How to: use DHCP to distribute IPs and different DNS?



  • Hello,

    I use pfSense as my main DHCP server. It also handles a few fixed IPs for my son's iDevices with specific rules & schedules to limit their access.

    Now, my kids are getting older and I would like to ban some internet access (porn, hack, etc…).
    I was thinking about using "opendns" as the main filter.

    Is there a way to:

    • still distribute the generic internet provider DNS to my wife's pc and mine ... without any limitation
    • distribute the "opendns" dns entry to my kids?

    Tx for your attention ... & help :-)


  • LAYER 8 Netgate

    You can put DNS servers in static entries for the devices you want unrestricted and opendns servers in for the pool.  Or vice-versa, whatever…

    Unless you VLAN them off onto a separate network and block outbound DNS to everything but opendns a sharp one will figure out how to get around it.



  • You're right. I'll stay with the first proposal.
    Tx



  • @Derelict:

    You can put DNS servers in static entries for the devices you want unrestricted and opendns servers in for the pool.  Or vice-versa, whatever…

    Hi, for the same reason I put DNS servers in the static entries for the kids' devices :-\ . The clients did get the DNS IPs (199.85.126.30, 199.85.127.30), but when I surf to porn to test it, it passes through and simply ignores the DNS entries.

    other DHCP users get default DNS:
    127.0.0.1
    208.67.222.222
    208.67.220.220
    8.8.8.8
    37.221.170.105

    my config :
    Pfsense 2.1.5
    DNS forwarder
    DHCP active
    Proxy filter SquidGuard, which I want to uninstall … because there are no updates and Norton is much more powerful!

    I also tested without the DNS forwarder.

    any idea?
    BEST REGARDS


  • LAYER 8 Netgate

    @ajeeb:

    Hi, for the same reason I put DNS servers in the static entries for the kids' devices :-\ . The clients did get the DNS IPs (199.85.126.30, 199.85.127.30), but when I surf to porn to test it, it passes through and simply ignores the DNS entries.

    I've personally never seen a client ignore its DNS servers and arbitrarily use something else so I have no idea.  Post up an ipconfig /all if it's windows or the equivalent if something else.  If your OpenDNS servers are returning DNS you don't like you'll have to take it up with them.

    other DHCP users get default DNS:
    127.0.0.1
    208.67.222.222
    208.67.220.220
    8.8.8.8
    37.221.170.105

    Your clients should be given pfSense as their DNS server.  pfSense should have a couple of external name servers to use to answer queries.



  • Yes, it's a strange case, but that's what happens.
    This is the ipconfig output; it does take the IP but it's useless! The client simply gets into the site! Note that the client has a static ARP and IP.

    
    C:\>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : WIN-OGD8IRJJE68
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Broadcast
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : bisan.net
    
    Ethernet adapter Bluetooth Network Connection:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 00-1E-52-E9-22-8D
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . : bisan.net
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-0C-29-81-62-78
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::114f:265c:123d:4f5e%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.12(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, December 06, 2014 1:11:19 PM
       Lease Expires . . . . . . . . . . : Saturday, December 06, 2014 3:11:19 PM
       Default Gateway . . . . . . . . . : fe80::1:1%11
                                           192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 234884137
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-11-60-ED-00-0C-29-81-62-78
    
       DNS Servers . . . . . . . . . . . : 199.85.126.20
                                           199.85.127.20
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.{4D448722-9269-4D9A-95BE-9D23A95EE4F8}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    
    Tunnel adapter Local Area Connection* 13:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3481:554:3f57:fef3(Preferred)
       Link-local IPv6 Address . . . . . : fe80::3481:554:3f57:fef3%13(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    Tunnel adapter isatap.bisan.net:
    
       Connection-specific DNS Suffix  . : bisan.net
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.12%16(Preferred)
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 199.85.126.20
                                           199.85.127.20
       NetBIOS over Tcpip. . . . . . . . : Disabled
    
    C:\>
    
    
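A quick way to settle the "client ignores its DNS servers" versus "cached results" question is to read what the client actually reports, adapter by adapter, and compare it against what the static mapping was meant to hand out. The script below is an added example, not from this thread or from pfSense: it parses the `ipconfig /all` output posted above (embedded here as a constructed sample, trimmed to the adapters that carry DNS servers, with the poster's values unchanged) and flags any adapter whose resolvers differ from the pair the poster says they entered in the kids' static mapping. The field-indentation regex assumes the three-space layout `ipconfig` normally prints.

```python
import re

# Constructed sample: the "ipconfig /all" output posted in this thread, trimmed to
# the global block and the two adapters that report DNS servers.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-OGD8IRJJE68
   Node Type . . . . . . . . . . . . : Broadcast

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : bisan.net
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.12(Preferred)
   Default Gateway . . . . . . . . . : fe80::1:1%11
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 199.85.126.20
                                       199.85.127.20
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.bisan.net:

   Connection-specific DNS Suffix  . : bisan.net
   DHCP Enabled. . . . . . . . . . . : No
   DNS Servers . . . . . . . . . . . : 199.85.126.20
                                       199.85.127.20
"""

# The pair the poster says they put in the kids' static DHCP mapping.
EXPECTED_RESOLVERS = {"199.85.126.30", "199.85.127.30"}

# "Ethernet adapter X:" / "Tunnel adapter X:" headers start in column 0 and end with ':'.
ADAPTER_RE = re.compile(r"^(\S.*):\s*$")
# Field lines are indented a few spaces: "   Key . . . . : value". Continuation
# lines (second DNS server, second gateway) are indented far more and carry no key.
FIELD_RE = re.compile(r"^ {1,8}([A-Za-z][^.:]*?)[ .]*:\s?(.*)$")


def parse_ipconfig(text):
    """Return {section: {field: [values]}}; the pre-adapter block is keyed
    'Windows IP Configuration'. Multi-line values become multi-element lists."""
    current, field = "Windows IP Configuration", None
    sections = {current: {}}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, field = m.group(1), None
            sections[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            field = m.group(1).strip()
            value = m.group(2).strip()
            sections[current][field] = [value] if value else []
        elif field is not None:
            sections[current][field].append(line.strip())  # continuation line
    return sections


def resolvers_by_adapter(sections):
    """Map each adapter that reports DNS servers to the list it reports."""
    return {name: fields["DNS Servers"]
            for name, fields in sections.items() if "DNS Servers" in fields}


def check_resolvers(text, expected):
    """For each adapter with DNS servers: the observed list and whether it
    equals the expected set. A False here means the client is not using the
    resolvers the static mapping was supposed to hand out."""
    expected = set(expected)
    return {name: {"observed": servers, "matches": set(servers) == expected}
            for name, servers in resolvers_by_adapter(parse_ipconfig(text)).items()}


if __name__ == "__main__":
    sections = parse_ipconfig(IPCONFIG_SAMPLE)
    lan = sections["Ethernet adapter Local Area Connection"]
    print("lease from DHCP server:", lan["DHCP Server"])
    for name, result in check_resolvers(IPCONFIG_SAMPLE, EXPECTED_RESOLVERS).items():
        status = "OK" if result["matches"] else "MISMATCH"
        print(f"{status:8} {name}: {', '.join(result['observed'])}")
```

Run against the posted output, the LAN adapter reports a lease from 192.168.1.1 (so the client did get its addressing from pfSense) but its resolvers come back as MISMATCH against the pair the poster says they configured, which is the first thing to reconcile before looking at caches.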

  • LAYER 8 Netgate

    Sounds like a problem to be solved between you and openDNS.  That or you're looking at cached results.



  • Those kids' DNS addresses are actually for http://en.wikipedia.org/wiki/Norton_ConnectSafe - and from the Wiki they should work. I just did exactly what you are saying - static mapped an IP for one of my laptops with DNS servers (199.85.126.30, 199.85.127.30) then started that laptop.
    The laptop got those DNS servers. Then on that laptop browsed to playboy.com - it comes up with a Norton Connect Safe page saying "This website is not allowed."

    Clear all caches on the devices concerned, restart everything… What you are doing should work.



  • Hello,
    I'm back on the (same) subject.

    1) Wouldn't it be possible to consider the "DNS forwarder" to achieve my goal?
    2) Or ... I could create a firewall rule for port 53 just for the fixed IPs of my kids (following this: https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers)?
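The port-53 rule in option 2 is the enforcement half of what Derelict suggested earlier (hand the kids the filtering resolvers, then block outbound DNS to everything else). The script below is an added example, not pfSense's own code: it models that LAN rule set as a first-match list, the way pfSense evaluates "quick" rules, and walks a few packets through it so the effect of rule order is visible. The kids' static-mapped addresses, the adult address and the web-server address are assumptions; the resolver addresses are the ones quoted in this thread and 192.168.1.1 is the pfSense LAN address from the posted ipconfig.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: Optional[FrozenSet[str]]  # source IPs (a pfSense alias) or ANY
    dst: Optional[FrozenSet[str]]  # destination IPs or ANY
    dport: Optional[int]           # destination port or ANY
    label: str

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return ((self.src is ANY or src in self.src)
                and (self.dst is ANY or dst in self.dst)
                and (self.dport is ANY or dport == self.dport))


# Assumed alias of the kids' static-mapped IPs (the poster's example client is .12).
KIDS = frozenset({"192.168.1.12", "192.168.1.13"})
# Filtering resolvers quoted in the thread.
FILTER_DNS = frozenset({"199.85.126.30", "199.85.127.30"})
# pfSense LAN address, from the posted ipconfig.
FIREWALL = "192.168.1.1"

# Evaluated top to bottom, first match wins. In the real rule set the two port-53
# rules must cover both TCP and UDP, since DNS uses both. Note the policy only
# constrains port 53: this is the limit Derelict points at when he says a sharp
# kid on the same network will find a way around it.
LAN_RULES = [
    Rule("pass", KIDS, FILTER_DNS, 53, "kids -> filtering resolvers"),
    Rule("block", KIDS, ANY, 53, "kids -> any other resolver (pfSense forwarder included)"),
    Rule("pass", ANY, ANY, ANY, "default LAN allow"),
]

# The common mistake: the block placed above the allow. The kids then lose DNS
# entirely instead of being steered to the filtering resolvers.
MISORDERED_RULES = [LAN_RULES[1], LAN_RULES[0], LAN_RULES[2]]


def evaluate(rules, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, label) of the first matching rule; pf's default is deny."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action, rule.label
    return "block", "default deny"


def decision(src: str, dst: str, dport: int, rules=LAN_RULES) -> str:
    return evaluate(rules, src, dst, dport)[0]


if __name__ == "__main__":
    # Constructed sample packets: (source, destination, destination port).
    packets = [
        ("192.168.1.12", "199.85.126.30", 53),  # kid -> filtering resolver
        ("192.168.1.12", "8.8.8.8", 53),        # kid -> public resolver
        ("192.168.1.12", FIREWALL, 53),         # kid -> pfSense forwarder
        ("192.168.1.12", "203.0.113.10", 443),  # kid -> a web server (not DNS)
        ("192.168.1.50", "8.8.8.8", 53),        # adult -> public resolver
    ]
    for name, rules in (("correct order", LAN_RULES), ("misordered", MISORDERED_RULES)):
        print(f"== {name} ==")
        for src, dst, port in packets:
            action, label = evaluate(rules, src, dst, port)
            print(f"{src} -> {dst}:{port:<4} {action:5} ({label})")
```

The adults' resolvers are untouched by this policy, which is the first half of the original question; the kids can only talk DNS to the two filtering addresses, and because the block rule sits above the default allow, pointing a client at another resolver by hand no longer helps.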



  • Or… you could also think about something somewhat different like HTTP proxy + filtering  ;)  (i.e. squid + squidguard)

