Use two different DNS servers for different kinds of users



  • Hello, I'm a pfSense newbie,
    I'm setting up my pfsense box to manage my company network.

    One of the requests is to filter users' web content. In the past I used DansGuardian, but it is quite slow and demanding.
    We are trying to use the OpenDNS service, which is working fine and is fast.

    The problem is that we have users who should be filtered and other users who should be unfiltered.

    We set the DNS Forwarder to resolve local hosts from the DHCP leases or host overrides.
    For security reasons, we blocked DNS queries from the LAN to external DNS servers other than OpenDNS in the firewall.
    We set up an alias for the unblocked group and wanted to set up a firewall rule that forwards that group's DNS queries to the WAN to an alternative DNS address.

    We are not able to set up rules to do this trick.

    Can you help us or give us some tips on other methods?

    Many thanks from Tuscany.

    Ciao



  • I will assume that most users are to be filtered, and the unfiltered ones are a smaller number. You could:
    a) Set up the OpenDNS servers in pfSense generally, as you have already done, to send DNS to OpenDNS, and have block rules preventing users from reaching other DNS servers.
    b) Add static-mapped IP addresses in DHCP for the unfiltered users. Put them in a nice sub-range of your LAN (e.g. LAN 10.20.0.0/16 - and put all unfiltered in 10.20.254.0/16).
    c) Make an Alias for that range of static-mapped LAN IPs (e.g. call it "UnfilteredLANips")
    d) Make an Alias for the DNS servers you want to allow for unfiltered DNS (e.g. call it "UnfilteredDNSips")
    e) On those static mapped entries, specify the unfiltered DNS servers (e.g. 8.8.8.8 and 8.8.4.4)
    f) Add a firewall rule, pass protocol TCP+UDP, source UnfilteredLANips, destination UnfilteredDNSips, port 53 (DNS)

    Of course, smart users who know and have admin access on their device can set their IP in the UnfilteredLANips range - but I think that applies to all the solutions. Even if you make a solution that is really MAC-address-based, people can spoof their MAC address.

    The unfortunate part of this implementation is that you have to repeat pasting the same DNS server IPs into every static mapping entry.
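The LAN rule set the answer describes, written out by hand in pf syntax (the language pfSense compiles its GUI rules into) so that the rule order is explicit. This is an added illustration, not the poster's configuration or pfSense's generated ruleset; the interface name em1, the 10.20.254.0/24 slice for unfiltered hosts, and OpenDNS's published resolver addresses are assumptions made here.

```pf
# Assumed LAN interface and aliases (pfSense turns GUI aliases into pf tables)
lan = "em1"
table <UnfilteredLANips> { 10.20.254.0/24 }          # static DHCP mappings of unfiltered users
table <UnfilteredDNSips> { 8.8.8.8, 8.8.4.4 }        # resolvers those users are handed by DHCP
table <OpenDNS> { 208.67.222.222, 208.67.220.220 }   # filtering resolvers used by everyone else

# pfSense adds "quick" to every LAN rule, so the FIRST match wins:
# the pass for the unfiltered group must sit above the catch-all block.

# 1. Unfiltered hosts may reach only the alternative resolvers, not any DNS server.
pass in quick on $lan proto { tcp, udp } from <UnfilteredLANips> to <UnfilteredDNSips> port 53

# 2. Every LAN host may use the pfSense DNS Forwarder (which itself forwards to OpenDNS).
pass in quick on $lan proto { tcp, udp } from $lan:network to ($lan) port 53

# 3. Filtered hosts may also talk to OpenDNS directly.
pass in quick on $lan proto { tcp, udp } from $lan:network to <OpenDNS> port 53

# 4. Any other DNS traffic from the LAN is dropped and logged; the log shows
#    which filtered host tried to bypass OpenDNS (and an unfiltered host that
#    picked a resolver outside UnfilteredDNSips).
block in log quick on $lan proto { tcp, udp } from any to any port 53
```

Rules 2 and 3 only restate the existing setup from the question; rule 1 placed above rule 4 is the part the original poster could not get working, and the log on rule 4 is what tells you when a static mapping or alias entry is missing.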