4. How to : use DHCP to distribute IPs and different DNS ?

How to : use DHCP to distribute IPs and different DNS ?

  • C

    Hello,

    I use pFsense as my main DHCP server. It also handles a few fixed IPs for my son's iDevices with specific rules & schedules to limit their access.

    Now, my kids are getting older and I would like to ban some internet access (porn, hack, etc…).
    I was thinking about using "opendns" as main filter.

    Is there a way to :

    • still distribute the generic internet provider DNS to my wife's pc and mine ...without any limitation
    • distribute the "opendns" dns entry to my kids ?

    Tx for your attention...& help :-)

    0
  • LAYER 8 Netgate

    You can put DNS servers in static entries for the devices you want unrestricted and opendns servers in for the pool.  Or vice-versa, whatever…

    Unless you VLAN them off onto a separate network and block outbound DNS to everything but opendns a sharp one will figure out how to get around it.

    0
  • C

    You're right. I'll stay with the first proposal.
    Tx

    0
  • A

    @Derelict:

    You can put DNS servers in static entries for the devices you want unrestricted and opendns servers in for the pool.  Or vice-versa, whatever…

    hi, for the same reason

    I put DNS servers in static entries for kids devices !  :-\ , the clients did get DNS IPs  (199.85.126.30 , 199.85.127.30) , but when surf to porn to test it's pass thought and simply ignore DNS entries

    other DHCP users get default DNS:
    127.0.0.1
    208.67.222.222
    208.67.220.220
    8.8.8.8
    37.221.170.105

    my config :
    Pfsense 2.1.5
    DNS forwarder
    DHCP active
    Proxy filter SquidGuard >> which I want to uninstall it … cause no updates and NORTON dans much powerful !

    I also test without DNS forwarder

    any idea?
    BEST REGARDS

    0
  • LAYER 8 Netgate

    @ajeeb:

    hi, for the same reason

    I put DNS servers in static entries for kids devices !  :-\ , the clients did get DNS IPs  (199.85.126.30 , 199.85.127.30) , but when surf to porn to test it's pass thought and simply ignore DNS entries

    I've personally never seen a client ignore its DNS servers and arbitrarily use something else so I have no idea.  Post up an ipconfig /all if it's windows or the equivalent if something else.  If your OpenDNS servers are returning DNS you don't like you'll have to take it up with them.

    other DHCP users get default DNS:
    127.0.0.1
    208.67.222.222
    208.67.220.220
    8.8.8.8
    37.221.170.105

    Your clients should be being given pfSense as their DNS server.  pfSense should have a couple external name servers to use to answer queries.

    0
  • A

    yes, it's strange case but that's whats happen
    this is the ipconfig output , it's does take IP but useless ! the client simply get into the site ! note that client has static arp,ip

    
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-OGD8IRJJE68
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : bisan.net

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 00-1E-52-E9-22-8D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : bisan.net
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-81-62-78
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::114f:265c:123d:4f5e%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, December 06, 2014 1:11:19 PM
   Lease Expires . . . . . . . . . . : Saturday, December 06, 2014 3:11:19 PM
   Default Gateway . . . . . . . . . : fe80::1:1%11
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-11-60-ED-00-0C-29-81-62-78

   DNS Servers . . . . . . . . . . . : 199.85.126.20
                                       199.85.127.20
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{4D448722-9269-4D9A-95BE-9D23A95EE4F8}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3481:554:3f57:fef3(Prefe
rred)
   Link-local IPv6 Address . . . . . : fe80::3481:554:3f57:fef3%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.bisan.net:

   Connection-specific DNS Suffix  . : bisan.net
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.12%16(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 199.85.126.20
                                       199.85.127.20
   NetBIOS over Tcpip. . . . . . . . : Disabled

C:\>
    0
  • LAYER 8 Netgate

    Sounds like a problem to be solved between you and openDNS.  That or you're looking at cached results.

    0
  • P

    Those kids DNS addresses are actually for http://en.wikipedia.org/wiki/Norton_ConnectSafe - and from the WiKi they should work. I just did exactly what you are saying - static mapped an IP for one of my laptops with DNS servers (199.85.126.30 , 199.85.127.30) then started that laptop.
    The laptop got those DNS servers. Then on that laptop browsed to playboy.com - it comes up with a Norton Connect Safe page saying "This website is not allowed."

    Clear all caches on the devices concerned, restart everything… What you are doing should work.

    0
  • C

    Hello,
    I'm back on the (same) subject.

    1)Wouldn't it be possible to consider the "DNS forwarder" to achieve my goal ?
    2) Or ….I could create a firewall rule for port 53 just for the fixed IPs of my kids (following this : https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers) ?

    0
  • C

    Or… you could also think about something somewhat different like HTTP proxy + filtering  ;)  (i.e. squid + squidguard)

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy