Netgate Discussion Forum

    Enforcing OpenDNS

    Hardware
    9 Posts 4 Posters 2.1k Views

    • abasel

      The second rule (see attachment) is only meant to allow DNS. However, the moment I change the destination port from "*" to 53 (DNS), nothing resolves. Is there some other port that I need opened?
      Attachment: Firewall.PNG

      • stephenw10 (Netgate Administrator)

        Hmm, that should work. You will have nothing but DNS though.
        How are you testing? What is the exact result?

        Steve

        • rjcrowder

          @abasel:

          The second rule (see attachment) is only meant to allow DNS. However, the moment I change the destination port from "*" to 53 (DNS), nothing resolves. Is there some other port that I need opened?

          Not sure I understand what your rule is doing… I create a rule that specifically allows the LAN net outbound to OpenDNS server addresses and port 53 followed by another rule that blocks the LAN net to any address and port 53. Then set OpenDNS as the DNS servers for pfSense.

          • abasel

            I tried that, but something was still wrong. Then I remembered that I still need open ports for RADIUS and the proxy, so I added the following (see attachment), but no joy.

            If I forget the fact that I want to enforce OpenDNS, what are the minimum ports that I need open to enable browsing? I thought it would just be the ones I have listed.

            Attachment: DNS2.PNG

            • Derelict (LAYER 8 Netgate)

              80 (http) and 443 (https) would help.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • abasel

                Yes... embarrassing, I did not notice that it was only enabled for the LAN.

                OK, so the following still does not work: if I enable the DNS rules pointing to the OpenDNS IPs and disable the allow-all DNS rule just below, nothing browses.

                Attachment: Firewall3.PNG

                • stephenw10 (Netgate Administrator)

                  It's almost certainly because the clients are using the pfSense DNS forwarder, which is at the LAN address, as assigned to them by the DHCP server.
                  You can either:
                  Change the DNS servers being sent to the clients in the DHCP server section to the OpenDNS IPs.
                  Or just add the OpenDNS IPs to the pfSense general setup and allow the clients to use the forwarder (which will then be using OpenDNS).

                  Steve

                  • abasel

                    Or just add the OpenDNS IPs to the pfSense general setup

                    I have always had the DNS set up to use OpenDNS; the part I am a little vague on is

                    and allow the clients to use the forwarder (which will then be using OpenDNS).

                    What do you mean by this / how is this done?

                    Attachment: DNSSettings.PNG

                    • Derelict (LAYER 8 Netgate)

                      If you set up firewall rules on LAN to permit UDP/TCP to LAN address port 53, then set your pfSense to use OpenDNS servers, then your LAN clients will not be able to use anything but pfSense to resolve names, and pfSense will go to OpenDNS for anything it doesn't already know about.

                      Something like the attachments…

                      The DNS Servers are set in System->General Setup.

                      You enable the DNS forwarder in Services->DNS Forwarder

                      Then you restrict your clients to only the LAN address for DNS and only allow HTTP/HTTPS.

                      This is going to break all kinds of things but if you only want people to use OpenDNS for DNS and browse the web, this is how to do it.

                      ![Screen Shot 2014-08-22 at 11.22.00 PM.png](/public/imported_attachments/1/Screen Shot 2014-08-22 at 11.22.00 PM.png)
                      ![Screen Shot 2014-08-22 at 11.29.34 PM.png](/public/imported_attachments/1/Screen Shot 2014-08-22 at 11.29.34 PM.png)

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)
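As an added example (not code from the thread, nor from pfSense itself), the following first-match rule evaluator mirrors how pfSense walks LAN rules top to bottom, and shows why the rule set that only passes port 53 to the OpenDNS IPs blocks clients that DHCP has pointed at the LAN-address forwarder, while the rule set in the post above lets them resolve. Every address is constructed: 192.168.1.1 stands in for the pfSense LAN address, 192.168.1.50 for a client, and the 198.51.100.x addresses are placeholders for the OpenDNS resolver IPs.

```python
"""Constructed first-match evaluator for the LAN rule sets discussed in the thread.
Addresses are placeholders, not real OpenDNS or production IPs."""
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")          # "LAN net" in the pfSense rule source
LAN_ADDR = "192.168.1.1"                        # "LAN address", where the DNS forwarder listens
OPENDNS = {"198.51.100.53", "198.51.100.54"}    # placeholders for the OpenDNS resolver IPs

def match(rule, pkt):
    """True when every field of the rule matches the packet ("any" is a wildcard)."""
    proto_ok = rule["proto"] == "any" or pkt["proto"] in rule["proto"]
    src_ok = ip_address(pkt["src"]) in LAN_NET   # all rules here use source "LAN net"
    dst = rule["dst"]
    dst_ok = dst == "any" or pkt["dst"] in (dst if isinstance(dst, set) else {dst})
    port_ok = rule["dport"] == "any" or pkt["dport"] in rule["dport"]
    return proto_ok and src_ok and dst_ok and port_ok

def evaluate(rules, pkt):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in rules:
        if match(rule, pkt):
            return rule["action"]
    return "block"

# Earlier attempt in the thread: pass 53 only to the OpenDNS IPs, then block 53 to anything.
# Clients handed the LAN address by DHCP send their queries there, so they hit the block.
BROKEN_RULES = [
    {"action": "pass", "proto": {"udp", "tcp"}, "dst": OPENDNS, "dport": {53}},
    {"action": "block", "proto": {"udp", "tcp"}, "dst": "any", "dport": {53}},
    {"action": "pass", "proto": {"tcp"}, "dst": "any", "dport": {80, 443}},
]
# Derelict's answer: clients may only talk DNS to the LAN address (the forwarder),
# plus HTTP/HTTPS anywhere; everything else, including DNS to outside resolvers, is denied.
FIXED_RULES = [
    {"action": "pass", "proto": {"udp", "tcp"}, "dst": LAN_ADDR, "dport": {53}},
    {"action": "pass", "proto": {"tcp"}, "dst": "any", "dport": {80, 443}},
]

def dns_query(dst):
    """A constructed UDP/53 query from a LAN client to the given resolver address."""
    return {"proto": "udp", "src": "192.168.1.50", "dst": dst, "dport": 53}

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, "query to forwarder:", evaluate(rules, dns_query(LAN_ADDR)))
        print(name, "query to outside resolver:", evaluate(rules, dns_query("203.0.113.9")))
```

Run it and the "broken" set blocks the query to the forwarder, which is exactly the "nothing browses" symptom reported above, while the "fixed" set passes it and still denies DNS to any outside resolver.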
