Route DNS for one client to specific DNS server
-
Interesting thought, not sure how to do this with pfSense though. I have OpenVPN set up for incoming connections to my LAN and I have a client set up on my laptop to connect to it, but I've never done outgoing connections from pfSense, nor set up policies like you suggest.
If pfsense makes the vpn connection, just use policy based routing to route your different devices either down the vpn or out your normal connection.
-
Agreed, but I think part of it is that different countries/regions have different copyright laws. I'm no fan of Big Content, but in their defence in this particular case releasing media operating under Euro copyright law in the US, for instance, may terminate copyright protection for that content in the US. Even though the impediments can be sidestepped via VPN or unblocker DNS, the fact that the content companies at least show the effort to prevent unauthorized consumption of media licensed for another market allows them to maintain copyright protections in all regions.
Still… very annoying for sure.
And it will be nice when these content providers get with the modern world - the internet is everywhere, content should no longer be licensed by country/region/continent… If someone provides free content, then provide it to the world. If it is paid content, then allow the person who has paid (has a password/authentication token...) to access the content from anywhere in the world.
This is just so silly having people signing up for VPN connections to/from all combinations of countries just so they can appear to come from some other country and thus get access to the content they want!!!
-
I use a VPN to access BBC iPlayer content from my PCs, but this is not possible from my Samsung TV or WD TV Live unit. I could do it with pfSense, but then again I run into the problem of every device on the LAN being routed through the VPN when I only want one to be.
It isn't exactly easy to switch back and forth quickly still though? I use a VPS VPN to do this on my PC and phone.
If you wanted quick and simple for others to change as well, you could do something like run a switch off one interface with a second dnsmasq process that shoves all traffic to the other DNS. Just replug cables to switch, haha.
-
Both your issues, 1) having a VPN for getting content from other regions affecting general browsing, and 2) fearing that the site-wide change of DNS opens you up to security issues, inspired me to find a better solution. Turns out, they can both be solved using a feature in dnsmasq not readily exposed in the pfSense UI. By using the field Services | DNS Forwarder | Advanced and specifying for example
server=/netflix.com/208.122.23.23
server=/netflix.net/208.122.23.23
then only requests for *.netflix.com/net go to the "rogue" DNS provider (the example shows the IP of the DNS for unblock-us.com).
See http://www.gundersen.net/american-netflix-on-ipad-and-chromecast-without-vpn-using-pfsense/ for more thorough details.
-
And I think that should work by putting those in Domain Overrides - it makes essentially the same "server=" command parameter to dnsmasq in the code underneath.
-
While the dnsmasq startup log gives the same message (using nameserver xxxx for domain yyyy.com) for both alternatives (server=/… in advanced, and using domain override), the documentation does not mention any wildcard functionality and seems to indicate that domain override is for the specific domain only. It would be great to be able to clarify this in the docs. How can we see exactly what startup parameters the domain override adds to dnsmasq?
-
The dnsmasq parameters are all put on the command line, no conf file is written. I guess it would be nicer to write a conf file and use that? But someone has to care enough to code it :)
The whole command can be seen with: ps auxww | grep dns
The GUI has this explanation text:
Entries in this area override an entire domain by specifying an authoritative DNS server to be queried for that domain
It actually means that requests for any names inside this domain (i.e. host names in the domain and any subdomain) are sent to the specified DNS server.
Suggest some improved words to go here and there would be no problem changing that text.
-
You are absolutely right, the -server= entries are exactly the same. How would I go about getting the docs and label in pfSense clarified? Post a bug report?
- Docs: https://doc.pfsense.org/index.php/DNS_Forwarder
New paragraph just before "On pfSense 2.1, Host Overrides work for both IPv4 and IPv6 addresses." (using myspace.com as example since this page already uses this domain for another example)
"Domain overrides have an implicit wildcard before the domain. An entry for myspace.com will also override all subdomains of myspace.com."
- GUI: http://10.0.0.1/services_dnsmasq.php
Change label "Entries in this area override an entire domain by specifying an authoritative DNS server to be queried for that domain." to "Entries in this area override an entire domain, and subdomains, by specifying an authoritative DNS server to be queried for that domain."
I have also updated my blog post http://www.gundersen.net/american-netflix-on-ipad-and-chromecast-without-vpn-using-pfsense/
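An added example, not code from this thread or from pfSense/dnsmasq itself: a small Python model of how a query name is matched against the server=/domain/ip lines shown earlier (the Advanced field / Domain Override form) and the implicit subdomain wildcard described in the proposed doc wording. The matching rule (name equals the domain or ends with "." + domain, longest match wins, everything else stays on the normal upstreams) and the 192.0.2.x addresses are assumptions for illustration.

```python
# Constructed example (not pfSense or dnsmasq code). Models which upstream a
# query is sent to when the config contains server=/domain/ip lines, which is
# what a pfSense Domain Override produces. Assumed rule: a name matches an
# entry when it equals the domain or ends with "." + domain; the longest
# matching domain wins; non-matching names go to the default resolvers.
# Only the listed domains ever leave for the override server, so general
# browsing is not exposed to it.

DEFAULT_SERVERS = ["192.0.2.53"]  # constructed placeholder for the normal upstreams

# Constructed config in the format discussed above (unblock-us IP from the thread,
# plus one hypothetical internal override on a documentation address).
CONFIG = """
server=/netflix.com/208.122.23.23
server=/netflix.net/208.122.23.23
server=/corp.example.net/192.0.2.10
"""


def parse_server_lines(text):
    """Return {domain: ip} from 'server=/domain/ip' lines; other lines are ignored."""
    overrides = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("server=/"):
            continue
        _, domain, ip = line[len("server="):].split("/", 2)
        overrides[domain.lower().rstrip(".")] = ip
    return overrides


def upstream_for(qname, overrides, default=DEFAULT_SERVERS):
    """Pick the upstream list for qname: longest override suffix wins, else default."""
    name = qname.lower().rstrip(".")
    best = None
    for domain in overrides:
        # "notnetflix.com" must NOT match "netflix.com": require a label boundary.
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return [overrides[best]] if best else list(default)


def resolve_plan(qnames, text=CONFIG):
    """Map each query name to the upstream it would be forwarded to under the config."""
    overrides = parse_server_lines(text)
    return {q: upstream_for(q, overrides) for q in qnames}
```

Running resolve_plan over a few names shows that netflix.com itself and any host under it go to the override server, while a look-alike such as notnetflix.com stays on the default resolvers.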
-
If you are happy to start learning how to contribute minor code changes, then make an account on https://github.com/pfsense
On GitHub, drill down to /usr/local/www/services_dnsmasq.php
Click on Edit, it makes a fork/branch for you.
Make the change to the file, put subject and comments and Commit.
Press the button to make a Pull Request.
It will be reviewed by the devs, and hopefully accepted - your minor enhancement to the explanation seems a reasonable thing to me.
-
Thanks, I've done so for the code part, but what about the docs?