licensed for another market allows them to maintain copyright protections in all regions.

    Still… very annoying for sure.

    @phil.davis:

    and it will be nice when these content providers get with the modern world - the internet is everywhere, content should no longer be licensed by country/region/continent… If someone provides free content, then provide it to the world. If it is paid content, then allow the person who has paid (has a password/authentication token...) to access the content from anywhere in the world.
    This is just so silly having people signing up for VPN connections to/from all combinations of countries just so they can appear to come from some other country and thus get access to the content they want!!!



  • @Slartibartfast:

    I use a VPN to access BBC iPlayer content from my PCs, but this is not possible from my Samsung TV or WD TV Live unit. I could do it with pfSense, but then again I run into the problem of every device on the LAN being routed through the VPN when I only want one to be.

    @bryan.paradis:

    It isn't exactly easy to switch back and forth quickly still though? I use a VPS VPN to do this on my PC and phone.

    If you wanted quick and simple for others to change as well you could do something like run a switch off one interface with a second dnsmasq process that shoves all traffic to the other dns. just replug cables to switch haha



  • Both your issues, 1) having a VPN for getting content from other regions affecting general browsing, and 2) fearing that the site-wide change of DNS opens you up to security issues, inspired me to find a better solution. Turns out, they can both be solved using a feature in dnsmasq not readily exposed in the pfSense UI. By using the field Services | DNS Forwarder | Advanced and specifying for example

    server=/netflix.com/208.122.23.23
    server=/netflix.net/208.122.23.23
    

then only requests for *.netflix.com/net go to the "rogue" DNS provider (the example shows the IP of the DNS for unblock-us.com).

    See http://www.gundersen.net/american-netflix-on-ipad-and-chromecast-without-vpn-using-pfsense/ for more thorough details.



  • And I think that should work by putting those in Domain Overrides - it makes essentially the same "server=" command parameter to dnsmasq in the code underneath.



  • While the dnsmasq startup log gives the same message (using nameserver xxxx for domain yyyy.com) for both alternatives (server=/… in advanced, and using domain override), the documentation does not mention any wildcard functionality and seems to indicate that domain override is for the specific domain only. It would be great to be able to clarify this in the docs. How can we see exactly what startup parameters the domain override adds to dnsmasq?



  • The dnsmasq parameters are all put on the command line, no conf file is written. I guess it would be nicer to write a conf file and use that? But someone has to care enough to code it :)
    The whole command can be seen with:

    ps auxww | grep dns
    

    The GUI has this explanation text:

    Entries in this area override an entire domain by specifying an authoritative DNS server to be queried for that domain

    It actually means that requests for any names inside this domain (i.e. host names in the domain and any subdomain) are sent to the specified DNS server.
    Suggest some improved words to go here and there would be no problem changing that text.
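The following is an added illustration, not code from pfSense or dnsmasq, that models the two behaviours argued over in this thread: a `server=/domain/ip` override (which matches the domain and every name below it, with the most specific domain winning, and applies to every client) versus a per-client NAT redirect of all port-53 traffic (which applies to every name, including the banking lookups the earlier post worried about). It also parses the `--server=` arguments out of a constructed stand-in for the `ps auxww | grep dns` output. The ISP resolver 192.0.2.53, the TV address 192.168.1.50 and the ps line are assumptions for the example.

```python
"""Model of where a DNS query ends up under the two approaches discussed in
this thread: a dnsmasq domain override (server=/domain/ip) versus a pf NAT
redirect of all port-53 traffic from one client.  Added illustration, not
pfSense or dnsmasq code."""
import shlex

DEFAULT_UPSTREAM = "192.0.2.53"   # assumed ISP resolver (documentation address)
UNBLOCKER = "208.122.23.23"       # the unblock-us.com address quoted in the thread

# Constructed stand-in for the dnsmasq line of `ps auxww | grep dns` on
# pfSense 2.1, which passed everything on the command line.
PS_LINE = (
    "root 1234 0.0 0.3 12345 6789 ?? Ss 1:23PM 0:00.10 /usr/local/sbin/dnsmasq "
    "--all-servers --rebind-localhost-ok --stop-dns-rebind "
    "--server=/netflix.com/208.122.23.23 --server=/netflix.net/208.122.23.23 "
    "--dns-forward-max=5000 --cache-size=10000 --local-ttl=1"
)


def parse_dnsmasq_servers(ps_line):
    """Extract [(domain, server)] from every --server=/domain/ip argument."""
    overrides = []
    for arg in shlex.split(ps_line):
        if arg.startswith("--server=/"):
            _, domain, server = arg[len("--server="):].split("/", 2)
            overrides.append((domain.lower().rstrip("."), server))
    return overrides


def pick_upstream(qname, overrides, default=DEFAULT_UPSTREAM):
    """dnsmasq semantics: server=/domain/ matches the domain itself and every
    name below it (the implicit wildcard), and the most specific matching
    domain wins.  Matching is on label boundaries, so notnetflix.com does
    not match netflix.com."""
    name = qname.rstrip(".").lower()
    best = None
    for domain, server in overrides:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, server)
    return best[1] if best else default


# Constructed per-client redirect table, in the spirit of the NAT/port-forward
# suggestion: pf rewrites the destination of ALL port-53 traffic from these
# clients before dnsmasq ever sees it.
NAT_REDIRECT = {"192.168.1.50": UNBLOCKER}   # assumed address of the Samsung TV


def upstream_for_query(src_ip, qname, overrides, nat=NAT_REDIRECT):
    """Which resolver finally answers qname for src_ip?  A NAT redirect wins
    regardless of the name queried; otherwise the domain override decides,
    regardless of which client asked."""
    if src_ip in nat:
        return nat[src_ip]
    return pick_upstream(qname, overrides)


if __name__ == "__main__":
    ov = parse_dnsmasq_servers(PS_LINE)
    for src, q in [("192.168.1.50", "www.mybank.example"),
                   ("192.168.1.60", "www.mybank.example"),
                   ("192.168.1.60", "www.netflix.com")]:
        print(f"{src:14} {q:22} -> {upstream_for_query(src, q, ov)}")
```

Running it shows the trade-off in one table: the NAT-redirected client sends its bank lookup to the unblocker, while the override-only client keeps the bank lookup on the ISP resolver but, like every other client on the LAN, has its netflix.com lookups overridden.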



You are absolutely right, the --server= entries are exactly the same. How would I go about getting the docs and label in pfSense clarified? Post a bug report?

    1. Docs: https://doc.pfsense.org/index.php/DNS_Forwarder

    New paragraph just before "On pfSense 2.1, Host Overrides work for both IPv4 and IPv6 addresses." (using myspace.com as example since this page already uses this domain for another example)

    "Domain overrides have an implicit wildcard before the domain. An entry for myspace.com will also override all subdomains of myspace.com."

2. GUI: http://10.0.0.1/services_dnsmasq.php

    Change label "Entries in this area override an entire domain by specifying an authoritative DNS server to be queried for that domain." to "Entries in this area override an entire domain, and subdomains, by specifying an authoritative DNS server to be queried for that domain."

    I have also updated my blog post http://www.gundersen.net/american-netflix-on-ipad-and-chromecast-without-vpn-using-pfsense/



If you are happy to start learning how to contribute minor code changes, then make an account on https://github.com/pfsense
    On GitHub, drill down to /usr/local/www/services_dnsmasq.php
    Click on Edit; it makes a fork/branch for you.
    Make the change to the file, put in a subject and comments and "Commit".
    Press the button to make a Pull Request.
    It will be reviewed by the devs, and hopefully accepted; your minor enhancement to the explanation seems a reasonable thing to me.



  • Thanks, I've done so for the code part, but what about the docs?