    How to: use DHCP to distribute IPs and different DNS?

    Category: DHCP and DNS
    10 Posts 5 Posters 1.9k Views
    • chercheur

      Hello,

      I use pfSense as my main DHCP server. It also handles a few fixed IPs for my son's iDevices, with specific rules & schedules to limit their access.

      Now my kids are getting older and I would like to ban some internet content (porn, hacking, etc.).
      I was thinking about using OpenDNS as the main filter.

      Is there a way to:

      • still distribute the generic internet provider DNS to my wife's PC and mine, without any limitation
      • distribute the OpenDNS DNS entry to my kids?

      Thanks for your attention... & help :-)

      • Derelict LAYER 8 Netgate

        You can put DNS servers in static entries for the devices you want unrestricted and opendns servers in for the pool.  Or vice-versa, whatever…

        Unless you VLAN them off onto a separate network and block outbound DNS to everything but OpenDNS, a sharp one will figure out how to get around it.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • chercheur

          You're right. I'll stay with the first proposal.
          Thanks

          • ajeeb

            @Derelict:

            You can put DNS servers in static entries for the devices you want unrestricted and opendns servers in for the pool.  Or vice-versa, whatever…

            Hi, for the same reason

            I put DNS servers in the static entries for my kids' devices :-\ . The clients did get the DNS IPs (199.85.126.30, 199.85.127.30), but when I surf to porn to test it, it passes through and simply ignores the DNS entries.

            Other DHCP users get the default DNS:
            127.0.0.1
            208.67.222.222
            208.67.220.220
            8.8.8.8
            37.221.170.105

            My config:
            pfSense 2.1.5
            DNS forwarder
            DHCP active
            Proxy filter SquidGuard, which I want to uninstall... because there are no updates and Norton is much more powerful!

            I also tested without the DNS forwarder.

            Any idea?
            Best regards

            • Derelict LAYER 8 Netgate

              @ajeeb:

              Hi, for the same reason

              I put DNS servers in the static entries for my kids' devices :-\ . The clients did get the DNS IPs (199.85.126.30, 199.85.127.30), but when I surf to porn to test it, it passes through and simply ignores the DNS entries.

              I've personally never seen a client ignore its DNS servers and arbitrarily use something else, so I have no idea. Post up an ipconfig /all if it's Windows, or the equivalent if it's something else. If your OpenDNS servers are returning DNS you don't like, you'll have to take it up with them.

              Other DHCP users get the default DNS:
              127.0.0.1
              208.67.222.222
              208.67.220.220
              8.8.8.8
              37.221.170.105

              Your clients should be given pfSense as their DNS server. pfSense should have a couple of external name servers to use to answer queries.

              • ajeeb

                Yes, it's a strange case, but that's what happens.
                This is the ipconfig output. It does get the IP, but it's useless! The client simply gets into the site! Note that the client has a static ARP entry and IP.

                
                C:\>ipconfig /all
                
                Windows IP Configuration
                
                   Host Name . . . . . . . . . . . . : WIN-OGD8IRJJE68
                   Primary Dns Suffix  . . . . . . . :
                   Node Type . . . . . . . . . . . . : Broadcast
                   IP Routing Enabled. . . . . . . . : No
                   WINS Proxy Enabled. . . . . . . . : No
                   DNS Suffix Search List. . . . . . : bisan.net
                
                Ethernet adapter Bluetooth Network Connection:
                
                   Media State . . . . . . . . . . . : Media disconnected
                   Connection-specific DNS Suffix  . :
                   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
                   Physical Address. . . . . . . . . : 00-1E-52-E9-22-8D
                   DHCP Enabled. . . . . . . . . . . : Yes
                   Autoconfiguration Enabled . . . . : Yes
                
                Ethernet adapter Local Area Connection:
                
                   Connection-specific DNS Suffix  . : bisan.net
                   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
                   Physical Address. . . . . . . . . : 00-0C-29-81-62-78
                   DHCP Enabled. . . . . . . . . . . : Yes
                   Autoconfiguration Enabled . . . . : Yes
                   Link-local IPv6 Address . . . . . : fe80::114f:265c:123d:4f5e%11(Preferred)
                   IPv4 Address. . . . . . . . . . . : 192.168.1.12(Preferred)
                   Subnet Mask . . . . . . . . . . . : 255.255.255.0
                   Lease Obtained. . . . . . . . . . : Saturday, December 06, 2014 1:11:19 PM
                   Lease Expires . . . . . . . . . . : Saturday, December 06, 2014 3:11:19 PM
                   Default Gateway . . . . . . . . . : fe80::1:1%11
                                                       192.168.1.1
                   DHCP Server . . . . . . . . . . . : 192.168.1.1
                   DHCPv6 IAID . . . . . . . . . . . : 234884137
                   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-11-60-ED-00-0C-29-81-62-78
                
                   DNS Servers . . . . . . . . . . . : 199.85.126.20
                                                       199.85.127.20
                   NetBIOS over Tcpip. . . . . . . . : Enabled
                
                Tunnel adapter isatap.{4D448722-9269-4D9A-95BE-9D23A95EE4F8}:
                
                   Media State . . . . . . . . . . . : Media disconnected
                   Connection-specific DNS Suffix  . :
                   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
                   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                   DHCP Enabled. . . . . . . . . . . : No
                   Autoconfiguration Enabled . . . . : Yes
                
                Tunnel adapter Local Area Connection* 13:
                
                   Connection-specific DNS Suffix  . :
                   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
                   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                   DHCP Enabled. . . . . . . . . . . : No
                   Autoconfiguration Enabled . . . . : Yes
                   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3481:554:3f57:fef3(Preferred)
                   Link-local IPv6 Address . . . . . : fe80::3481:554:3f57:fef3%13(Preferred)
                   Default Gateway . . . . . . . . . : ::
                   NetBIOS over Tcpip. . . . . . . . : Disabled
                
                Tunnel adapter isatap.bisan.net:
                
                   Connection-specific DNS Suffix  . : bisan.net
                   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
                   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                   DHCP Enabled. . . . . . . . . . . : No
                   Autoconfiguration Enabled . . . . : Yes
                   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.12%16(Preferred)
                   Default Gateway . . . . . . . . . :
                   DNS Servers . . . . . . . . . . . : 199.85.126.20
                                                       199.85.127.20
                   NetBIOS over Tcpip. . . . . . . . : Disabled
                
                 C:\>
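The ipconfig /all output above can be checked mechanically rather than by eye. What follows is an added example, not code from the thread or from pfSense: a parser for the text format of `ipconfig /all`, plus a check of every adapter's DNS servers against the list the DHCP static mapping was supposed to hand out. The embedded sample is an abridged copy of the pasted output; the expected list is the one ajeeb says he configured (199.85.126.30 and 199.85.127.30), while the pasted output shows the .20 pair, and the audit reports exactly that. It also reports the Teredo tunnel adapter, which in the output carries a global 2001:0: address: Teredo sends IPv6 inside UDP through the IPv4 NAT, so LAN rules written against the client's IPv4 address never see what the host sends that way.

```python
"""Audit the DNS servers a Windows client actually received from DHCP.

Added example for this thread, not code from the original post or from
pfSense. Usage on the client:  ipconfig /all > ipconfig.txt
then:  python audit_ipconfig.py ipconfig.txt 199.85.126.30 199.85.127.30
With no arguments it runs over the embedded sample.
"""
import re
import sys

# Constructed sample: an abridged copy of the output pasted in the thread.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-OGD8IRJJE68
   Node Type . . . . . . . . . . . . : Broadcast

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : bisan.net
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::114f:265c:123d:4f5e%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.12(Preferred)
   Default Gateway . . . . . . . . . : fe80::1:1%11
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 199.85.126.20
                                       199.85.127.20
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 13:

   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   DHCP Enabled. . . . . . . . . . . : No
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:3481:554:3f57:fef3(Preferred)
   Link-local IPv6 Address . . . . . : fe80::3481:554:3f57:fef3%13(Preferred)
   Default Gateway . . . . . . . . . : ::
"""

FIELD_RE = re.compile(r"^ {3}(.+?)[ .]*: ?(.*)$")   # "   Key . . . . : value"
CONT_RE = re.compile(r"^ {10,}(\S.*)$")             # wrapped extra value (2nd DNS server, 2nd gateway)


def parse_ipconfig(text):
    """Return {section: {field: [values]}} from `ipconfig /all` output.

    Sections are the unindented headers ("Windows IP Configuration",
    "Ethernet adapter ..."); a field's extra values on wrapped lines are
    appended to that field's list.
    """
    sections, current, last = {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if not line[0].isspace():                 # section / adapter header
            current = sections.setdefault(line.rstrip(":"), {})
            last = None
            continue
        if current is None:                       # stray text before any header
            continue
        m = CONT_RE.match(line)
        if m and last is not None:
            current[last].append(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            current[key] = [value] if value else []
            last = key
    return sections


def strip_suffix(value):
    """'192.168.1.12(Preferred)' -> '192.168.1.12'."""
    return value.split("(")[0].strip()


def dns_servers(sections):
    """Map adapter name -> list of DNS server addresses it is using."""
    return {name: [strip_suffix(v) for v in fields["DNS Servers"]]
            for name, fields in sections.items() if "DNS Servers" in fields}


def audit(text, expected_dns):
    """Findings for a client whose DHCP mapping should hand out expected_dns."""
    sections = parse_ipconfig(text)
    expected = set(expected_dns)
    findings = []
    for name, servers in dns_servers(sections).items():
        unexpected = [s for s in servers if s not in expected]
        if unexpected:
            dhcp = ", ".join(sections[name].get("DHCP Server", ["?"]))
            findings.append(f"{name}: DNS servers {unexpected} are not the configured "
                            f"{sorted(expected)}; check the static mapping and the lease "
                            f"(DHCP server {dhcp})")
    for name, fields in sections.items():
        # A tunnel adapter with a global (non fe80::) IPv6 address, Teredo in the
        # sample, is a path out of the host that LAN IPv4 rules do not cover.
        for v in fields.get("IPv6 Address", []):
            addr = strip_suffix(v)
            if not addr.lower().startswith("fe80:"):
                findings.append(f"{name}: global IPv6 address {addr} on a tunnel "
                                "adapter, a path outside the LAN rules")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    expected = sys.argv[2:] or ["199.85.126.30", "199.85.127.30"]
    for finding in audit(text, expected) or ["no findings"]:
        print(finding)
```

The parser keys on the layout Windows has used for years (three-space indent, dotted key, colon, value; continuation values indented to the value column), so it handles the multi-gateway and multi-DNS cases in the pasted output without special cases. Run with the .30 pair it flags the LAN adapter; run with the .20 pair it reports only the Teredo interface.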
                  • Derelict LAYER 8 Netgate

                  Sounds like a problem to be solved between you and OpenDNS. That, or you're looking at cached results.

                    • phil.davis

                    Those kids' DNS addresses are actually for http://en.wikipedia.org/wiki/Norton_ConnectSafe, and from the Wiki they should work. I just did exactly what you are saying: static mapped an IP for one of my laptops with DNS servers (199.85.126.30, 199.85.127.30), then started that laptop.
                    The laptop got those DNS servers. Then on that laptop I browsed to playboy.com; it comes up with a Norton ConnectSafe page saying "This website is not allowed."

                    Clear all caches on the devices concerned, restart everything… What you are doing should work.

                    As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                    If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                      • chercheur

                      Hello,
                      I'm back on the (same) subject.

                      1) Wouldn't it be possible to consider the "DNS forwarder" to achieve my goal?
                      2) Or... I could create a firewall rule for port 53 just for the fixed IPs of my kids (following this: https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers)?

                        • chris4916
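Derelict's first reply (block outbound DNS to everything but OpenDNS) and question 2) above come down to the same LAN rule set, and the part people get wrong is rule order: pfSense evaluates a LAN rule set top to bottom and the first match wins, so the port-53 block has to sit above the stock "Default allow LAN to any" rule. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator loaded with the three rules the linked pfSense doc describes, once in the working order and once with the default allow on top. The kids' addresses (192.168.1.12 and .13) and the LAN subnet are assumptions; the resolver addresses are those quoted in the thread.

```python
"""First-match model of the LAN rules for "kids may only talk DNS to the filter".

Added example, not code from the thread or from pfSense. It reproduces only
pfSense's first-match evaluation of a LAN rule set; the kids' addresses and
the LAN subnet are assumed, the resolvers are the ones named in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

FIREWALL = "192.168.1.1"                    # pfSense LAN address (also runs the DNS forwarder)
KIDS = ("192.168.1.12", "192.168.1.13")     # assumed: the static-mapped kids' devices
ALLOWED_RESOLVERS = ("199.85.126.30", "199.85.127.30",    # Norton ConnectSafe, per ajeeb
                     "208.67.222.222", "208.67.220.220")  # OpenDNS, per chercheur


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    src: Tuple[str, ...]        # hosts/CIDRs, or ("any",)
    dst: Tuple[str, ...]
    dport: Optional[int]        # None = any destination port
    descr: str
    protos: Tuple[str, ...] = ("tcp", "udp")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


def _in(addr, spec):
    """True if addr is covered by the host/CIDR list (or the list is 'any')."""
    if spec == ("any",):
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(s, strict=False) for s in spec)


def evaluate(rules, pkt):
    """Return (action, descr) of the first matching rule; no match is pf's implicit block."""
    for r in rules:
        if (pkt.proto in r.protos and (r.dport is None or r.dport == pkt.dport)
                and _in(pkt.src, r.src) and _in(pkt.dst, r.dst)):
            return r.action, r.descr
    return "block", "default deny"


# Working order, as in the pfSense doc chercheur linked: allow DNS to the
# firewall (and the filtering resolvers), block every other DNS destination
# for the kids, and only then the stock "Default allow LAN to any" rule.
GOOD_RULES = [
    Rule("pass", KIDS, (FIREWALL,) + ALLOWED_RESOLVERS, 53, "kids: DNS to filter only"),
    Rule("block", KIDS, ("any",), 53, "kids: no other DNS"),
    Rule("pass", ("192.168.1.0/24",), ("any",), None, "Default allow LAN to any"),
]
# The usual mistake: same rules, default allow left at the top, so the block never matches.
BAD_RULES = [GOOD_RULES[2], GOOD_RULES[0], GOOD_RULES[1]]


if __name__ == "__main__":
    probes = [
        Packet("192.168.1.12", "8.8.8.8", 53),             # kid switching to Google DNS
        Packet("192.168.1.12", FIREWALL, 53),              # kid using the forwarder
        Packet("192.168.1.12", "199.85.126.30", 53, "tcp"),
        Packet("192.168.1.20", "8.8.8.8", 53),             # parent, unrestricted
        Packet("192.168.1.12", "8.8.8.8", 853, "tcp"),     # DNS over TLS is not port 53
    ]
    for p in probes:
        good, bad = evaluate(GOOD_RULES, p), evaluate(BAD_RULES, p)
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}  "
              f"working order: {good[0]:5}  wrong order: {bad[0]}")
```

Running it shows the kid-to-8.8.8.8 probe blocked only in the working order; every other probe behaves the same in both. The last probe (port 853, DNS over TLS) passes in both orders: a port-53 rule only catches plain DNS, which is the substance of Derelict's warning that a separate VLAN with a deliberate egress policy is what actually holds.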

                        Or... you could also think about something somewhat different, like an HTTP proxy + filtering ;) (i.e. Squid + SquidGuard).

                        Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.