How to : use DHCP to distribute IPs and different DNS ?
-
Hello,
I use pFsense as my main DHCP server. It also handles a few fixed IPs for my son's iDevices with specific rules & schedules to limit their access.
Now, my kids are getting older and I would like to ban some internet access (porn, hack, etc…).
I was thinking about using "opendns" as main filter.Is there a way to :
- still distribute the generic internet provider DNS to my wife's pc and mine ...without any limitation
- distribute the "opendns" dns entry to my kids ?
Tx for your attention...& help :-)
-
You can put DNS servers in static entries for the devices you want unrestricted and opendns servers in for the pool. Or vice-versa, whatever…
Unless you VLAN them off onto a separate network and block outbound DNS to everything but opendns a sharp one will figure out how to get around it.
-
You're right. I'll stay with the first proposal.
Tx -
You can put DNS servers in static entries for the devices you want unrestricted and opendns servers in for the pool. Or vice-versa, whatever…
hi, for the same reason
I put DNS servers in static entries for kids devices ! :-\ , the clients did get DNS IPs (199.85.126.30 , 199.85.127.30) , but when surf to porn to test it's pass thought and simply ignore DNS entries
other DHCP users get default DNS:
127.0.0.1
208.67.222.222
208.67.220.220
8.8.8.8
37.221.170.105my config :
Pfsense 2.1.5
DNS forwarder
DHCP active
Proxy filter SquidGuard >> which I want to uninstall it … cause no updates and NORTON dans much powerful !I also test without DNS forwarder
any idea?
BEST REGARDS -
hi, for the same reason
I put DNS servers in static entries for kids devices ! :-\ , the clients did get DNS IPs (199.85.126.30 , 199.85.127.30) , but when surf to porn to test it's pass thought and simply ignore DNS entries
I've personally never seen a client ignore its DNS servers and arbitrarily use something else so I have no idea. Post up an ipconfig /all if it's windows or the equivalent if something else. If your OpenDNS servers are returning DNS you don't like you'll have to take it up with them.
other DHCP users get default DNS:
127.0.0.1
208.67.222.222
208.67.220.220
8.8.8.8
37.221.170.105Your clients should be being given pfSense as their DNS server. pfSense should have a couple external name servers to use to answer queries.
-
yes, it's strange case but that's whats happen
this is the ipconfig output , it's does take IP but useless ! the client simply get into the site ! note that client has static arp,ipC:\>ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : WIN-OGD8IRJJE68 Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Broadcast IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : bisan.net Ethernet adapter Bluetooth Network Connection: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network) Physical Address. . . . . . . . . : 00-1E-52-E9-22-8D DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : bisan.net Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection Physical Address. . . . . . . . . : 00-0C-29-81-62-78 DHCP Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::114f:265c:123d:4f5e%11(Preferred) IPv4 Address. . . . . . . . . . . : 192.168.1.12(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Lease Obtained. . . . . . . . . . : Saturday, December 06, 2014 1:11:19 PM Lease Expires . . . . . . . . . . : Saturday, December 06, 2014 3:11:19 PM Default Gateway . . . . . . . . . : fe80::1:1%11 192.168.1.1 DHCP Server . . . . . . . . . . . : 192.168.1.1 DHCPv6 IAID . . . . . . . . . . . : 234884137 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-11-60-ED-00-0C-29-81-62-78 DNS Servers . . . . . . . . . . . : 199.85.126.20 199.85.127.20 NetBIOS over Tcpip. . . . . . . . : Enabled Tunnel adapter isatap.{4D448722-9269-4D9A-95BE-9D23A95EE4F8}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Microsoft ISATAP Adapter Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Tunnel adapter Local Area Connection* 13: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3481:554:3f57:fef3(Prefe rred) Link-local IPv6 Address . . . . . : fe80::3481:554:3f57:fef3%13(Preferred) Default Gateway . . . . . . . . . : :: NetBIOS over Tcpip. . . . . . . . : Disabled Tunnel adapter isatap.bisan.net: Connection-specific DNS Suffix . : bisan.net Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.12%16(Preferred) Default Gateway . . . . . . . . . : DNS Servers . . . . . . . . . . . : 199.85.126.20 199.85.127.20 NetBIOS over Tcpip. . . . . . . . : Disabled C:\> -
Sounds like a problem to be solved between you and openDNS. That or you're looking at cached results.
-
Those kids DNS addresses are actually for http://en.wikipedia.org/wiki/Norton_ConnectSafe - and from the WiKi they should work. I just did exactly what you are saying - static mapped an IP for one of my laptops with DNS servers (199.85.126.30 , 199.85.127.30) then started that laptop.
The laptop got those DNS servers. Then on that laptop browsed to playboy.com - it comes up with a Norton Connect Safe page saying "This website is not allowed."Clear all caches on the devices concerned, restart everything… What you are doing should work.
-
Hello,
I'm back on the (same) subject.1)Wouldn't it be possible to consider the "DNS forwarder" to achieve my goal ?
2) Or ….I could create a firewall rule for port 53 just for the fixed IPs of my kids (following this : https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers) ? -
Or… you could also think about something somewhat different like HTTP proxy + filtering ;) (i.e. squid + squidguard)
