Enforcing OpenDNS

abasel

The second rule (see attachement) is only meant to allow DNS. However the moment I change the destination port from "*" to 53 (DNS), nothing resolves. Is there some other port that I need opened?

Firewall.PNG_thumb

stephenw10

Hmm, that should work. You will have nothing but DNS though.
How are you testing? What is the exact result?

Steve

rjcrowder

@abasel:

The second rule (see attachement) is only meant to allow DNS. However the moment I change the destination port from "*" to 53 (DNS), nothing resolves. Is there some other port that I need opened?

Not sure I understand what your rule is doing… I create a rule that specifically allows the LAN net outbound to OpenDNS server addresses and port 53 followed by another rule that blocks the LAN net to any address and port 53. Then set OpenDNS as the DNS servers for pfSense.

abasel

I tried that but something was still wrong. Then I remembered that I still need open ports for Radius and the proxy so I added the following (see attachment but no joy).

If I forget the fact that I want to enforce OpenDNS, what are the minimum ports that I need open to enable browsing? I thought it would just be the ones I have listed.

DNS2.PNG_thumb

Derelict

80 (http) and 443 (https) would help.

abasel

Yes.. embarrassing, did not notice that it was only enabled for the Lan..

Ok so the following still does not work if I enable the DNS rules point to the OpenDNS ips and disable the allow all DNS rule just below, nothing browses.

Firewall3.PNG_thumb

stephenw10

It's almost certainly because the clients are using the pfSense DNS forwarder, which is at the LAN address, as assigned to them by the DHCP server.
You can either:
Change the DNS servers being sent to the clients in the DHCP server section to the OpenDNS IPs.
Or just add the OpenDNS IPs to the pfSense general setup and allow the clients to use the forwarder (which will then be using OpneDNS).

Steve

abasel

Or just add the OpenDNS IPs to the pfSense general setup

I have always had the DNS setup to use OpenDNS, the part I am a little vague with is

and allow the clients to use the forwarder (which will then be using OpneDNS).

What do you mean but this/how is this done?

DNSSettings.PNG_thumb

Derelict

If you setup firewall rules on LAN to permit UDP/TCP to LAN address port 53, then set your pfSense to use OpenDNS servers then your LAN clients will not be able to use anything but pfSense to resolve names and pfSense will go to OpenDNS for anything it doesn't already know about.

Something like the attachments…

The DNS Servers are set in System->General Setup.

You enable the DNS forwarder in Services->DNS Forwarder

Then you restrict your clients to only the LAN address for DNS and only allow HTTP/HTTPS.

This is going to break all kinds of things but if you only want people to use OpenDNS for DNS and browse the web, this is how to do it.

![Screen Shot 2014-08-22 at 11.22.00 PM.png](/public/imported_attachments/1/Screen Shot 2014-08-22 at 11.22.00 PM.png)
![Screen Shot 2014-08-22 at 11.22.00 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2014-08-22 at 11.22.00 PM.png_thumb)
![Screen Shot 2014-08-22 at 11.29.34 PM.png](/public/imported_attachments/1/Screen Shot 2014-08-22 at 11.29.34 PM.png)
![Screen Shot 2014-08-22 at 11.29.34 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2014-08-22 at 11.29.34 PM.png_thumb)