Block an interface from resolving IPs of public internet addresses
-
In my setup I have 2 VLANs, Workstations and Servers. All the hosts are statically mapped with hostname.
What I would like to do?
-
All local machines to be able to resolve the other local machines
-
Only workstations to be able to resolve public addresses (basically have internet access)
-
Servers not to be able to resolve public addresses (basically not have internet access)
What have I done?
-
Checked Register DHCP static mappings in the DNS Resolver
-
Setup firewall rule on WORKSTATION interface to allow traffic from WORKSTATION net to This Firewall on port 53
-
Setup firewall rule on SERVER interface to allow traffic from SERVER net to This Firewall on port 53
-
Setup firewall rule on SERVER interface to block traffic from SERVER net to WAN net
What I observed?
-
Hosts on the WORKSTATION net was able to resolve local hostnames and public addresses
-
Hosts on the SERVER net was able to resolve local hostnames and public addresses
-
Hosts on the SERVER net was not able connect to the internet but on the host it says it has Internet access
-
-
Hmmm, what exactly is your question now?
-
I have allowed host1 to connect to pfsense dns. When I do this, host1 can resolve the ip address of public network (for example google.com) and my private network (mydomain.com). But host1 can't access the internet
What should I do such that host1 can only resolve ip address of my private network? The reason that I want to do this is because on my host1 it shows that it has internet access.
-
do not allow host1 for port 53. resolving the local net you can't disable anyway.
("The reason that I want to do this is because on my host1 it shows that it has internet access." Windows? Symbol for network in the lower right corner? Don't care about that… But no updates then, huh?)
-
If I block host1 from accessing the This firewall on port 53 (DNS), I cant resolve local net hostnames.
But if you say it is okay that windows shows internet access, then I guess there is no problem.
Nevertheless, thank you for the information.
-
… I reach my local resources via IP. As long as Windows can resolve names via DNS it will show "online" status, my guess. But you won't get any updates without internet access. Is it http or https that's needed to retrieve Windows updates? Dunno...
-
There's bind with views feature and this blackhole thing.
-
2nd link non-functional
TL;DR
what's the message? :-)
-
-
"Servers not to be able to resolve public addresses (basically not have internet access)"
So which is it do you want them not to resolve public or not have internet? Who gives a shit if they resolve www.cnn.com from pfsense if they don't actually have internet access. Simple firewall rule to not allow your server vlan internet access.. Just because you set up so they can not resolve www.cnn.com does not mean they cant just go http:\ipaddressofcnn for example.
-
Or, worse, irc://84.85.86.87/ botnet command and control.
If you want to block access to the internet, block it. Don't just block DNS and consider the job done.
-
Or, worse, irc://84.85.86.87/ botnet command and control.
If you want to block access to the internet, block it. Don't just block DNS and consider the job done.
I have blocked internet access using firewall but allowed access to pfSense DNS.
Its just that on my Windows Servers, the icon says it has Internet access. Stupid question but, is this okay?
-
Blocking DNS does not block access. There is this thing call IP, also known as Internet Protocol. Block this and the internet will stop working.
-
Is this the dyslexia thread? He ALLOWS DNS, but blocks internet access. headsheaking