Enforcing OpenDNS



  • The second rule (see attachment) is only meant to allow DNS. However, the moment I change the destination port from "*" to 53 (DNS), nothing resolves. Is there some other port that I need opened?


  • Netgate Administrator

    Hmm, that should work. You will have nothing but DNS though.
    How are you testing? What is the exact result?

    Steve



  • @abasel:

    > The second rule (see attachment) is only meant to allow DNS. However, the moment I change the destination port from "*" to 53 (DNS), nothing resolves. Is there some other port that I need opened?

    Not sure I understand what your rule is doing… I create a rule that specifically allows the LAN net outbound to OpenDNS server addresses and port 53 followed by another rule that blocks the LAN net to any address and port 53. Then set OpenDNS as the DNS servers for pfSense.



  • I tried that but something was still wrong. Then I remembered that I still need open ports for RADIUS and the proxy, so I added the following (see attachment), but no joy.

    If I forget the fact that I want to enforce OpenDNS, what are the minimum ports that I need open to enable browsing? I thought it would just be the ones I have listed.



  • Netgate

    80 (http) and 443 (https) would help.



  • Yes... embarrassing, did not notice that it was only enabled for the LAN.

    OK, so the following still does not work: if I enable the DNS rules pointing to the OpenDNS IPs and disable the allow-all DNS rule just below, nothing browses.



  • Netgate Administrator

    It's almost certainly because the clients are using the pfSense DNS forwarder, which is at the LAN address, as assigned to them by the DHCP server.
    You can either:
    Change the DNS servers being sent to the clients in the DHCP server section to the OpenDNS IPs.
    Or just add the OpenDNS IPs to the pfSense general setup and allow the clients to use the forwarder (which will then be using OpenDNS).

    Steve



  • > Or just add the OpenDNS IPs to the pfSense general setup

    I have always had the DNS set up to use OpenDNS; the part I am a little vague on is

    > and allow the clients to use the forwarder (which will then be using OpenDNS).

    What do you mean by this / how is this done?



  • Netgate

    If you set up firewall rules on LAN to permit UDP/TCP to the LAN address on port 53, then set your pfSense to use the OpenDNS servers, your LAN clients will not be able to use anything but pfSense to resolve names, and pfSense will go to OpenDNS for anything it doesn't already know about.

    Something like the attachments…

    The DNS Servers are set in System->General Setup.

    You enable the DNS forwarder in Services->DNS Forwarder

    Then you restrict your clients to only the LAN address for DNS and only allow HTTP/HTTPS.

    This is going to break all kinds of things but if you only want people to use OpenDNS for DNS and browse the web, this is how to do it.

    ![Screen Shot 2014-08-22 at 11.22.00 PM.png](/public/imported_attachments/1/Screen Shot 2014-08-22 at 11.22.00 PM.png)
    ![Screen Shot 2014-08-22 at 11.29.34 PM.png](/public/imported_attachments/1/Screen Shot 2014-08-22 at 11.29.34 PM.png)
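To make the point of the two Netgate replies concrete, the following is an added example, not pfSense code and not written by anyone in the thread. It is a small first-match rule evaluator (pfSense interface rules are read top-down, first match wins, with an implicit default deny) that models two LAN rulesets: the one the original poster ended up with, where port 53 is only permitted straight to the OpenDNS resolvers, and the one from the last reply, where port 53 is only permitted to the pfSense LAN address (the DNS forwarder) alongside HTTP/HTTPS. The LAN subnet, LAN address and client address are constructed for the example; the OpenDNS resolver addresses are the public ones. Because DHCP hands clients the LAN address as their resolver, the first ruleset drops every client lookup, which is exactly the "nothing browses" symptom.

```python
# Added example: first-match firewall rule evaluator modelling the LAN rulesets
# discussed in the thread. Not pfSense code; addresses below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")                  # constructed LAN subnet
LAN_ADDRESS = ip_address("192.168.1.1")                 # pfSense LAN address (DNS forwarder)
CLIENT = ip_address("192.168.1.50")                     # constructed LAN client
OPENDNS = [ip_address("208.67.222.222"), ip_address("208.67.220.220")]  # public OpenDNS resolvers
ANY = None                                               # wildcard for src/dst/port


@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    proto: str     # "tcp", "udp", "tcp/udp" or "any"
    src: object    # ip_network or ANY
    dst: object    # ip_address, list of ip_address, or ANY
    dport: object  # int or ANY
    desc: str


@dataclass(frozen=True)
class Flow:
    proto: str
    src: object
    dst: object
    dport: int


def _dst_matches(rule_dst, dst):
    if rule_dst is ANY:
        return True
    if isinstance(rule_dst, list):   # alias-style list of addresses
        return dst in rule_dst
    return dst == rule_dst


def matches(rule, flow):
    proto_ok = rule.proto == "any" or flow.proto in rule.proto.split("/")
    src_ok = rule.src is ANY or flow.src in rule.src
    port_ok = rule.dport is ANY or rule.dport == flow.dport
    return proto_ok and src_ok and port_ok and _dst_matches(rule.dst, flow.dst)


def evaluate(rules, flow):
    """First matching rule decides; anything unmatched hits the implicit default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.desc
    return "block", "implicit default deny"


# Ruleset the original poster described: DNS permitted only directly to OpenDNS.
BROKEN_RULES = [
    Rule("pass", "tcp/udp", LAN_NET, OPENDNS, 53, "LAN net to OpenDNS port 53"),
    Rule("pass", "tcp", LAN_NET, ANY, 80, "LAN net to any HTTP"),
    Rule("pass", "tcp", LAN_NET, ANY, 443, "LAN net to any HTTPS"),
]

# Ruleset from the last reply: clients may only talk DNS to the pfSense forwarder,
# which itself is configured (System->General Setup) to resolve via OpenDNS.
ENFORCED_RULES = [
    Rule("pass", "tcp/udp", LAN_NET, LAN_ADDRESS, 53, "LAN net to LAN address port 53"),
    Rule("pass", "tcp", LAN_NET, ANY, 80, "LAN net to any HTTP"),
    Rule("pass", "tcp", LAN_NET, ANY, 443, "LAN net to any HTTPS"),
    Rule("block", "any", LAN_NET, ANY, ANY, "block everything else"),
]


def client_dns_via_forwarder(rules):
    """Lookup from a DHCP client to the resolver it was handed: the LAN address."""
    return evaluate(rules, Flow("udp", CLIENT, LAN_ADDRESS, 53))[0]


def client_dns_direct(rules, resolver):
    """Client bypassing the forwarder and querying an external resolver directly."""
    return evaluate(rules, Flow("udp", CLIENT, resolver, 53))[0]


def client_web(rules, dport):
    """Client browsing to a constructed external web server."""
    return evaluate(rules, Flow("tcp", CLIENT, ip_address("198.51.100.10"), dport))[0]


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("enforced", ENFORCED_RULES)):
        print(f"{name}: DNS via forwarder -> {client_dns_via_forwarder(rules)}")
        print(f"{name}: DNS direct to OpenDNS -> {client_dns_direct(rules, OPENDNS[0])}")
        print(f"{name}: DNS direct to 8.8.8.8 -> {client_dns_direct(rules, ip_address('8.8.8.8'))}")
        print(f"{name}: HTTPS -> {client_web(rules, 443)}")
```

Running it shows the broken ruleset dropping the client's lookup to the LAN address while the enforced ruleset passes it, blocks DNS to any external resolver (OpenDNS included, since only pfSense itself should reach it), and still passes HTTP/HTTPS. As the last reply says, the trailing block rule will break anything that is not DNS-to-pfSense or web traffic, so other required services (the thread mentions RADIUS and a proxy) need their own pass rules above it.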